We have reported several cases in which Russian malware authors avoid infecting computers in their own country, and the Sigrun case adds a twist.
The author of the Sigrun Ransomware hands the decryption key to Russian victims for free, while the malware demands a ransom of $2,500 worth of Bitcoin or Dash from everyone else.
The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.
The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout, a common precaution among Russian vxers who want to stay clear of their local authorities.
When Sigrun ransomware is executed, it first checks “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine whether a Russian layout is installed. If the machine is using a Russian layout, it does not encrypt any files and deletes itself.
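To make the check concrete, here is an added example (written for this article, not code from the Sigrun sample or from BleepingComputer's analysis) that parses the values of HKCU\Keyboard Layout\Preload the way such a locale check has to. Each Preload value is an 8-hex-digit keyboard layout identifier (KLID); its low 16 bits are the Windows LANGID, and the low 10 bits of that are the primary language (0x19 Russian, 0x22 Ukrainian, 0x23 Belarusian; these are standard Microsoft values). The `read_preload_from_registry` helper only works on Windows and is an assumption about how a triage script would collect the values; the sample value lists in the comments and tests are constructed.

```python
import re
from typing import Iterable, List, Optional

# Windows primary-language IDs (low 10 bits of a LANGID). Standard Microsoft
# values; the Sigrun sample itself is not available on this page.
LANG_RUSSIAN = 0x19      # ru-RU is LANGID 0x0419, KLID "00000419"
LANG_UKRAINIAN = 0x22    # uk-UA is LANGID 0x0422, KLID "00000422"
LANG_BELARUSIAN = 0x23   # be-BY is LANGID 0x0423, KLID "00000423"

KLID_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def primary_language(klid: str) -> Optional[int]:
    """Return the primary language ID of a Preload entry, or None if malformed.

    Preload values look like "00000409" (US) or "00010409" (US Dvorak): the
    high word selects a layout variant, the low word is the LANGID, and the
    low 10 bits of the LANGID identify the language regardless of region.
    """
    klid = klid.strip()
    if not KLID_RE.match(klid):
        return None
    langid = int(klid, 16) & 0xFFFF
    return langid & 0x03FF


def has_excluded_layout(preload_values: Iterable[str],
                        excluded=frozenset({LANG_RUSSIAN})) -> bool:
    """True if any installed layout belongs to an excluded language.

    Sigrun, as described above, bails out on Russian; the author said an
    exclusion for Ukrainian was added later, so `excluded` is a parameter.
    """
    return any(primary_language(v) in excluded for v in preload_values)


def read_preload_from_registry() -> List[str]:
    """Collect HKCU\\Keyboard Layout\\Preload values on Windows; [] elsewhere.

    Assumption for illustration: a triage script reads the current user's
    hive. The key is per-user, so check each profile that matters.
    """
    try:
        import winreg
    except ImportError:
        return []
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                _name, data, _kind = winreg.EnumValue(key, index)
            except OSError:        # no more values
                break
            values.append(str(data))
            index += 1
    return values


if __name__ == "__main__":
    # Constructed sample: US layout plus Russian, as on many bilingual hosts.
    sample = ["00000409", "00000419"]
    print("Russian layout present:", has_excluded_layout(sample))
    print("Russian or Ukrainian:", has_excluded_layout(sample, {LANG_RUSSIAN, LANG_UKRAINIAN}))
    live = read_preload_from_registry()
    if live:
        print("This host:", live, "->", has_excluded_layout(live))
```

Two caveats for anyone tempted to use this as a defense: the check reads the interactive user's Preload list, so it is per-user and trivially changed, and a variant may key on the active input language instead of the installed list. Adding a Russian layout is a brittle trick, not a control; the parser is more useful for understanding what the sample tested and for reproducing its decision on an image during analysis.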
Experts pointed out that the ransomware still infects users in other former USSR republics, because many of them do not use the Russian keyboard layout for political reasons. That is why the authors of the Sigrun ransomware decided to provide the decryption key for free to victims they consider Russian.
“Ukrainian users don’t use Russian layout because of political reasons. So we decided to help them if they were infected,” the Sigrun author told BleepingComputer via email.
“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” The author also told BleepingComputer that the email images shown in its report are not from Sigrun but from another ransomware.
Lawrence Abrams from BleepingComputer spoke with the author of the malware, who told him that he is not from a former USSR republic.
“Finally, the Sigrun developer told us that they are ‘not from former USSR republics. I added it because of my Belarus partners,’” added Abrams.
When Sigrun ransomware is executed on a computer that passes the layout check, it scans the machine for files to encrypt and appends the .sigrun extension to each encrypted file’s name. It also drops two ransom notes, named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html, in every folder containing encrypted files.
Experts noticed that it skips files with certain extensions or filenames, as well as files located in particular folders.
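The two on-disk artifacts above (the .sigrun extension and the per-folder ransom notes) are what an incident responder would sweep for first. The following is an added example, written for this article and not part of the BleepingComputer analysis, that walks a tree and reports encrypted files, folders holding notes, and the two mismatches worth a second look: folders with encrypted files but no note (the note drop failed or was cleaned up) and folders with a note but nothing encrypted (everything there matched an exclusion, or the note was copied). The directory layout it builds is constructed for demonstration, not taken from a real infection.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

ENCRYPTED_EXT = ".sigrun"
RANSOM_NOTES = {"RESTORE-SIGRUN.txt", "RESTORE-SIGRUN.html"}


def scan_for_sigrun(root) -> Dict[str, List[str]]:
    """Sweep `root` for Sigrun artifacts and return paths relative to it."""
    root = Path(root)
    encrypted: List[Path] = []
    note_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(here / name)
            elif name in RANSOM_NOTES:   # exact names as dropped by the sample
                note_dirs.add(here)
    enc_dirs = {p.parent for p in encrypted}

    def rel(paths):
        return sorted(str(p.relative_to(root)).replace(os.sep, "/") for p in paths)

    return {
        "encrypted_files": rel(encrypted),
        "note_dirs": rel(note_dirs),
        "encrypted_without_note": rel(enc_dirs - note_dirs),
        "note_without_encrypted": rel(note_dirs - enc_dirs),
    }


def build_sample_tree(root) -> None:
    """Constructed sample tree (not a real infection) exercising each case."""
    layout = {
        "docs/report.docx.sigrun": b"\x00" * 16,
        "docs/RESTORE-SIGRUN.txt": b"note",
        "docs/RESTORE-SIGRUN.html": b"<html>note</html>",
        "photos/trip.jpg.sigrun": b"\x00" * 16,
        "photos/RESTORE-SIGRUN.txt": b"note",
        "photos/readme.txt": b"untouched",          # skipped by filename/extension rule
        "temp/cache.db.sigrun": b"\x00" * 16,       # encrypted, but no note dropped
        "desktop/RESTORE-SIGRUN.txt": b"note",      # note dropped, nothing encrypted
        "windows_like/system.dll": b"untouched",    # excluded folder left alone
    }
    for rel_path, data in layout.items():
        target = Path(root) / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_sigrun(tmp)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}:")
        for p in paths:
            print("   ", p)
```

On a real host the sweep should run over every fixed volume and mapped share, and the counts feed directly into scoping: the number of affected folders tells you how far the encryption ran before the process died or was killed.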
“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.
Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.
(Security Affairs – cybercrime, Sigrun Ransomware)