Severity scale:  
  (97/100)

Remove Sigma ransomware / virus (Removal Instructions) - Aug 2019 update

removal by Julie Splinters - - | Type: Ransomware
Add comment
1 solved questions
12865 views

Sigma ransomware is a dangerous virus which can cause massive losses for its victim

Sigma ransomware. The screenshot

Questions about Sigma ransomware virus

Sigma ransomware is a dangerous cyber threat that uses RSA-2048 encryption and appends a random 4-character file extension to the targeted data. Following data encryption, it drops the ReadMe.html or ReadMe.txt file which redirects to ransom payment website. The most common way to get infected with this malware is to open a malicious email attachment. Though, security experts warn that a new malspam campaign spreading the virus was noticed in March 2018.

Summary
Name Sigma
Type Ransomware
AV detection names Trojan.Agent.CPOW, Trojan.Ransom.Shade!1.A988 (CLASSIC), Trojan.Generic.bcnxb etc.
Danger Level High. Ransomware corrupts important Windows processes, installs malicious components and encrypts files.
Symptoms Inability to open and use files due to the unknown file extension.
File extension Appends random 4-character file extension.
Ransom note ReadMe.html, ReadMe.txt
Files associated with ransomware GUID.exe, GUID.txt, Automated Universal MultiBoot UFD Creation Tool.exe,

At the moment, Sigma ransomware analysis reveals that the virus has a high detection ratio. It is spreads disguised as Automated Universal MultiBoot UFD Creation Tool.exe file or Guid.exe.bin. It can be detected by your anti-virus as Trojan.Agent.CPOW,[1], Trojan.Ransom.Shade!1.A988 (CLASSIC), etc. The former sample is only identified by one security tool as Trojan.Generic.bcnxb.[2] Observing that the design of the ransom note is almost identical to Shade ransomware, it seems that their developers are related or maybe the same person.

Once inside the target computer system, virus reads technical computer details, particularly RDP protocols. It also creates a counterfeited system process to disguise its activity. Interestingly, Sigma ransomware has anti-sandboxing feature which is used to prevent the detection. If the occupied system happens to be natural OS environment rather than a virtual machine, the malware connects to http://ip.api/json.txt[3] and sends the data about victim’s geolocation. Hence, Sigma ransomware removal is needed to prevent additional damage caused by this virus to the device.

Sigma wallpaper

However, the main task of the ransomware is to encrypt files on the affected computer. During the process, it places ReadMe.html file which directs users to an online payment site. It briefly informs users about the encrypted data. It instructs them to download TorBrowser and access the specific .onion page.[4] The latter presents a page entitled a “Sigma Ransomware” and asks to enter machine GUID. It also includes a link to download the GUID Helper.

Once the encryption is finished, malware also changes the desktop background. The message urges users to find “Readme” file or visit the mentioned .onion link and enter the personal ID number indicated on the ransom note. Sigma ransomware also leaves GUID.exe and GUID.txt files on computer's desktop.

Speaking of the payment site, it consists of several pages. One of them indicated the exact time when your files were encrypted. It demands $1000 for the decryption software. If payment is not remitted within 7 days, the ransom amount will double. On the same .onion page, victims are encouraged to create Bitcoin wallet.

Sigma payment website

Unlike standard ransomware, this malware does not provide an email address but instead suggests using Xamp account. It also includes Pidgin Installation Guide link. Therefore, they contact the perpetrator via Sigmaxxx@jabb.im[3] address.

Instead of complying with the demands, remove Sigma ransomware. You can do so with the assistance of Reimage or Malwarebytes. You might need to boot your computer into Safe Mode. Further instructions are indicated below. Unfortunately, Sigma ransomware decryptor is not available yet. However, you can try alternative recovery methods that are also given at the end of the article.

Sigma ransomware illustration
Sigma malware perpetrators give 4 months to pay the ransom, after that the decryption key is said to be deleted permanently.

Fake Craigslist emails were noticed spreading Sigma ransomware in March 2018

Authors of Sigma virus launched a new malspam campaign to spread malware payload. This time crooks sent fake emails from Craiglist that contained password-protected Word or RTF documents. Of course, these documents include ransomware executable. 

Sigma ransomware is spread via malicious emails

Users who open an infected email and enter the password are asked to enable content on the document. As soon as it's done, a malicious VBA script is launched. Immediately after the click on “Enable Content Button,” a password-protect RAR is downloaded and extracted to %Temp% folder. This folder contains svchost.exe file which executes ransomware.

Sigma is downloaded from Word document

Fake scanned files include malware executable

While the malware presents detailed GUI and payment sites, its distribution campaign is quite distinctive than other crypto-malware. Malware is delivered in a spam email attachment “Scan_[number].doc” file.

The email message briefly states the that the receiver is going to be billed [money amount] on their personal Mastercard balance right away. In order to avoid it, they should review the attachment. It also includes a passcode. However, entering the code activates the virus. Interestingly, though the malware is written in English, it was spotted in Greek[5] domains.

Besides spam emails, users should be also vigilant while downloading applications. Pay attention to what source you download it and whether it is certified. Pay attention to the installation wizard stages to deselect optional and unnecessary add-ons. Now let us move to ransomware fix section.

Instructions on how to remove Sigma ransomware

Sigma ransomware removal is needed to clean the computer and use it normally again. Besides, this procedure will prevent the further loss of your files. Unfortunately, virus elimination does not help to recover encrypted files. However, you can try using third-party software or backups of your encrypted files as soon as your computer is ransomware-free.

To recover yourself after ransomware attack, use one of these tools: Reimage, SpyHunter 5Combo Cleaner, Malwarebytes. In case you cannot launch any of them to remove Sigma ransomware, perform System Restore or restart the computer in Safe Mode. Only after you eliminate the malware, proceed to data recovery. Options that you can use are provided below as well.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Press mentions on Reimage
Reimage review | Terms of Use | Privacy policy | Refund Policy | Press | Uninstall guide Reimage review | Terms of Use | Privacy policy | Refund Policy | Press | Uninstall guide
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter 5.
Download SpyHunter 5 Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Malwarebytes
Download | Review | Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.
Download Combo Cleaner Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions

To remove Sigma virus, follow these steps:

Remove Sigma using Safe Mode with Networking

Follow these steps to boot the computer into Safe Mode with Networking and get rid of crypto-virus from your computer:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Sigma

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sigma removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Sigma using System Restore

Use System Restore to disable Sigma and launch automatic virus removal software:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Sigma. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Sigma removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Sigma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Sigma, you can use several methods to restore them:

Recover your data

Data Recovery Pro software can help to restore files

Though this software is designed to recover files after a system crash, it might prove to be effective in this case as well.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Sigma ransomware;
  • Restore them.

The benefits of ShadowExplorer

There are no reports about Sigma ransomware deleting shadow volume copies, so this software might help you recover some of the files by using the mentioned copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Sigma Decryptor

At the moment, there is no free decryption software released for this ransomware variant. It is not recommended to use the one offered by the malware developers as it may only facilitate future hijack of the operating system.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sigma and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References

Removal guides in other languages

  Kom van het Sigma-gijzelsofware-virus af
  избавляться от вирус-вымогателя Sigma
  Sigma usuwanie
  Werden Sie die Sigma-Erpressersoftware los
  Livre-se do vírus ransomware Sigma
  Instrucciones de eliminación de Sigma
  Kuinka poistaa Sigma lunnasohjelma virus
  Sigma ランサムウェア・ウィルスの除去方法

This entry was posted on 2019-08-01 at 00:40 and is filed under Ransomware, Viruses.

Your opinion regarding Sigma ransomware virus