The author of the Sigrun Ransomware is providing decryption for Russian victims for free, while asking for a ransom payment of $2,500 in Bitcoin or Dash for everyone else. It is not uncommon for Russian ransomware developers to purposely avoid targeting Russian citizens and to outwardly help such victims for free.
This was first reported by Alex Svirid, a security researcher who is known for analyzing ransomware for weaknesses, who shared his discovery on Twitter.
Sigrun Ransomware author free decrypt files for users from some countries former USSR (with Russian primary language) — Alex Svirid (@thyrex2002) May 31, 2018
Malwarebytes security researcher S!Ri then replied to Svirid's tweet showing emails to a ransomware author from both a U.S. based victim and a Russian victim to illustrate this point.
Russian malware developers typically try to avoid infecting Russian victims as they are concerned the authorities won't continue to turn a blind eye as they do when attacking victims from other countries.
Sigrun already tries to avoid Russian victims by detecting the keyboard layout when the ransomware is executed. If it detects a Russian layout, it will not encrypt the computer and will instead delete itself. Unfortunately, not every former USSR republic continues to use the Russian keyboard layout, so users there still get caught by the ransomware.
"Ukrainian users don't use Russian layout because of political reasons. So we decided to help them if they were infected," the Sigrun author told BleepingComputer via email. "We have already added avoiding Ukrainian layout like was in Sage ransomware before." They also told us that the email images above are not from Sigrun but another ransomware.
Finally, the Sigrun developer told us that they are "not from former USSR republics. I added it because of my Belarus partners."
When Sigrun is executed it will first check "HKEY_CURRENT_USER\Keyboard Layout\Preload" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself.
Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders. The files, folders, and file extensions that will be skipped are:
\ProgramData\, \IETldCache\, \Boot\, \Program Files\, \Tor Browser\, \All Users\, \Local Settings\, \Windows\, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, ntldr, NTDETECT.COM, Bootfont.bin, A:\, SQL, .ani, .cab, .cpl, .cur, .diagcab, .diagpkg, .dll, .drv, .hlp, .ldf, .icl, .icns, .ico, .ics, .lnk, .key, .idx, .mod, .mpa, .msc, .msp, .msstyles, .msu, .nomedia, .ocx, .prf, .rom, .rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .exe, .bat, .cmd, .sigrun_key, .sigrun, .admin
When encrypting files it will append the .sigrun extension to the encrypted file's name. For example, the file test.jpg would be encrypted and then renamed to test.jpg.sigrun.
In each folder where a file is encrypted, it will also create two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html. These ransom notes contain information regarding what happened to a victim's files and instructions to email email@example.com for payment instructions.
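For incident scoping, the exclusion list, the .sigrun extension and the two note filenames described above can be turned into a triage routine that classifies a host's file listing. The following is an added example written for this article, not Sigrun's own code; it assumes case-insensitive matching, that the bare "SQL" entry is matched as a substring of the path, and uses a constructed sample listing.

```python
import ntpath
from collections import Counter

# Exclusions as listed in the article (assumed case-insensitive).
SKIP_DIRS = {"programdata", "ietldcache", "boot", "program files", "tor browser",
             "all users", "local settings", "windows"}
SKIP_NAMES = {"desktop.ini", "autorun.inf", "ntuser.dat", "iconcache.db", "bootsect.bak",
              "boot.ini", "ntuser.dat.log", "thumbs.db", "ntldr", "ntdetect.com", "bootfont.bin"}
SKIP_EXTS = {".ani", ".cab", ".cpl", ".cur", ".diagcab", ".diagpkg", ".dll", ".drv", ".hlp",
             ".ldf", ".icl", ".icns", ".ico", ".ics", ".lnk", ".key", ".idx", ".mod", ".mpa",
             ".msc", ".msp", ".msstyles", ".msu", ".nomedia", ".ocx", ".prf", ".rom", ".rtp",
             ".scr", ".shs", ".spl", ".sys", ".theme", ".themepack", ".exe", ".bat", ".cmd",
             ".sigrun_key", ".sigrun", ".admin"}
NOTE_NAMES = {"restore-sigrun.txt", "restore-sigrun.html"}

def would_skip(path: str) -> bool:
    """True if the published exclusion list would leave this file untouched."""
    p = path.lower()
    # The list also names the A: drive and the bare string "SQL"; the
    # substring treatment of "SQL" is an assumption, not stated by the article.
    if p.startswith("a:\\") or "sql" in p:
        return True
    parts = p.split("\\")
    if any(d in SKIP_DIRS for d in parts[:-1]):
        return True
    name = parts[-1]
    return name in SKIP_NAMES or ntpath.splitext(name)[1] in SKIP_EXTS

def triage(paths):
    """Bucket a file listing: notes, already-encrypted, skipped, or still at risk."""
    counts = Counter()
    for path in paths:
        name = path.split("\\")[-1].lower()
        if name in NOTE_NAMES:
            counts["ransom_note"] += 1
        elif name.endswith(".sigrun"):          # test.jpg -> test.jpg.sigrun
            counts["encrypted"] += 1
        elif would_skip(path):
            counts["skipped"] += 1
        else:
            counts["at_risk"] += 1              # plain file the malware would target
    return dict(counts)

# Constructed sample listing, not taken from a real infected host.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\report.docx.sigrun",
    r"C:\Users\bob\Documents\RESTORE-SIGRUN.txt",
    r"C:\Users\bob\Documents\RESTORE-SIGRUN.html",
    r"C:\Users\bob\Pictures\test.jpg",
    r"C:\Users\bob\Desktop\desktop.ini",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Tor Browser\firefox.exe",
]
```

Untouched files in the "at_risk" bucket on a host that also carries notes are worth a closer look, since they suggest encryption was interrupted rather than that the data is safe.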
You can see an example of the Sigrun HTML ransom note below.
At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you.
For those who wish to discuss or receive support for the Sigrun Ransomware, you can use our dedicated Sigrun Ransomware Help & Support Topic in the forums.
In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Update 6/1/18: Added info about checking for Russian keyboard layout and response from Sigrun author.
SIGRUN 1.0 RANSOMWARE
All your important files are encrypted
Your files has been encrypted by sigrun ransomware with unique decryption key.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
We accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.
You have unique idkey (in a yellow frame), write it in letter when contact with us.
Also you can decrypt 3 files for test, its guarantee what we can decrypt your files.
IDKEY: >>> [id_key] <<<
Contact information:
email: firstname.lastname@example.org

~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~
Attention!
All your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun
The only method of recovering files is to purchase a private key.
It is on our server and only we can recover your files.
But don't worry! You still can restore it!
In order to restore it you need to contact with us via e-mail.
-----------------------------------------------
|Our e-mail is: email@example.com|
-----------------------------------------------
As a proof we will decrypt 3 files for free!
Please, attach this to your message: [id_key]