Severity scale:

(97/100)

Remove Sigma ransomware / virus (Removal Instructions) - Apr 2020 update

removal by Julie Splinters - - 2020-04-01 | Type: Ransomware

Add comment

1 solved questions

17898 views

Sigma ransomware is a dangerous virus which can cause massive losses for its victim

Questions about Sigma ransomware virus

Sigma virus removal request 11/03/18 1

Sigma ransomware is a dangerous cyber threat that uses RSA-2048 encryption and appends a random 4-character file extension to the targeted data. Following data encryption, it drops the ReadMe.html or ReadMe.txt file which redirects to ransom payment website. The most common way to get infected with this malware is to open a malicious email attachment. Though, security experts warn that a new malspam campaign spreading the virus was noticed in March 2018.

Summary
Name	Sigma
Type	Ransomware
AV detection names	Trojan.Agent.CPOW, Trojan.Ransom.Shade!1.A988 (CLASSIC), Trojan.Generic.bcnxb etc.
Danger Level	High. Ransomware corrupts important Windows processes, installs malicious components and encrypts files.
Symptoms	Inability to open and use files due to the unknown file extension.
File extension	Appends random 4-character file extension.
Ransom note	ReadMe.html, ReadMe.txt
Files associated with ransomware	GUID.exe, GUID.txt, Automated Universal MultiBoot UFD Creation Tool.exe,

At the moment, Sigma ransomware analysis reveals that the virus has a high detection ratio. It is spreads disguised as Automated Universal MultiBoot UFD Creation Tool.exe file or Guid.exe.bin. It can be detected by your anti-virus as Trojan.Agent.CPOW,^[1], Trojan.Ransom.Shade!1.A988 (CLASSIC), etc. The former sample is only identified by one security tool as Trojan.Generic.bcnxb.^[2] Observing that the design of the ransom note is almost identical to Shade ransomware, it seems that their developers are related or maybe the same person.

Once inside the target computer system, virus reads technical computer details, particularly RDP protocols. It also creates a counterfeited system process to disguise its activity. Interestingly, Sigma ransomware has anti-sandboxing feature which is used to prevent the detection. If the occupied system happens to be natural OS environment rather than a virtual machine, the malware connects to http://ip.api/json.txt^[3] and sends the data about victim’s geolocation. Hence, Sigma ransomware removal is needed to prevent additional damage caused by this virus to the device.

However, the main task of the ransomware is to encrypt files on the affected computer. During the process, it places ReadMe.html file which directs users to an online payment site. It briefly informs users about the encrypted data. It instructs them to download TorBrowser and access the specific .onion page.^[4] The latter presents a page entitled a “Sigma Ransomware” and asks to enter machine GUID. It also includes a link to download the GUID Helper.

Once the encryption is finished, malware also changes the desktop background. The message urges users to find “Readme” file or visit the mentioned .onion link and enter the personal ID number indicated on the ransom note. Sigma ransomware also leaves GUID.exe and GUID.txt files on computer's desktop.

Speaking of the payment site, it consists of several pages. One of them indicated the exact time when your files were encrypted. It demands $1000 for the decryption software. If payment is not remitted within 7 days, the ransom amount will double. On the same .onion page, victims are encouraged to create Bitcoin wallet.

Unlike standard ransomware, this malware does not provide an email address but instead suggests using Xamp account. It also includes Pidgin Installation Guide link. Therefore, they contact the perpetrator via Sigmaxxx@jabb.im^[3] address.

Instead of complying with the demands, remove Sigma ransomware. You can do so with the assistance of Reimage Reimage Cleaner Intego or Malwarebytes. You might need to boot your computer into Safe Mode. Further instructions are indicated below. Unfortunately, Sigma ransomware decryptor is not available yet. However, you can try alternative recovery methods that are also given at the end of the article.

Sigma ransomware illustration
Sigma malware perpetrators give 4 months to pay the ransom, after that the decryption key is said to be deleted permanently.

Fake Craigslist emails were noticed spreading Sigma ransomware in March 2018

Authors of Sigma virus launched a new malspam campaign to spread malware payload. This time crooks sent fake emails from Craiglist that contained password-protected Word or RTF documents. Of course, these documents include ransomware executable.

Users who open an infected email and enter the password are asked to enable content on the document. As soon as it's done, a malicious VBA script is launched. Immediately after the click on “Enable Content Button,” a password-protect RAR is downloaded and extracted to %Temp% folder. This folder contains svchost.exe file which executes ransomware.

Fake scanned files include malware executable

While the malware presents detailed GUI and payment sites, its distribution campaign is quite distinctive than other crypto-malware. Malware is delivered in a spam email attachment “Scan_[number].doc” file.

The email message briefly states the that the receiver is going to be billed [money amount] on their personal Mastercard balance right away. In order to avoid it, they should review the attachment. It also includes a passcode. However, entering the code activates the virus. Interestingly, though the malware is written in English, it was spotted in Greek^[5] domains.

Besides spam emails, users should be also vigilant while downloading applications. Pay attention to what source you download it and whether it is certified. Pay attention to the installation wizard stages to deselect optional and unnecessary add-ons. Now let us move to ransomware fix section.

Instructions on how to remove Sigma ransomware

Sigma ransomware removal is needed to clean the computer and use it normally again. Besides, this procedure will prevent the further loss of your files. Unfortunately, virus elimination does not help to recover encrypted files. However, you can try using third-party software or backups of your encrypted files as soon as your computer is ransomware-free.

To recover yourself after ransomware attack, use one of these tools: Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner, Malwarebytes. In case you cannot launch any of them to remove Sigma ransomware, perform System Restore or restart the computer in Safe Mode. Only after you eliminate the malware, proceed to data recovery. Options that you can use are provided below as well.

Offer

do it now!

Download
Reimage Happiness
Guarantee Download
Intego Happiness
Guarantee

Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions

What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

press

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Download Combo Cleaner Review »

To remove Sigma virus, follow these steps:

Remove Sigma using Safe Mode with Networking

Follow these steps to boot the computer into Safe Mode with Networking and get rid of crypto-virus from your computer:

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Sigma

Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sigma removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Sigma using System Restore

Use System Restore to disable Sigma and launch automatic virus removal software:

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Sigma. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Sigma removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Sigma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Sigma, you can use several methods to restore them:

Recover your data

Data Recovery Pro software can help to restore files

Though this software is designed to recover files after a system crash, it might prove to be effective in this case as well.

Download Data Recovery Pro;
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by Sigma ransomware;
Restore them.

The benefits of ShadowExplorer

There are no reports about Sigma ransomware deleting shadow volume copies, so this software might help you recover some of the files by using the mentioned copies.

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Sigma Decryptor

At the moment, there is no free decryption software released for this ransomware variant. It is not recommended to use the one offered by the malware developers as it may only facilitate future hijack of the operating system.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sigma and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions