Remove Sigma ransomware / virus (Removal Instructions) - Mar 2018 update

removal by Julie Splinters - - | Type: Ransomware

Sigma virus Removal Guide

What is Sigma ransomware virus?

Sigma ransomware is a dangerous virus which can cause massive losses for its victim

Sigma ransomware. The screenshot

Sigma ransomware is a dangerous cyber threat that uses RSA-2048 encryption and appends a random 4-character file extension to the targeted data. Following data encryption, it drops the ReadMe.html or ReadMe.txt file which redirects to ransom payment website. The most common way to get infected with this malware is to open a malicious email attachment. Though, security experts warn that a new malspam campaign spreading the virus was noticed in March 2018.

Summary
Name Sigma
Type Ransomware
AV detection names Trojan.Agent.CPOW, Trojan.Ransom.Shade!1.A988 (CLASSIC), Trojan.Generic.bcnxb etc.
Danger Level High. Ransomware corrupts important Windows processes, installs malicious components and encrypts files.
Symptoms Inability to open and use files due to the unknown file extension.
File extension Appends random 4-character file extension.
Ransom note ReadMe.html, ReadMe.txt
Files associated with ransomware GUID.exe, GUID.txt, Automated Universal MultiBoot UFD Creation Tool.exe,

At the moment, Sigma ransomware analysis reveals that the virus has a high detection ratio. It is spreads disguised as Automated Universal MultiBoot UFD Creation Tool.exe file or Guid.exe.bin. It can be detected by your anti-virus as Trojan.Agent.CPOW,[1], Trojan.Ransom.Shade!1.A988 (CLASSIC), etc. The former sample is only identified by one security tool as Trojan.Generic.bcnxb.[2] Observing that the design of the ransom note is almost identical to Shade ransomware, it seems that their developers are related or maybe the same person.

Once inside the target computer system, virus reads technical computer details, particularly RDP protocols. It also creates a counterfeited system process to disguise its activity. Interestingly, Sigma ransomware has anti-sandboxing feature which is used to prevent the detection. If the occupied system happens to be natural OS environment rather than a virtual machine, the malware connects to http://ip.api/json.txt[3] and sends the data about victim’s geolocation. Hence, Sigma ransomware removal is needed to prevent additional damage caused by this virus to the device.

Sigma wallpaper

However, the main task of the ransomware is to encrypt files on the affected computer. During the process, it places ReadMe.html file which directs users to an online payment site. It briefly informs users about the encrypted data. It instructs them to download TorBrowser and access the specific .onion page.[4] The latter presents a page entitled a “Sigma Ransomware” and asks to enter machine GUID. It also includes a link to download the GUID Helper.

Once the encryption is finished, malware also changes the desktop background. The message urges users to find “Readme” file or visit the mentioned .onion link and enter the personal ID number indicated on the ransom note. Sigma ransomware also leaves GUID.exe and GUID.txt files on computer's desktop.

Speaking of the payment site, it consists of several pages. One of them indicated the exact time when your files were encrypted. It demands $1000 for the decryption software. If payment is not remitted within 7 days, the ransom amount will double. On the same .onion page, victims are encouraged to create Bitcoin wallet.

Sigma payment website

Unlike standard ransomware, this malware does not provide an email address but instead suggests using Xamp account. It also includes Pidgin Installation Guide link. Therefore, they contact the perpetrator via Sigmaxxx@jabb.im[3] address.

Instead of complying with the demands, remove Sigma ransomware. You can do so with the assistance of ReimageIntego or Malwarebytes. You might need to boot your computer into Safe Mode. Further instructions are indicated below. Unfortunately, Sigma ransomware decryptor is not available yet. However, you can try alternative recovery methods that are also given at the end of the article.

Sigma ransomware illustrationSigma malware perpetrators give 4 months to pay the ransom, after that the decryption key is said to be deleted permanently.

Fake Craigslist emails were noticed spreading Sigma ransomware in March 2018

Authors of Sigma virus launched a new malspam campaign to spread malware payload. This time crooks sent fake emails from Craiglist that contained password-protected Word or RTF documents. Of course, these documents include ransomware executable.

Sigma ransomware is spread via malicious emails

Users who open an infected email and enter the password are asked to enable content on the document. As soon as it's done, a malicious VBA script is launched. Immediately after the click on “Enable Content Button,” a password-protect RAR is downloaded and extracted to %Temp% folder. This folder contains svchost.exe file which executes ransomware.

Sigma is downloaded from Word document

Fake scanned files include malware executable

While the malware presents detailed GUI and payment sites, its distribution campaign is quite distinctive than other crypto-malware. Malware is delivered in a spam email attachment “Scan_[number].doc” file.

The email message briefly states the that the receiver is going to be billed [money amount] on their personal Mastercard balance right away. In order to avoid it, they should review the attachment. It also includes a passcode. However, entering the code activates the virus. Interestingly, though the malware is written in English, it was spotted in Greek[5] domains.

Besides spam emails, users should be also vigilant while downloading applications. Pay attention to what source you download it and whether it is certified. Pay attention to the installation wizard stages to deselect optional and unnecessary add-ons. Now let us move to ransomware fix section.

Instructions on how to remove Sigma ransomware

Sigma ransomware removal is needed to clean the computer and use it normally again. Besides, this procedure will prevent the further loss of your files. Unfortunately, virus elimination does not help to recover encrypted files. However, you can try using third-party software or backups of your encrypted files as soon as your computer is ransomware-free.

To recover yourself after ransomware attack, use one of these tools: ReimageIntego, SpyHunter 5Combo Cleaner, Malwarebytes. In case you cannot launch any of them to remove Sigma ransomware, perform System Restore or restart the computer in Safe Mode. Only after you eliminate the malware, proceed to data recovery. Options that you can use are provided below as well.

Offer
do it now!
Download
Reimage Happiness
Guarantee Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Press mentions on Reimage
press
Reimage review | Terms of Use | Privacy policy | Refund Policy | Press | Uninstall guide
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Download SpyHunter 5 Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Malwarebytes
Download | Review | Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
Download Combo Cleaner Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions

Getting rid of Sigma virus. Follow these steps

Manual removal using Safe Mode

Follow these steps to boot the computer into Safe Mode with Networking and get rid of crypto-virus from your computer:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Sigma using System Restore

Use System Restore to disable Sigma and launch automatic virus removal software:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Sigma. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Sigma removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Sigma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Sigma, you can use several methods to restore them:

Recover your data
Recover your data

Data Recovery Pro software can help to restore files

Though this software is designed to recover files after a system crash, it might prove to be effective in this case as well.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Sigma ransomware;
  • Restore them.

The benefits of ShadowExplorer

There are no reports about Sigma ransomware deleting shadow volume copies, so this software might help you recover some of the files by using the mentioned copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Sigma Decryptor

At the moment, there is no free decryption software released for this ransomware variant. It is not recommended to use the one offered by the malware developers as it may only facilitate future hijack of the operating system.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sigma and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.

 

Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References
Removal guides in other languages