Sigma ransomware virus. How to remove? (Uninstall guide)
Sigma – ransomware that continues spreading and encrypting files in 2018
Questions about Sigma ransomware virus
Sigma is a ransomware-type cyber threat that uses RSA-2048 encryption and appends a random 4-character file extension to the targeted data. Following data encryption, it drops the ReadMe.html or ReadMe.txt file which redirects to ransom payment website. The most common way to get infected with this malware is to open a malicious email attachment. Though, security experts warn that new malspam campaign spreading the virus was noticed in March 2018.
| Summary | |
| Name | Sigma |
| Type | Ransomware |
| AV detection names | Trojan.Agent.CPOW, Trojan.Ransom.Shade!1.A988 (CLASSIC), Trojan.Generic.bcnxb etc. |
| Danger Level | High. Ransomware corrupts important Windows processes, installs malicious components and encrypts files. |
| Symptoms | Inability to open and use files due to the unknown file extension. |
| File extension | Appends random 4-character file extension. |
| Ransom note | ReadMe.html, ReadMe.txt |
| Files associated with ransomware | GUID.exe, GUID.txt, Automated Universal MultiBoot UFD Creation Tool.exe, |
At the moment, Sigma virus has a low detection ratio. It is spreads disguised as Automated Universal MultiBoot UFD Creation Tool.exe file or Guid.exe.bin. It is detectable as Trojan.Agent.CPOW,[1], Trojan.Ransom.Shade!1.A988 (CLASSIC), etc. The former sample is only identified by one security tool as Trojan.Generic.bcnxb[2] file. Observing the former alternative trojan name and the very design of the ransom note, it is possible to assume its relation to Shade malware.
Furthermore, the virus also reads technical computer details, particularly RDP protocols. It also creates a counterfeited system process to disguise its activity. Interestingly, the malware has anti-sandboxing features. It maneuvers to escape the detection. If the occupied system happens to be natural OS environment rather than a virtual machine, the malware then connects to http://ip.api/json.txt[3] and send the data about victim’s geolocation. Hence, Sigma ransomware removal is needed to fix the damage to the device.
However, the main task of the ransomware is to encrypt files on the affected computer. During the process, it places ReadMe.html file which directs users to an online payment site. It briefly informs users about the encrypted data. It instructs them to download TorBrowser and access the specific .onion page.[4] The latter presents a page entitled a “Sigma Ransomware” and asks to enter machine GUID. It also includes a link to download the GUID Helper.
After the encryption is finished, the malware also changes the desktop background. The message urges users to find “Readme” file or visit the mentioned .onion link and enter the personal ID number indicated on the ransom note. On the desktop, Sigma ransomware also leaves GUID.exe and GUID.txt files.
Speaking of the payment site, it consists of several pages. One of them indicated the exact time when your files were encrypted. It demands $1000 for the decryption software. If payment is not remitted within 7 days, the ransom amount will double. On the same .onion page, victims are encouraged to create Bitcoin wallet.
Sigma ransomware analysis revealed that unlike standard ransomware, this crypto-malware does not provide an email address but instead suggests using Xamp account. It also includes Pidgin Installation Guide link. Therefore, they contact the perpetrator via Sigmaxxx@jabb.im[3] address.
Instead of complying with the demands, remove Sigma ransomware. You can do so with the assistance of Reimage or Malwarebytes Anti Malware. You might need to boot your computer into Safe Mode. Further instructions are indicated below. Unfortunately, Sigma ransomware decryptor is not available yet. However, you can try alternative recovery methods that are also given at the end of the article.
Select 'Safe Mode with Networking'
Select 'Enable Safe Mode with Networking'
Select 'Safe Mode with Command Prompt'
Select 'Enable Safe Mode with Command Prompt'
Enter 'cd restore' without quotes and press 'Enter'
Enter 'rstrui.exe' without quotes and press 'Enter'
When 'System Restore' window shows up, select 'Next'
Select your restore point and click 'Next'
Click 'Yes' and start system restore
Fake Craigslist emails were noticed spreading Sigma ransomware in March 2018
Authors of Sigma virus launched a new malspam campaign to spread malware payload. This time crooks sent fake emails from Craiglist that contained password-protected Word or RTF documents. Of course, these documents include ransomware executable.
Users who open an infected email and enter the password are asked to enable content on the document. As soon as it's done, a malicious VBA script is launched. Immediately after the click on “Enable Content Button,” a password-protect RAR is downloaded and extracted to %Temp% folder. This folder contains svchost.exe file which executes ransomware.
Fake scanned files include malware executable
While the malware presents detailed GUI and payment sites, its distribution campaign is quite distinctive than other crypto-malware. Sigma malware is delivered in a spam email attachment “Scan_[number].doc” file.
The email message briefly states the that the receiver is going to be billed [money amount] on their personal Mastercard balance right away. In order to avoid it, they should review the attachment. It also includes a passcode. However, entering the code activates Sigma hijack. Interestingly, though the malware is written in English, it was spotted in Greek[5] domains.
Besides spam emails, users should be also vigilant while downloading applications. Pay attention to what source you download it and whether it is certified. Pay attention to the installation wizard stages to deselect optional and unnecessary add-ons. Now let us move to Sigma ransomware fix section.
Instructions on how to remove Sigma ransomware
Sigma removal is needed to clean the computer and use it normally again. Unfortunately, virus elimination does not help to get back encrypted files. However, you can try third-party software or use backup as soon as your computer is ransomware-free.
You may do so with the assistance of malware elimination tool, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware. In case you cannot launch to remove Sigma virus, perform System Restore or restart the computer in Safe Mode. Only after the eliminate the malware, proceed to data recovery.
Manual Sigma virus Removal Guide:
Remove Sigma using Safe Mode with Networking
Follow these steps to boot the computer into Safe Mode with Networking:
-
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Safe Mode with Networking from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
-
Step 2: Remove Sigma
Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sigma removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Remove Sigma using System Restore
This method might help to disable Sigma malware and run automatic removal:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of Sigma. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Sigma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Sigma, you can use several methods to restore them:
Data Recovery Pro software can help to restore files
Though this software is designed to recover files after a system crash, it might prove to be effective in this case as well.
- Download Data Recovery Pro (https://www.2-spyware.com/download/data-recovery-pro-setup.exe);
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Sigma ransomware;
- Restore them.
The benefits of ShadowExplorer
There are no reports about Sigma ransomware deleting shadow volume copies, so this software might help you recover some of the files by using the mentioned copies.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Sigma Decryptor
At the moment, there is no free decryption software released for this ransomware variant. It is not recommended to use the one offered by the malware developers as it may only facilitate future hijack of the operating system.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sigma and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware
About the author
References
- ^ Automated Universal MultiBoot UFD Creation Tool.exe. VirusTotal. Free malicious file and URL online analysis service.
- ^ GUID.exe.bin. VirusTotal. Free malicious file and URL online analysis service.
- ^ Threat Actors Go Greek Using Sigma Ransomware. MalwareMayhem. Malware analysis and insights.
- ^ CyberSecurity. Sigma Ransomware random adds extensions to encrypted file!T. Twitter. Online source for news and communication.
- ^ Eliminate computer threats. Ioys. Cybersecurity news in Greek.