What is Sigma ransomware? And how does it perform its malicious tasks?
Sigma ransomware is a file-encrypting threat that emerged on November 9, 2017. It applies a custom cipher to the data it targets and then prompts users to purchase a decryptor from the crooks behind it. Sigma shares some similarities with LockeR ransomware. It is classified as a mid-tier Trojan that uses modified versions of already documented encryption algorithms, which can be downloaded from the web for free. In terms of data encryption it behaves like typical ransomware and offers nothing novel.
According to researchers, Sigma ransomware encrypts images, audio, video, databases, office documents, and many other file formats. It encrypts files using RSA 2048 and appends a random file extension to each encrypted file. After the encryption, Sigma drops a file named ReadMe.html on your desktop, which instructs you to install the TOR web browser. Here is the ransom notification found in the HTML file:
“What has happened to my files? Why am I seeing this?
All of your files have been encrypted with RSA 2048 Encryption. Which means you won't be able to open them or view them properly. It does NOT mean they are damaged.
Well, it's quite simple: only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decrypter along with your private key; once you run that, all of your files will be unlocked and back to normal.
So there are 2 ways to do this: either you wait for a miracle and get your price doubled, or follow the instructions below carefully and get back all your important files.
Download a special browser called “TOR browser” and then open the link given below. Steps for the same are:
- Go to https://www.torproject.org/download/download-easy.html.en to download the “TOR Browser”.
- Click the purple button which says “Download TOR Browser”.
- Run the downloaded file, and install it.
- Once installation is completed, run the TOR browser by clicking the icon on the Desktop.
- Now click the “Connect” button, wait a few seconds, and the TOR browser will open.
- Copy and paste the below link in the address bar of the TOR browser. Now HIT “Enter”.
- Wait a few seconds and the site will open, then enter your GUID mentioned below and proceed.”
Sigma ransomware also changes the desktop wallpaper on your computer once it is done with the encryption. The wallpaper carries a message that differs from the ransom note:
“ATTENTION ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
*** PLEASE READ THIS MESSAGE CAREFULLY IF YOU EVER WANT YOUR FILES BACK ***
The only way to get your files back to normal is to receive the private key and decryption program.
To receive the private key and decryption program, we created files with complete instructions inside every folder of your computer
as well as on your desktop, named *README*. Please read it and follow.
If you somehow can not find any *README* files at your PC, follow the instructions below:
Download “Tor Browser” from https://www.torproject.org/ and install it”
It is strongly advised that you do not contact these crooks; paying them is not a reliable way to get your files back. The best course of action is to remove Sigma ransomware from your computer and then try to recover the encrypted files from backups or from their shadow volume copies.
How does Sigma ransomware spread online?
Sigma ransomware spreads as a spam email attachment named “Scan_[number].doc”. The email contains a brief message stating that you will be billed on your personal MasterCard balance right away. Clearly, this is another tactic used to lure users into opening the email and downloading its attachment. You should steer clear of suspicious emails of any kind, and for emails like this one, it is best to contact your bank first.
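As an added example (not from the original article), the following Python script checks an incoming message for the two indicators this campaign combined: an attachment named like Scan_[number].doc and a body claiming an immediate MasterCard charge. The sample message is constructed for the demonstration, not a captured campaign email, and the regexes are assumptions about the lure wording.

```python
import re
from email import message_from_string
from email.message import Message

# Attachment naming pattern the Sigma spam campaign used ("Scan_[number].doc").
ATTACHMENT_RE = re.compile(r"^Scan_\d+\.doc$", re.IGNORECASE)
# Lure wording: the mail claims an immediate charge to a MasterCard balance (assumed keywords).
LURE_RE = re.compile(r"\b(billed|charged|mastercard)\b", re.IGNORECASE)

def score_message(raw: str) -> dict:
    """Return which Sigma-lure indicators a raw RFC 822 message matches."""
    msg: Message = message_from_string(raw)
    attachments, body_text = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body_text.append(part.get_payload(decode=True).decode(errors="replace"))
    suspicious_names = [n for n in attachments if ATTACHMENT_RE.match(n)]
    lure_hit = bool(LURE_RE.search(" ".join(body_text)))
    return {
        "attachments": attachments,
        "matches_sigma_name": suspicious_names,
        "billing_lure": lure_hit,
        "flag": bool(suspicious_names) and lure_hit,  # both indicators present
    }

# Constructed sample message for the demo (not a real campaign capture).
SAMPLE_EML = """\
From: billing@example.invalid
To: victim@example.invalid
Subject: Scan attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

You will be billed on your personal MasterCard balance right away. See attached scan.
--XYZ
Content-Type: application/msword; name="Scan_4821.doc"
Content-Disposition: attachment; filename="Scan_4821.doc"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_EML))
```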
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to the Processes tab and look for suspicious processes that can be related to the Sigma Ransomware and end them.
Step 3: Press the Windows key + R to launch Run, type appwiz.cpl in the box, and click OK to open the Programs and Features section of Control Panel.
Step 4: Look for Sigma ransomware or any malicious program and then Uninstall it.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Navigate to the following directories and look for the malicious files created by Sigma ransomware such as Scan_[number].doc, Automated Universal MultiBoot UFD Creation Tool.exe or Guid.exe.bin. Delete all these files.
- C:\Users\(your pcname)\AppData\Roaming
Step 7: Open the Registry Editor: tap Win + R, type in regedit, and then press Enter.
Step 8: Navigate to the following path:
Step 9: Delete any registry keys and sub-keys created by Sigma ransomware
Step 10: Close the Registry Editor and empty the Recycle Bin.
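As an added example (not from the original article), this Python script automates the file check from Step 6: it walks a directory tree and reports any file whose name matches the artifacts the article attributes to Sigma (Scan_[number].doc, Automated Universal MultiBoot UFD Creation Tool.exe, Guid.exe.bin) or its ReadMe.html note. The demo() function builds a constructed folder layout in a temporary directory so the sweep can be run on any OS; the default roots (the Roaming profile folder and the Desktop) are assumed from the article's Step 6 and note-drop location.

```python
import os
import re
import tempfile
from pathlib import Path

# File names the article attributes to Sigma ransomware (Step 6) plus its ransom note.
KNOWN_NAMES = {
    "automated universal multiboot ufd creation tool.exe",
    "guid.exe.bin",
    "readme.html",
}
SCAN_DOC_RE = re.compile(r"^scan_\d+\.doc$", re.IGNORECASE)

def find_sigma_artifacts(root: Path) -> list:
    """Walk `root` and return paths whose names match the article's Sigma indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in KNOWN_NAMES or SCAN_DOC_RE.match(name):
                hits.append(Path(dirpath) / name)
    return sorted(hits)

def default_roots() -> list:
    """Locations named in the article: the Roaming profile folder and the desktop (note drop site)."""
    appdata = os.environ.get("APPDATA")  # set on Windows only
    roots = [Path.home() / "Desktop"]
    if appdata:
        roots.append(Path(appdata))
    return [r for r in roots if r.is_dir()]

def demo() -> list:
    """Constructed layout (not real malware) so the sweep is reproducible anywhere."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Roaming").mkdir()
        (root / "Roaming" / "Guid.exe.bin").write_bytes(b"x")
        (root / "Roaming" / "Scan_1207.doc").write_bytes(b"x")
        (root / "Desktop").mkdir()
        (root / "Desktop" / "ReadMe.html").write_text("constructed note")
        (root / "Desktop" / "notes.txt").write_text("benign")
        return [p.name for p in find_sigma_artifacts(root)]

if __name__ == "__main__":
    for r in default_roots():
        for hit in find_sigma_artifacts(r):
            print("possible Sigma artifact:", hit)
```

Review each hit before deleting anything: a name match alone is a lead, not proof, and the ReadMe.html name in particular is common in benign software.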
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Sigma ransomware has not deleted the shadow copies of your files. Still, this is one of the best free methods available, so it is definitely worth a try.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; proceed to the Previous Versions tab, which lists the file’s versions from before it was modified. After it loads, select one of the previous versions displayed in the list, like the one in the illustration below, and then click the Restore button.
Follow the additional steps below to ensure the removal of the Sigma ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you are on the BIOS screen, repeatedly press F8 until the Advanced Options menu appears.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking, and then press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.