Malware

The author of the Sigrun Ransomware decrypts Russian victims’ files for free

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, others have to pay a ransom of $2,500 worth of Bitcoin or Dash for the victims.

We have reported several cases where Russian malware authors avoid infecting computers in their country, but the case we are going to discuss is interesting too.

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while the malware demands the payment of a ransom of $2,500 worth of Bitcoin or Dash for the victims.

The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.

The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout, this behavior allows Russian vxers to avoid the response of local authorities.

When Sigrun ransomware is executed, it will first check “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine if it is set to the Russian layout. If the machine is using a Russian layout, it will not encrypt its files and delete itself.

Experts pointed out that the ransomware also infects users in the former USSR Republics because many of them don’t use the Russian keyboard layout for political reason. For this reason, the authors of the Sigrun ransomware decided to provide for free the decryption key to Russian victims.

“Ukranian users don’t use russian layout because of political reasons. So we decided to help them if they was infected,” the Sigrun author told BleepingComputer via email. 

“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.

Lawrence Abrams from BleepingComputer has spoken with the author of the malware that told him that he isn’t from former USSR republics.

“Finally, the Sigrun developer told us that they are “not from former USSR republics. I added it because of my Belarus partners.” added Abrams.

When Sigrun ransomware is executed on a computer, it will scan a computer for files to encrypt, when it encrypts a file it will append the .sigrun extension to the encrypted file’s name.  The malware creates two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each folder containing encrypted files.

Experts noticed that it doesn’t encrypt files that match certain extensions, filenames, or that are located in particular folders.

The ransom notes include information on the infection and payment instructions.

“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.

Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cybercrime, Sigrun Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

CVE-2024-44243 macOS flaw allows persistent malware installation

Microsoft disclosed details of a vulnerability in Apple macOS that could have allowed an attacker…

34 minutes ago

FBI deleted China-linked PlugX malware from over 4,200 US computers

The FBI has removed Chinese PlugX malware from over 4,200 computers in networks across the…

13 hours ago

Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware

Russia-linked threat actor UAC-0063 targets Kazakhstan to gather economic and political intelligence in Central Asia.…

19 hours ago

A new campaign is likely targeting a zero-day in Fortinet FortiGate firewalls<gwmw style="display:none;"></gwmw>

Experts warn of a new campaign targeting an alleged zero-day in Fortinet FortiGate firewalls with…

23 hours ago

Threat actors exploit Aviatrix Controller flaw to deploy backdoors and cryptocurrency miners

A critical vulnerability in Aviatrix Controller is actively exploited to deploy backdoors and cryptocurrency miners…

1 day ago

U.S. CISA adds BeyondTrust PRA and RS and Qlik Sense flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust PRA and RS and Qlik Sense…

2 days ago

This website uses cookies.