
Sigma Ransomware

Posted: November 10, 2017

Threat Metric

Threat Level: 1/10
Infected PCs: 91
First Seen: March 27, 2019
Last Seen: April 12, 2022
OS(es) Affected: Windows

The Sigma Ransomware is a Trojan that blocks access to the user's files by encrypting them so that its operators can sell a decryption tool to the victims. Expected symptoms of a Sigma Ransomware attack include cosmetic changes to the Windows desktop and several text-based ransom messages that support the extortion attempt. Although malware experts can't confirm whether any third-party decryption software is compatible with this threat, users should avoid paying the ransom and remove the Sigma Ransomware with appropriate anti-malware products.

The Greek Alphabet Turns to Ransoming Files

Another Trojan is starting its own campaign of holding files for ransom, combining the two usual features of automatic encryption and simple ransom-note display. Although malware experts can't verify that the Sigma Ransomware belongs to a family such as Hidden Tear or the Jigsaw Ransomware, its payload isn't highly innovative and produces the symptoms anyone would expect from similar threats. Spam e-mails are, as is the norm, the infection vector responsible for delivering this Trojan to vulnerable PCs.

After the victim opens the corrupted e-mail attachment, the Sigma Ransomware installs itself in a way that lets it start automatically with Windows as a background process. The Sigma Ransomware then searches local directories for files that it can encrypt with an RSA-based algorithm, which is intended to prevent the victim's documents and media from opening. Unlike similar threats, malware experts note that the Sigma Ransomware appends a semi-random, four-character extension to the names of these files instead of a fixed string (such as the common '.locked' or '.encrypted').

The Sigma Ransomware gives the user several avenues for reading its ransom message, including a desktop wallpaper, a local Web page, and a text file. All of these instructions demand that the victim visit the Sigma Ransomware's TOR website for further assistance in paying a ransom for the file-unlocking solution. One detail that sets the Sigma Ransomware apart from competing Trojans is its customer ID: instead of generating a unique number, it uses the default Windows GUID.

Taking Your Computer Back from Cybercrooks

With a well-developed website and Bitcoin payment demands of thousands of dollars, the Sigma Ransomware is particularly suited to targeting business entities. Its spam e-mail infection method is equally appropriate for such targeted attacks against for-profit organizations, and users should expect the Sigma Ransomware's installers to disguise themselves as legitimate workplace documents. Once on the PC, different versions of the Sigma Ransomware have been seen by malware analysts hiding their executables under various labels, including ones claiming that the Trojan is the Svchost.exe Windows component or a bootable USB tool.

Because RSA-based cryptography typically can't be broken by third-party decoding, malware analysts advise users with any non-disposable data to keep spare copies of their work on separate backup devices as a reliable recovery solution. Paying Bitcoin ransoms to this Trojan's authors may or may not give the victim the ability to decode and unlock their files. However, a clear majority of anti-malware products should delete the Sigma Ransomware automatically, despite the code obfuscation and anti-sandbox measures present in this threat.

The Sigma Ransomware's campaign is a balanced but not particularly creative one that's likely to make significant profits from relatively few targets holding high-value data worth blocking. The more important your files are to you, the more necessary it is to keep hidden Trojans like the Sigma Ransomware from taking control of them indirectly.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: 4.5.0_Smart_ActiveX_Errors_Fixer_Pro_Setup.exe
Size: 4.51 MB (4518384 bytes)
MD5: 6c56edb444a5b6b12703ef82dbc18ae5
Detection count: 47
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\Desktop\Downloads\4.5.0_Smart_ActiveX_Errors_Fixer_Pro_Setup.exe
Group: Malware file
Last Updated: December 28, 2022
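The two observable traits this page describes, the MD5 of the dropped executable listed above and the semi-random four-character extension appended to encrypted files, can be turned into a simple defensive sweep of a directory tree. The script below is an added example written for this page, not code from the page's author or from any vendor product. The MD5 value is the one from the file listing; everything else (the sample files, the list of "normal" document extensions, the `k3q9` suffix) is constructed for the demonstration, and the extension heuristic is an assumption about how the renaming looks on disk rather than something the page states in detail.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5 of the dropped executable, taken from the page's file listing.
KNOWN_BAD_MD5 = {"6c56edb444a5b6b12703ef82dbc18ae5"}

# Constructed list of ordinary document/media extensions a user's files
# would normally carry before the Trojan renames them.
COMMON_DOC_EXTS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
    "txt", "jpg", "jpeg", "png", "zip", "csv",
}

# Assumed shape of the renaming: a four-character alphanumeric suffix
# appended after the file's real extension, e.g. "report.docx.k3q9".
APPENDED_EXT_RE = re.compile(r"\.([A-Za-z0-9]{4})$")


def md5_of(path):
    """Hash a file in chunks so large files don't need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_renamed_by_sigma(filename):
    """True when a known document extension is followed by an extra
    four-character suffix that is not itself a known extension."""
    match = APPENDED_EXT_RE.search(filename)
    if not match:
        return False
    stem = filename[: match.start()]
    if "." not in stem:
        return False            # e.g. "report.docx": the 4 chars *are* the extension
    base_ext = stem.rsplit(".", 1)[-1].lower()
    return base_ext in COMMON_DOC_EXTS and match.group(1).lower() not in COMMON_DOC_EXTS


def scan_tree(root, bad_hashes=KNOWN_BAD_MD5):
    """Walk `root` and report IoC hash matches and suspiciously renamed files."""
    hash_hits, renamed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_renamed_by_sigma(name):
                renamed.append(full)
            if md5_of(full) in bad_hashes:
                hash_hits.append(full)
    return {"hash_hits": hash_hits, "renamed_files": renamed}


def demo():
    """Build a constructed sample tree and scan it.

    The 'dropper' file's content is made up; its hash is added to the IoC set
    only so the hash-matching path is exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="sigma_demo_"))
    (root / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
    (root / "notes.txt").write_bytes(b"constructed notes")
    (root / "archive.tar.gz").write_bytes(b"constructed archive")
    (root / "report.docx.k3q9").write_bytes(b"constructed ciphertext")
    dropper = root / "fake_dropper.exe"
    dropper.write_bytes(b"constructed dropper bytes, not real malware")
    iocs = KNOWN_BAD_MD5 | {md5_of(dropper)}
    return scan_tree(root, iocs)


if __name__ == "__main__":
    result = demo()
    for path in result["hash_hits"]:
        print("IoC hash match:", path)
    for path in result["renamed_files"]:
        print("Possible Sigma-renamed file:", path)
```

On a real system you would point `scan_tree` at user profile directories rather than the temporary tree `demo` builds; a single hash match or a cluster of renamed documents is the signal to isolate the host and restore from the offline backups the article recommends.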