Sigma Ransomware Help & Support Topic (ReadMe.txt & ReadMe.html)


35 replies to this topic

#1 Grinler (Lawrence Abrams, Admin, 43,463 posts)

Posted 12 March 2018 - 04:13 PM

This topic is to help those who are infected with the Sigma Ransomware. Sigma Ransomware is currently being distributed using malspam campaigns that pretend to be emails from Craigslist.
 
When infected, the encrypted files will not have their extension changed, but a ransom note named ReadMe.html and ReadMe.txt will be created.
 
More information about Sigma Ransomware can be found here: Sigma Ransomware Being Distributed Using Fake Craigslist Malspam
 
Below is an image of their support site:

[Image: payment-portal.jpg]




#2 tessinnerview (Members, 1 post)

Posted 14 March 2018 - 07:56 AM

Unfortunately, I saw this post too late. We posted an ad for a truck driver on Craigslist and received an email with a Word doc resume supposedly attached, and, well, the rest is exactly as described above. I have Carbonite backup on my computer and can restore files, but how do I know that I have removed the problem executable and virus? This is way out of my element, so any information you can provide is appreciated.



#3 Xagon (Members, 4 posts)

Posted 14 March 2018 - 09:16 PM

So, a friend of mine has been infected with this Sigma ransomware, and paid the ransom. Successfully.

 

Problem is, their decrypter doesn't work properly. It generates a file list with associated AES keys, but crashes during the decryption process.

 

The text file has a number of lines of the following format. According to the program, the string at the end is an AES key.

 

C:\Exact\Filepath\File.doc,aHR8MxmO5lv8Ne6D1ihtJuydqnEFSU4k

 

What can I effectively do with this information?



#4 hillage (Members, 10 posts)

Posted 14 March 2018 - 10:07 PM

Spreading the knowledge... 

Paid and received RSA key and decryptor. Decryptor effectively generates filelist and AES keys, decrypts fine until it hits a read-only file, then crashes. File and key list are accurate. In touch with some better programmers than myself in hopes that a better fix can be made, and hopefully a free decrypter.



#5 Grooty (Members, 7 posts)

Posted 15 March 2018 - 08:27 AM

So thanks to the information on this site I was able to retrieve the file with the instructions on how to get the money for the ransom. It's $400, which is a lot of money, but I have no choice. I do have some questions.

I created the wallet as per instructions and I found a Bitcoin ATM about 3 blocks from my office. I downloaded the app on my phone so I had the scanner code and even went to the ATM and started the process, but at the ATM I kept reading about all the Bitcoin scams and I stopped the process.

1. Is it assured that if I get the Bitcoins to them that I will get a decrypter file? I can't lose the $400.

2. Is it a simple matter to decrypt all the files? Does the decrypter go through all the data and decrypt or will it be a manual nightmare?

3. After the decryption, does this guarantee the files to be clean? Is there anything hidden that will recrypt the files in 30 days?

4. After the decryption can I safely back up the entire computer, send the files to a cloud backup without worry about them still being infected somehow?

 

Thank you as your answers will help me.



#6 Xagon (Members, 4 posts)

Posted 15 March 2018 - 01:32 PM

I've made some progress with this ransomware decryptor. It doesn't like empty (0kb) files, filenames with weird characters in front (~$, -, . etc), and seems to randomly not like certain files including a small txt file.

 

Additionally it doesn't like network drives, saying to contact Sigma support for assistance.

 

My success with the program has been to use it along with procmon, wait until it crashes, and remove/rename the offending file.


Edited by Xagon, 15 March 2018 - 01:33 PM.


#7 hillage (Members, 10 posts)

Posted 15 March 2018 - 02:23 PM

I've made some progress with this ransomware decryptor. It doesn't like empty (0kb) files, filenames with weird characters in front (~$, -, . etc), and seems to randomly not like certain files including a small txt file.

 

Additionally it doesn't like network drives, saying to contact Sigma support for assistance.

 

My success with the program has been to use it along with procmon, wait until it crashes, and remove/rename the offending file.

 

When I specifically ran the exe as admin I no longer received the error message in regards to network drives. That being said, I have no idea if that makes a difference. 

 

I DID put in a message on their ticketing system and received a reply. Hopefully our captives provide us some tech support  :lmao:



#8 hillage (Members, 10 posts)

Posted 15 March 2018 - 02:45 PM

It appears running the program more than once will "decrypt" the files more than once. Files that should have been decrypted are still not opening.

 

Edit: New Decryption .exe uploaded to same download link. Works better, still crashes on some instances but it made it through the process on 3 runs for me. Number of files went down significantly each run. Give it a try.


Edited by hillage, 15 March 2018 - 03:18 PM.
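Editor's note (added example, not a post from this thread and not the vendor's tool): posts #3, #4, #6 and #8 above describe a file list in the form "<full path>,<key>" and several conditions that make the decryptor crash or misbehave (zero-byte files, names starting with ~$, - or ., read-only files, network paths, and running it twice over the same files). The script below parses that list format and flags those conditions before a run, so the files can be renamed, moved or have the read-only attribute cleared first. All paths, key strings and metadata in it are constructed; the reason strings and prefix list are the editor's own, derived from the posts.

```python
"""Pre-flight triage for a decryptor file list in the "<full path>,<key>" line
format shown in this thread. Flags the conditions posters report as crashing
the vendor tool so those files can be dealt with before a run.
Editor-added example; not the vendor's tool and not from any post."""
import os
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Leading characters the posts say the decryptor rejects (~$, -, .).
BAD_PREFIXES = ("~$", "-", ".")

# Reason strings reported per file (editor's wording).
R_PREFIX = "leading character the decryptor rejects"
R_UNC = "UNC network path"
R_DUP = "duplicate path in list"
R_MISSING = "not found on disk"
R_EMPTY = "zero-byte file"
R_RO = "read-only attribute set"

# Constructed sample file list; every path and key string here is made up.
SAMPLE_FILELIST = "\r\n".join([
    r"C:\Users\alice\Documents\report.doc,Q2h9tX7k0pLm3nBv5cXz8aSd1fGh4jKl",
    r"C:\Users\alice\Documents\~$report.doc,Zx1cV2bN3mA4sD5fG6hJ7kL8qW9eR0tY",
    r"C:\Users\alice\Desktop\empty.txt,Lk9jH8gF7dS6aP5oI4uY3tR2eW1qZx0c",
    r"C:\Users\alice\Pictures\photo,bad.jpg,Mn1bV2cX3zL4kJ5hG6fD7sA8pO9iU0yT",
    r"\\fileserver\share\budget.xlsx,Pq7wE6rT5yU4iO3pA2sD1fG0hJ9kL8zX",
    r"C:\Users\alice\Documents\report.doc,Q2h9tX7k0pLm3nBv5cXz8aSd1fGh4jKl",
])

# Constructed metadata standing in for os.stat() so the example runs offline:
# path -> (size in bytes, read-only?)
FAKE_META: Dict[str, Tuple[int, bool]] = {
    r"C:\Users\alice\Documents\report.doc": (40960, False),
    r"C:\Users\alice\Documents\~$report.doc": (162, False),
    r"C:\Users\alice\Desktop\empty.txt": (0, True),
    r"C:\Users\alice\Pictures\photo,bad.jpg": (2_097_152, True),
    r"\\fileserver\share\budget.xlsx": (10240, False),
}

Meta = Callable[[str], Optional[Tuple[int, bool]]]


def parse_filelist(text: str) -> List[Tuple[str, str]]:
    """Split each non-empty line at its LAST comma: a Windows path may itself
    contain commas, while the key string (as posted) does not."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, sep, key = line.rpartition(",")
        if not sep or not path or not key:
            raise ValueError(f"malformed entry: {line!r}")
        entries.append((path, key))
    return entries


def real_meta(path: str) -> Optional[Tuple[int, bool]]:
    """Size and read-only flag from the live filesystem; None if missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    read_only = not (st.st_mode & stat.S_IWUSR)
    # Windows exposes the attribute bits too; getattr keeps this portable.
    attrs = getattr(st, "st_file_attributes", 0)
    read_only = read_only or bool(attrs & getattr(stat, "FILE_ATTRIBUTE_READONLY", 0))
    return st.st_size, read_only


def triage(entries: List[Tuple[str, str]], meta: Meta = real_meta) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries likely to trip the decryptor.
    Entries with no findings are left out, so an empty dict means 'go ahead'."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for path, _key in entries:
        reasons: List[str] = []
        name = os.path.basename(path.replace("\\", "/"))
        if name.startswith(BAD_PREFIXES):
            reasons.append(R_PREFIX)
        if path.startswith("\\\\"):
            reasons.append(R_UNC)
        if path in seen:
            reasons.append(R_DUP)
        seen.add(path)
        m = meta(path)
        if m is None:
            reasons.append(R_MISSING)
        else:
            size, read_only = m
            if size == 0:
                reasons.append(R_EMPTY)
            if read_only:
                reasons.append(R_RO)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed list; swap in real_meta and the real
    # list file to check an actual run.
    for path, reasons in triage(parse_filelist(SAMPLE_FILELIST), FAKE_META.get).items():
        print(f"{path}: {'; '.join(reasons)}")
```

On a real machine, read the decryptor's list from disk and call triage() with the default real_meta; every flagged file should be renamed, moved off a network share, or have its read-only attribute cleared before starting the decryptor, and the list should be deduplicated so nothing is processed twice.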


#9 Xagon (Members, 4 posts)

Posted 15 March 2018 - 04:35 PM

So thanks to the information on this site I was able to retrieve the file with the instructions on how to get the money for the ransom. It's $400, which is a lot of money, but I have no choice. I do have some questions.

I created the wallet as per instructions and I found a Bitcoin ATM about 3 blocks from my office. I downloaded the app on my phone so I had the scanner code and even went to the ATM and started the process, but at the ATM I kept reading about all the Bitcoin scams and I stopped the process.

1. Is it assured that if I get the Bitcoins to them that I will get a decrypter file? I can't lose the $400.

2. Is it a simple matter to decrypt all the files? Does the decrypter go through all the data and decrypt or will it be a manual nightmare?

3. After the decryption, does this guarantee the files to be clean? Is there anything hidden that will recrypt the files in 30 days?

4. After the decryption can I safely back up the entire computer, send the files to a cloud backup without worry about them still being infected somehow?

 

Thank you as your answers will help me.

1. You will likely get a decrypter file from this specific ransomware "vendor"

2. It is not a simple matter to decrypt the files. They get hung up on certain things such as weird filenames or folder names. It's a manual nightmare...

3. Not necessarily.

4. Not necessarily.



#10 hillage (Members, 10 posts)

Posted 15 March 2018 - 07:40 PM

So thanks to the information on this site I was able to retrieve the file with the instructions on how to get the money for the ransom. It's $400, which is a lot of money, but I have no choice. I do have some questions.

I created the wallet as per instructions and I found a Bitcoin ATM about 3 blocks from my office. I downloaded the app on my phone so I had the scanner code and even went to the ATM and started the process, but at the ATM I kept reading about all the Bitcoin scams and I stopped the process.

1. Is it assured that if I get the Bitcoins to them that I will get a decrypter file? I can't lose the $400.

2. Is it a simple matter to decrypt all the files? Does the decrypter go through all the data and decrypt or will it be a manual nightmare?

3. After the decryption, does this guarantee the files to be clean? Is there anything hidden that will recrypt the files in 30 days?

4. After the decryption can I safely back up the entire computer, send the files to a cloud backup without worry about them still being infected somehow?

 

Thank you as your answers will help me.

I'll add my 2 cents as well:

1. So far they've been giving up the decrypter and RSA key.

2. The program was having issues but it appears they are actively working on fixing bugs. I've been reporting errors with info as needed via the ticketing system and 'Sigma' has been responsive. In the end I think we all want everything decrypted without issues, as this is still a business to them.

3. No, but from what I see the files are indeed clean. Your best bet would be to run multiple scans with multiple programs to ensure the original infection is gone.

4. Again, scan the files, but you SHOULD be ok. My personal plan is to back up all documents to an external drive and fresh reinstall Windows. The initial infection was a Word doc that downloaded a .exe payload.


Edited by hillage, 15 March 2018 - 07:40 PM.


#11 hateway (Members, 158 posts)

Posted 19 March 2018 - 09:15 AM

I was redirected here by a moderator from a post I entered on Saturday. So as it stands, we should go ahead and pay the $400 now before the price jumps and monkey with the decryptor tool while it crashes to try to retrieve our files?



#12 kukumber (Members, 14 posts)

Posted 19 March 2018 - 09:31 AM

Are there any indications that the attacker knows the identity of the victim?



#13 Grooty (Members, 7 posts)

Posted 19 March 2018 - 01:14 PM

I sent the money at about 9am EST and have not received anything yet. The page still says it is waiting. My wallet shows no issues with it moving the money to the account number they told me to use.

Does it take long for me to be able to access the decrypter?



#14 hillage (Members, 10 posts)

Posted 19 March 2018 - 01:56 PM

I sent the money at about 9am EST and have not received anything yet. The page still says it is waiting. My wallet shows no issues with it moving the money to the account number they told me to use.

Does it take long for me to be able to access the decrypter?

 

You may have to click on "live chat" and create a ticket letting them know you paid. They claim it is "automated" but I think they manually change your status on the backend.


Edited by hillage, 19 March 2018 - 01:57 PM.


#15 hillage (Members, 10 posts)

Posted 19 March 2018 - 01:59 PM

I was redirected here by a moderator from a post I entered on Saturday. So as it stands, we should go ahead and pay the $400 now before the price jumps and monkey with the decryptor tool while it crashes to try to retrieve our files?

 

So far it seems you can pay with confidence. I'm not sure if they've pushed out more updates; however, when I ran the latest version at that time it only crashed on 0 byte files. A simple restart of the program then resumed from that point.

Note: I'd like to know if others had the same issue, but a few of my files seem to have some degradation, e.g. color overlays on parts of pictures. Perhaps the decryption isn't perfect.





