LIGMA Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

Our researchers search for new malicious applications every day. The newest infection they have come across is LIGMA Ransomware. It seems that more than one version of this ransomware infection exists. The first one analyzed by our researchers encrypted personal files on victims’ computers completely, whereas the second one only changed icons after a successful entrance. No matter what changes have been made on your computer, you must erase LIGMA Ransomware from your system completely. Unfortunately, we cannot promise that it will be a piece of cake to eliminate it because it not only drops several files and disables system utilities but also makes modifications in the system registry. The manual LIGMA Ransomware removal is quite a challenge, but it does not mean that scanning the system with an antimalware scanner is the only way to get rid of it. We are sure it will be gone soon if you let our instructions help you to erase it manually.

Malicious applications enter computers secretly, but it does not mean that it is impossible to find out about their entrance. As for LIGMA Ransomware, you can be sure that it has successfully infiltrated your computer if it is no longer possible to open various files on the system, including all media files, and all these files now have the .ForgiveMe extension. As mentioned, it is very likely that not all the versions of LIGMA Ransomware lock data on affected computers. You might find your icons changed instead. Surprisingly, the version analyzed by researchers working at 411-spyware.com did not demand a ransom at the time of research, so it is very likely that LIGMA Ransomware has not been developed to extract money from users. Alternatively, there is a possibility that it is still in development. Either way, the ransomware infection must be erased from the system right away. We will help you to remove LIGMA Ransomware, but we cannot promise that you will be able to unlock your files if they have already been encrypted by this ransomware infection because, as mentioned, it does not demand a ransom, which means that it is impossible to get the decryption tool from its developer. Also, it deletes the so-called Shadow Copies of encrypted files. As a consequence, free decryption/file recovery tools will be useless. Of course, you could still restore files from your data backup after the full removal of this malicious application.

As for the LIGMA Ransomware distribution, we do not have much information about the methods used to spread it; however, we do not think that new distribution methods were invented to promote it. Most likely, it is spread using the same good old methods that are used to spread other ransomware infections. To be more specific, it should be mainly distributed via spam emails. Most probably, you will encounter it after opening a malicious email attachment. Security specialists say that users might download malicious software from the web themselves as well because computer threats often pretend to be beneficial software. If you do not have an eagle eye for recognizing malicious software, you simply cannot keep your system unprotected. We highly recommend keeping an antimalware tool active. Needless to say, it cannot be a random antimalware scanner you have come across while browsing a torrent website because it might only pretend to be a trustworthy application. In other words, it might be malware itself.

You will remove LIGMA Ransomware completely by deleting all components listed in our manual removal guide below. Unfortunately, deleting them will not be enough. Since this infection disables system utilities, including Task Manager and Registry Editor, you will have to fix them as well. Alternatively, a reputable antimalware tool can fix it for you automatically. The ransomware infection disables these utilities so that the victim cannot remove it. Luckily, we are here and we will help you to get rid of it. Unfortunately, we cannot help you to restore files if they have already been encrypted by this threat.

How to delete LIGMA Ransomware

Enable Registry Editor and Task Manager

  1. Tap Win+R.
  2. Type gpedit.msc and tap Enter.
  3. Navigate to User Configuration.
  4. Access Administrative Templates.
  5. Go to System.
  6. Double-click on Prevent Access to registry editing tools.
  7. Set Not Configured and click OK.
  8. Locate Ctrl+Alt+Del Options under System and access this folder.
  9. Double-click on Remove Task Manager.
  10. Repeat the 7th step.
  11. Erase malicious software from your PC.

Delete malicious software

  1. Open Windows Explorer (tap Win+E).
  2. Access %HOMEDRIVE%\WinWOW32.
  3. Delete the following files one by one: icon.ico, mbr.bin, Payloads.dll, and work.bat.
  4. Tap Win+R.
  5. Type regedit and click OK.
  6. Access HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System.
  7. Double-click on the Value named legalnoticecaption.
  8. Delete the Value data.
  9. Double-click on legalnoticetext.
  10. Remove the Value data.
  11. Save the changes.
  12. Delete all suspicious files you have downloaded recently from the web.
  13. Empty Trash.
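
The checks and reversals from both step lists above, written as a PowerShell script. This is an added example, not part of the original guide; the DisableRegistryTools and DisableTaskMgr value names are the standard registry values behind the two Group Policy settings and are an assumption here (the guide names only the policies), as is limiting the .ForgiveMe search to the current user profile.

```powershell
# Added example: reports the LIGMA changes listed in this guide; -Fix reverts them.
param([switch]$Fix)

$dropDir   = Join-Path $env:HOMEDRIVE 'WinWOW32'      # folder named in the guide
$dropFiles = 'icon.ico', 'mbr.bin', 'Payloads.dll', 'work.bat'
$noticeKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
# Assumption: per-user registry values behind the two Group Policy settings.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policies  = 'DisableRegistryTools', 'DisableTaskMgr'
$findings  = @()

# 1. Policies that block Registry Editor and Task Manager.
foreach ($name in $policies) {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value) {
        $findings += "Policy set: $name = $value"
        # Removing the value corresponds to "Not Configured" in gpedit.msc.
        if ($Fix) { Remove-ItemProperty -Path $policyKey -Name $name }
    }
}

# 2. Files dropped into %HOMEDRIVE%\WinWOW32.
foreach ($file in $dropFiles) {
    $path = Join-Path $dropDir $file
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file: $path"
        if ($Fix) { Remove-Item -LiteralPath $path -Force }
    }
}

# 3. Logon notice values: the guide clears the value data, not the values.
foreach ($name in 'legalnoticecaption', 'legalnoticetext') {
    $value = (Get-ItemProperty -Path $noticeKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value) {
        $findings += "Logon notice value: $name = '$value'"
        if ($Fix) { Set-ItemProperty -Path $noticeKey -Name $name -Value '' }
    }
}

# 4. Encrypted files are only counted; removal does not decrypt them.
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.ForgiveMe' -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) { $findings += "Files with .ForgiveMe extension: $($encrypted.Count)" }

if ($findings) { $findings } else { 'No LIGMA indicators from this guide were found.' }
```

Run it without arguments to list findings first, and from an elevated prompt with -Fix to apply the changes, since the HKLM values cannot be written otherwise. On Windows editions without gpedit.msc, step 1 of the script is the way to reach the same two settings.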