Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password-protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on the recipient's computer.
The emails pretend to be responses to short-term job postings on Craigslist called Gigs. Similar to a previous Sigma malspam campaign that pretended to be resumes, these emails contain malicious password-protected Word or RTF documents that supposedly contain information about the respondent.
When a recipient opens the attachment and enters the password, they will be presented with a screen that asks them to enable the content in the document.
Once the Enable Content button is pressed, an embedded VBA script is launched that downloads and installs the Sigma Ransomware onto the machine. It does this by downloading a password-protected RAR file, extracting it into the %Temp% folder, and then launching the extracted svchost.exe. That svchost.exe is the ransomware executable, which then begins encrypting the computer.
An example of a cleaned up version of this script can be seen below.
Once the ransomware is installed, it will begin to encrypt the files on the victim's computer. Unlike most ransomware, it does not append a new extension to encrypted files; instead, each encrypted file carries a file marker and what appears to be an encrypted key appended at the bottom.
While encrypting the computer, Sigma will create ransom notes named ReadMe.txt in each folder in which a file was encrypted.
These ransom notes will provide information about how to connect to the ransomware's TOR payment site and receive payment instructions. This site is shown below.
This payment portal also includes a site where victims can create "support" tickets if they need help. I did not test the functionality or responsiveness of this support method.
For those who are infected with the Sigma Ransomware, there is currently no way to decrypt files for free. If you need assistance in removing the infection or would like to discuss the ransomware, you can use our dedicated Sigma Ransomware Help & Support topic.
The text of the ReadMe.txt ransom note is:

What has happened to my files ? Why i am seeing this ?
All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly. It does NOT mean they are damaged.

Solution
Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decrypter along with your private key , once you run that , All of your files will be unlocked and back to normal. So there are 2 ways to do this either you wait for a miracle and get your price doubled or follow instructions below carefully and get back your all important files.

Payment procedure
First try to open decrypter page in normal browser http://yowl2ugopitfzzwb.onion.link
Wait a few seconds, and site will open then enter your GUID mentioned below and process.
660F187B8C71F670E76F70C7EDAFE4E7

If you failed to open links in normal browsers Download a special browser called "TOR browser" and then open the given below link. Steps for the same are -
1. Go to https://www.torproject.org/download/download-easy.html.en to download the "TOR Browser".
2. Click the purple button which says "Download TOR Browser"
3. Run the downloaded file, and install it.
4. Once installation is completed, run the TOR browser by clicking the icon on Desktop.
5. Now click "Connect button", wait a few seconds, and the TOR browser will open.
6. Copy and paste the below link in the address bar of the TOR browser. http://yowl2ugopitfzzwb.onion/ Now HIT "Enter"
7. Wait a few seconds, and site will open then enter your GUID mentioned below and process.
660F187B8C71F670E76F70C7EDAFE4E7

If you have problems during installation or use of Tor Browser, please, visit Youtube and search for "Install Tor Browser Windows" and you will find a lot of videos.
Files associated with the Sigma Ransomware:

ReadMe.txt
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Data\Tor\geoip
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Data\Tor\geoip6
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\test1.bmp
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\libeay32.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\libevent-2-0-5.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\libevent_core-2-0-5.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\libevent_extra-2-0-5.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\libgcc_s_sjlj-1.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\libssp-0.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\ssleay32.dll
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\svchost.exe
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\tor-gencert.exe
%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\Tor\zlib1.dll
%UserProfile%\AppData\Roaming\tor\cached-certs
%UserProfile%\AppData\Roaming\tor\cached-microdesc-consensus
%UserProfile%\AppData\Roaming\tor\cached-microdescs.new
%UserProfile%\AppData\Roaming\tor\lock
%UserProfile%\AppData\Roaming\tor\state
%UserProfile%\Desktop\ReadMe.html
Registry entries associated with the Sigma Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\chrome
    Rundll32.exe SHELL32.DLL,ShellExec_RunDLL %UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\taskwgr.exe -p252589
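As an added example (not the campaign's script and not code from the article), the following detection logic turns the two behaviours described above into rules over process-creation telemetry: the macro chain that launches svchost.exe from %Temp% rather than System32, and the HKCU Run-key persistence that uses Rundll32 ShellExec_RunDLL to start a binary under AppData\Roaming. The event dictionaries are constructed, Sysmon-like records, not real logs; the field names and paths are assumptions.

```python
import re

# Legitimate svchost.exe locations; %Temp% and AppData paths are user-writable.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|temp)\\", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def check_run_value(value):
    """True if a Run-key value (or command line) uses ShellExec_RunDLL to start a binary from AppData/Temp."""
    v = value.lower()
    return "shellexec_rundll" in v and USER_WRITABLE.search(v) is not None

def check_process_event(event):
    """Return the list of rules a single process-creation event triggers."""
    image = event.get("Image", "").lower()
    exe = image.rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "").lower()
    reasons = []
    # Rule 1: svchost.exe running from anywhere but the Windows system directories.
    if exe == "svchost.exe" and not image.startswith(LEGIT_SVCHOST_DIRS):
        reasons.append("svchost.exe executing outside System32/SysWOW64")
    # Rule 2: an Office process (the macro host) spawning a binary from a user-writable path.
    if parent in OFFICE_PARENTS and USER_WRITABLE.search(image):
        reasons.append(f"{parent} spawned a binary from a user-writable path")
    # Rule 3: the Rundll32 ShellExec_RunDLL persistence pattern from the Run key.
    if check_run_value(cmdline):
        reasons.append("Rundll32 ShellExec_RunDLL launching a binary from AppData/Temp")
    return reasons

def scan(events):
    """Map event index -> triggered rules for every event that fires at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := check_process_event(e))}

# Constructed sample events (not real telemetry): a benign svchost, a Word-spawned
# svchost from %Temp%, and a rundll32 launch matching the Run-key value above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\svchost.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "
                    r"%UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\taskwgr.exe -p252589"},
]
```

Running scan(SAMPLE_EVENTS) flags events 1 and 2 only: the benign System32 svchost.exe passes, the %Temp% copy trips rules 1 and 2, and the rundll32 launch trips rule 3. check_run_value can be applied directly to Run-key values exported from HKCU.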