Sigma ransomware virus. How to remove? (Uninstall guide)
Sigma ransomware is a dangerous virus which can cause massive losses for its victim
Questions about Sigma ransomware virus
Sigma ransomware is a dangerous cyber threat that uses RSA-2048 encryption and appends a random 4-character file extension to the targeted data. Following data encryption, it drops the ReadMe.html or ReadMe.txt file which redirects to ransom payment website. The most common way to get infected with this malware is to open a malicious email attachment. Though, security experts warn that a new malspam campaign spreading the virus was noticed in March 2018.
Summary | |
Name | Sigma |
---|---|
Type | Ransomware |
AV detection names | Trojan.Agent.CPOW, Trojan.Ransom.Shade!1.A988 (CLASSIC), Trojan.Generic.bcnxb etc. |
Danger Level | High. Ransomware corrupts important Windows processes, installs malicious components and encrypts files. |
Symptoms | Inability to open and use files due to the unknown file extension. |
File extension | Appends random 4-character file extension. |
Ransom note | ReadMe.html, ReadMe.txt |
Files associated with ransomware | GUID.exe, GUID.txt, Automated Universal MultiBoot UFD Creation Tool.exe, |
At the moment, Sigma ransomware analysis reveals that the virus has a high detection ratio. It is spreads disguised as Automated Universal MultiBoot UFD Creation Tool.exe file or Guid.exe.bin. It can be detected by your anti-virus as Trojan.Agent.CPOW,[1], Trojan.Ransom.Shade!1.A988 (CLASSIC), etc. The former sample is only identified by one security tool as Trojan.Generic.bcnxb.[2] Observing that the design of the ransom note is almost identical to Shade ransomware, it seems that their developers are related or maybe the same person.
Once inside the target computer system, virus reads technical computer details, particularly RDP protocols. It also creates a counterfeited system process to disguise its activity. Interestingly, Sigma ransomware has anti-sandboxing feature which is used to prevent the detection. If the occupied system happens to be natural OS environment rather than a virtual machine, the malware connects to http://ip.api/json.txt[3] and sends the data about victim’s geolocation. Hence, Sigma ransomware removal is needed to prevent additional damage caused by this virus to the device.
However, the main task of the ransomware is to encrypt files on the affected computer. During the process, it places ReadMe.html file which directs users to an online payment site. It briefly informs users about the encrypted data. It instructs them to download TorBrowser and access the specific .onion page.[4] The latter presents a page entitled a “Sigma Ransomware” and asks to enter machine GUID. It also includes a link to download the GUID Helper.
Once the encryption is finished, malware also changes the desktop background. The message urges users to find “Readme” file or visit the mentioned .onion link and enter the personal ID number indicated on the ransom note. Sigma ransomware also leaves GUID.exe and GUID.txt files on computer's desktop.
Speaking of the payment site, it consists of several pages. One of them indicated the exact time when your files were encrypted. It demands $1000 for the decryption software. If payment is not remitted within 7 days, the ransom amount will double. On the same .onion page, victims are encouraged to create Bitcoin wallet.
Unlike standard ransomware, this malware does not provide an email address but instead suggests using Xamp account. It also includes Pidgin Installation Guide link. Therefore, they contact the perpetrator via Sigmaxxx@jabb.im[3] address.
Instead of complying with the demands, remove Sigma ransomware. You can do so with the assistance of Reimage or Plumbytes Anti-MalwareMalwarebytes Malwarebytes. You might need to boot your computer into Safe Mode. Further instructions are indicated below. Unfortunately, Sigma ransomware decryptor is not available yet. However, you can try alternative recovery methods that are also given at the end of the article.


Select 'Safe Mode with Networking'

Select 'Enable Safe Mode with Networking'

Select 'Safe Mode with Command Prompt'

Select 'Enable Safe Mode with Command Prompt'

Enter 'cd restore' without quotes and press 'Enter'

Enter 'rstrui.exe' without quotes and press 'Enter'

When 'System Restore' window shows up, select 'Next'

Select your restore point and click 'Next'

Click 'Yes' and start system restore
Fake Craigslist emails were noticed spreading Sigma ransomware in March 2018
Authors of Sigma virus launched a new malspam campaign to spread malware payload. This time crooks sent fake emails from Craiglist that contained password-protected Word or RTF documents. Of course, these documents include ransomware executable.
Users who open an infected email and enter the password are asked to enable content on the document. As soon as it's done, a malicious VBA script is launched. Immediately after the click on “Enable Content Button,” a password-protect RAR is downloaded and extracted to %Temp% folder. This folder contains svchost.exe file which executes ransomware.
Fake scanned files include malware executable
While the malware presents detailed GUI and payment sites, its distribution campaign is quite distinctive than other crypto-malware. Malware is delivered in a spam email attachment “Scan_[number].doc” file.
The email message briefly states the that the receiver is going to be billed [money amount] on their personal Mastercard balance right away. In order to avoid it, they should review the attachment. It also includes a passcode. However, entering the code activates the virus. Interestingly, though the malware is written in English, it was spotted in Greek[5] domains.
Besides spam emails, users should be also vigilant while downloading applications. Pay attention to what source you download it and whether it is certified. Pay attention to the installation wizard stages to deselect optional and unnecessary add-ons. Now let us move to ransomware fix section.
Instructions on how to remove Sigma ransomware
Sigma ransomware removal is needed to clean the computer and use it normally again. Besides, this procedure will prevent the further loss of your files. Unfortunately, virus elimination does not help to recover encrypted files. However, you can try using third-party software or backups of your encrypted files as soon as your computer is ransomware-free.
To recover yourself after ransomware attack, use one of these tools: Reimage, Malwarebytes MalwarebytesCombo Cleaner, Plumbytes Anti-MalwareMalwarebytes Malwarebytes. In case you cannot launch any of them to remove Sigma ransomware, perform System Restore or restart the computer in Safe Mode. Only after you eliminate the malware, proceed to data recovery. Options that you can use are provided below as well.
To remove Sigma virus, follow these steps:
Remove Sigma using Safe Mode with Networking
Follow these steps to boot the computer into Safe Mode with Networking and get rid of crypto-virus from your computer:
-
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Safe Mode with Networking from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
-
Step 2: Remove Sigma
Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sigma removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Remove Sigma using System Restore
Use System Restore to disable Sigma and launch automatic virus removal software:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of Sigma. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Sigma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Sigma, you can use several methods to restore them:
Data Recovery Pro software can help to restore files
Though this software is designed to recover files after a system crash, it might prove to be effective in this case as well.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Sigma ransomware;
- Restore them.
The benefits of ShadowExplorer
There are no reports about Sigma ransomware deleting shadow volume copies, so this software might help you recover some of the files by using the mentioned copies.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Sigma Decryptor
At the moment, there is no free decryption software released for this ransomware variant. It is not recommended to use the one offered by the malware developers as it may only facilitate future hijack of the operating system.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sigma and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes
About the author
References
- ^ Automated Universal MultiBoot UFD Creation Tool.exe. VirusTotal. Free malicious file and URL online analysis service.
- ^ GUID.exe.bin. VirusTotal. Free malicious file and URL online analysis service.
- ^ Threat Actors Go Greek Using Sigma Ransomware. MalwareMayhem. Malware analysis and insights.
- ^ CyberSecurity. Sigma Ransomware random adds extensions to encrypted file!T. Twitter. Online source for news and communication.
- ^ Eliminate computer threats. Ioys. Cybersecurity news in Greek.