Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.

The emails pretend to be responses to short term job postings on Craigslist called Gigs. Similar to a previous Sigma malspam campaign that pretended to be resumes, these emails contain malicious password protected Word or RTF documents that supposedly contain the information regarding the respondent. 

Malspam Email
Malspam Email

When a recipient opens the attachment and enters the password, they will be presented with a screen that asks them to enable the content in the document.

Enable Content Button
Enable Content Button

Once the enable content button is pressed, an embedded VBA script will be launched that downloads and installs the Sigma Ransomware onto the machine. It does this by downloading a password protected RAR file, extracting it into the %Temp% folder, and then launching the extracted svchost.exe file. The svchost.exe is the ransomware executable that will begin encrypting the computer.

An example of a cleaned up version of this script can be seen  below.

Cleanup Installer Script
Cleanup Installer Script

Once the ransomware is installed, it will begin to encrypt the files on a victim's computer. These files will not have a new extension appended to them like most ransomware, but will include a file marker and what appears to be an encrypted key at the bottom of each file.

Encrypted File
Encrypted File

While encrypting the computer, Sigma will create ransom notes named ReadMe.txt in each folder that a file was encrypted.

Ransom Note Part 1
Ransom Note Part 1
Ransom Note Part 1
Ransom Note Part 2

These ransom notes will provide information about how to connect to the ransomware's TOR payment site and receive payment instructions. This site is shown below.

Sigma Ransomware TOR Payment Portal
Sigma Ransomware TOR Payment Portal

This payment portal also includes a site where victims can create "support" tickets if they need help.  I did not test the functionality or responsiveness of this support method.

For those who are infected with the Sigma Ransomware, there is currently no way to decrypt files for free. If you need assistance in removing the infection or would like to discuss the ransomware, you can use our dedicated Sigma Ransomware Help & Support topic.

Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files




Ransom Note:

What has happened to my files ? Why i am seeing this ?
All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly.   It does NOT mean they are damaged. 

Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decrypter along with your private key , once you run that , All of your files will be unlocked and back to normal.

So there are 2 ways to do this either you wait for a miracle and get your price doubled or follow instructions below carefully and get back your all important files.

Payment procedure
First try to open decrypter page in normal browser

Wait a few seconds, and site will open then enter your GUID mentioned below and process. 


If you failed to open links in normal browsers
Download a special browser called "TOR browser" and then open the given below link. Steps for the same are - 

1. Go to to download the "TOR Browser". 
2. Click the purple button which says "Download TOR Browser" 
3. Run the downloaded file, and install it. 
4. Once installation is completed, run the TOR browser by clicking the icon on Desktop. 
5. Now click "Connect button", wait a few seconds, and the TOR browser will open. 
6. Copy and paste the below link in the address bar of the TOR browser.


Now HIT "Enter"

7. Wait a few seconds, and site will open then enter your GUID mentioned below and process. 


If you have problems during installation or use of Tor Browser, please, visit Youtube and search for "Install Tor Browser Windows" and you will find a lot of videos.

Network Communication:

Associated Files:


Associated Registry Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\chrome	Rundll32.exe SHELL32.DLL,ShellExec_RunDLL %UserProfile%\AppData\Roaming\Microsoft\660F187B8C71F670E76F70C7EDAFE4E7\taskwgr.exe -p252589