Sigma Ransomware Analysis - How to remove

Sigma ransomware was recently discovered by the cyber security researcher Michael and published on Twitter. It quickly gathered a lot of attention because of the insolent distribution methods and severe damage caused to the computers.

Distributed via phishing emails

Sigma virus is being distributed with phishing emails. In fact, a sample of such letter is available, here’s original text of the email:

Hi, ****,

You are going to be billed $3,141,23 on your personal Mastercard balance right away.
Check out attachment to avoid it.
Password is 5558

Warm regards, Pasquale

Users are threatened that over 3 thousand dollars will be charged directly from their Mastercard for an unknown reason. The statement is followed with the suggestion to open attached file which would allow to avoid the payment. This sure seems like an appealing option, however, once attached file is opened it will automatically load a macro that will download a payload from hxxp://6vt4gbkwnjfnyo6g.onion.link/svchost.exe.

That’s it – malicious files of the infection will be automatically downloaded to the computer. Once inside, Sigma will check for internet connection and make sure that no anti-malware or anti-virus software is analysing its’ files. If it detects that anti-malware software is operating on a computer, it will try to terminate it. It all depends on the anti-malware software one is using whether Sigma will be able to do that or not.

Encryption process and ransom payment

Sigma ransomware will automatically send a request to the TOR server to retrieve IP address and geolocation of the infected device. After that, it will assign unique ID to the system which will be used to identify ransom payments later on.

RSA-2048 encryption will be employed to encrypt files stored on the system – unique .6Tdp extension will be added to the end of every file. In every folder with encrypted files you will notice a “Readme.txt”, which is so-called ransom note – information about your situation and instructions how you should pay the ransom. Here’s original text of the file:

What has happened to my files ? Why i am seeing this ?

All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly. It does NOT mean they are damaged.

Solution

Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decrypter along with your private key , once you run that , All of your files will be unlocked and back to normal.

So there are 2 ways to do this either you wait for a miracle and get your price doubled or follow instructions below carefully and get back your all important files.

Payment procedure

Download a special browser called “TOR browser” and then open the given below link. Steps for the same are –

1. Go to https://www.torproject.org/download/download-easy.html.en to download the “TOR Browser”.
2. Click the purple button which says “Download TOR Browser”
3. Run the downloaded file, and install it.
4. Once installation is completed, run the TOR browser by clicking the icon on Desktop.
5. Now click “Connect button”, wait a few seconds, and the TOR browser will open.
6. Copy and paste the below link in the address bar of the TOR browser.

http://yowl2ugopitfzzwb.onion/

Now HIT “Enter”

7. Wait a few seconds, and site will open then enter your GUID mentioned below and process.

[redacted]

If you have problems during installation or use of Tor Browser, please, visit Youtube and search for “Install Tor Browser Windows” and you will find a lot of videos.

Why this ransomware is different from the other ransomware viruses like Heropoint or MadBit ransomware? Because it seems to be really well crafted. If you are a victim of this ransomware, you will be provided with detailed instructions what you should do next, while other ransomware viruses fails to provide sufficient data and just leaves you hanging.

So in this case you are expected to pay $1000 in Bitcoins in 7 days. If you fail to do that, the price will go up to $2000. It’s a common technique to force victims into paying the ransom.

The desktop wallpaper on your computer will be automatically changed to this image:

You are ordered to download Tor browser which would allow you to access paysite. If you do that, you will be presented with this information on the paysite:

Sigma Ransomware

Your documents, photos, databases and other important files have been encrypted
Your files were encrypted at Nov 7 2017 7:05 AM
To recover them you need the private key of the key pair used to encrypt them and the decryptor software.
You can buy both of them for $1000.00
Within 7 days you can purchase this product at a special price: ˜ $1000
After 7 days the price of this product will increase up to: ˜ $2000
Final deadline is 06-01-2018 03:05:01 (after that you will loose your important files forever)
Register a bitcoin wallet.
Create a Bitcoin Wallet (we recommend Blockchain.info) or other wallets (click here)
Purchase the required amount of bitcoins.
There are several ways you can buy bitcoins, you can use bitcoin exchanges (click here), buy directly from people selling near you (click here) or using a bitcoin ATM (click here)
Send exactly $1000.00 to the address:
1FTgiZwhTJ1HY4gmvieio88UAfBxQtVDNj The confirmation may take several minutes, please be patient.
Status: payment awaiting…
This payment request is valid until 14-11-2017 03:05:01 UTC after that it will get double ˜ $2000
In case of any problems with payment or having any other questions, please contact us via LIVE CHAT

We do not recommend to visit that website no contact cyber criminals via email. If you do pay the ransom, you might be left without anything – there is no guarantee that cyber criminals will decrypt your files after the payment.

Removal of Sigma virus and file decryption

First of all, there is some bad news – no free decryptor for Sigma ransomware is available at the moment. So the only way to retrieve your files is to restore them from the backup. Check this tutorial (click on the link) and see if you meet all of the qualities to be able to do so.

Nevertheless, you need to remove the infection from your computer, even though this won’t restore your files. We have already mentioned, that a decent anti-malware application would be able to block this virus in real time and protect your computer from encryption. However, if your system is infected, we assume that you don’t have that software. That’s why you should download either Spyhunter and scan your computer with it. Either of those programs should be able to detect and remove files of Sigma ransomware virus.

Automatic Malware removal tools