Sigrun - How to remove

Sigrun virus is a recent crypto-ransomware that has been spreading considerably fast since the middle of May 2018. It mainly targets English-speaking users, yet is not limited to any specific location. Although this malware works much like any other ransom virus, there is one thing that is unique about Sigrun. Keep reading this article to find out what it is.

SigRun ransomware virus

Sigrun crypto-extortionist is a pretty unfortunate infection for your computer to get. Although it isn’t the most dangerous virus in cyberspace, this type of ransomware can cause a real headache for users and PC technicians. Sigrun is very persistent, uses complex encryption algorithms to lock files, appends the .sigrun extension to them and then asks for a ransom. However invincible this crypto-locker may seem, there are a few ways to defeat it.

What is Sigrun ransomware and how is it special?

Sigrun crypto-malware works just like any other ransom virus, such as Sepsis, CSGO or AutoTron. It usually spreads through infected email attachments and software bundles, installs itself on the computer without your consent, tricks the system’s protection into treating it as safe, and adds itself to the registry so that it reloads every time Windows restarts. It then scans the computer for the files that are most personal to the victim, such as pictures, audio, videos and documents. Once it identifies potential targets, Sigrun uses AES or RSA algorithms to lock the files so that the user can no longer access them, and marks them by appending the .sigrun string to the compromised file’s name (filename.png becomes filename.png.sigrun). After the encryption, the ransomware drops RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html files on the desktop and in every folder. These files display the ransom note, explain what happened to your system and give further directions to ‘get your files back’.

Sigrun’s creators, just like other cyber crooks who make ransomware, benefit (as the name suggests) from the ransom which victims pay for the promised decryption key. The transaction must be performed in cryptocurrency, usually Bitcoin, to maintain the anonymity of the hackers. There is no official information on how much Sigrun demands, but judging by other ransom viruses, prices can run from a few hundred dollars to a couple of thousand dollars in BTC. No matter what the actual price is, it is crucial not to engage with the attackers and NOT to pay the ransom. As practice shows, once crooks get the money they ignore the victim and never send any decryption tool or key. Moreover, they use the shamefully collected money to update the virus. In the end, you become not only the victim but also a sponsor of further crimes.

Sigrun ransom note says:

All your files have been encrypted by Sigrun Ransomware
Dear user, all your important files have been encrypted!
Don’t worry! Your files still can be restored by us!
In order to restore it you need to contact with us via e-mail. [email protected]
As a proof we will decrypt 3 files for free!
Please, attach this to your message:xxxxxxxxxxx.

Moreover, after running Sigrun’s file through a virustotal.com scan it becomes clear that this virus is not a joke and most reliable antivirus programs recognize it as a dangerous threat which needs to be removed as soon as possible.

But here is the special part of this ransomware. Although the .ch domain of the email address suggests that Sigrun could originate from Switzerland, the ransom note has a hidden excerpt from the ancient Norwegian poem book “Elder Edda” in the Old Norse language:

Þá brá ljóma
af Logafjöllum,
en af þeim ljómum
leiftrir kómu,
hávar und hjalmum
Him Himinvanga,
brynjur váru þeira
blóði stokknar,
en af geirum
geislar stóðu. 

Sigrun is known to be a Valkyrie in Nordic mythology, and maybe that is why the hackers chose this name for ransomware that picks which files to encrypt and which ones to spare. No matter where this crypto-extortionist is from and how artistic the poem makes it look, the most important thing is that your files are still encrypted and you need to do something about it.

How to remove Sigrun virus?

While there is no specific decryptor for Sigrun ransomware, there are a few measures you can take towards getting your files back. There is no guarantee that these tips will restore your encrypted data, yet it is still better to try than to spend a few hundred dollars on the ransom and still not get any help.

There is no easy solution in this case, but Step 1 in saving the files should be eliminating the Sigrun virus from your PC. The best tools to do it are Malwarebytes and Spyhunter. These automatic spyware removal programs scan the computer, detect the threats and delete them. You can, of course, choose any other anti-malware software or do it manually, but with manual removal you can never be sure that you removed all the harmful files and additional threats. After the Sigrun ransom-virus is gone from your system, the files will still stay encrypted, and that’s when you have to take Step 2 by following the directions below.

How to recover Sigrun encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Sigrun infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.

Step 2. Complete removal of Sigrun

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Sigrun.

Step 3. Restore Sigrun affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Sigrun tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Sigrun encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution, such as Carbonite, BackBlaze, CrashPlan or Mozy Home.
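
To see how far the recovery steps above have got, the markers this article describes (the .sigrun extension and the RESTORE-SIGRUN.txt / RESTORE-SIGRUN.html notes) can be inventoried, ideally from a clean PC with the affected drive attached as in Step 4. The Python script below is an added example, not part of the original article or of any vendor tool; the function names inventory and summary are hypothetical, and it reads directory listings only, never file contents.

```python
import os
import sys
from collections import Counter

ENCRYPTED_SUFFIX = ".sigrun"  # extension named in the article
NOTE_NAMES = {"restore-sigrun.txt", "restore-sigrun.html"}  # notes named in the article


def inventory(root):
    """Classify files under root using the article's two indicators.

    notes:     ransom note paths
    recovered: encrypted files whose original name exists again beside them
    missing:   encrypted files with no original next to them
    by_folder: count of still-missing files per folder
    errors:    folders that could not be read (reported, not silently skipped)
    """
    result = {"notes": [], "recovered": [], "missing": [],
              "by_folder": Counter(), "errors": []}
    for folder, _dirs, files in os.walk(
            root, onerror=lambda err: result["errors"].append(str(err))):
        present = {name.lower() for name in files}  # Windows compares names case-insensitively
        for name in files:
            lower = name.lower()
            path = os.path.join(folder, name)
            if lower in NOTE_NAMES:
                result["notes"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and lower != ENCRYPTED_SUFFIX:
                original = lower[:-len(ENCRYPTED_SUFFIX)]  # a.png.sigrun -> a.png
                if original in present:
                    result["recovered"].append(path)
                else:
                    result["missing"].append(path)
                    result["by_folder"][folder] += 1
    return result


def summary(result):
    """One-line status suitable for an incident log."""
    return (f"{len(result['notes'])} ransom notes, "
            f"{len(result['missing'])} files still encrypted only, "
            f"{len(result['recovered'])} with a restored original")


if __name__ == "__main__":
    res = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(summary(res))
    for folder, count in res["by_folder"].most_common(10):
        print(f"{count:6d}  {folder}")
```

A file counted as restored only means that the original name exists again next to the .sigrun copy; open a sample of those files to confirm the content is intact before deleting anything.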
