The author of the Sigrun Ransomware is providing decryption for Russian victims for free, while asking for a ransom payment of $2,500 in Bitcoin or Dash for everyone else. It is not uncommon for Russian ransomware developers to purposely avoid targeting Russian citizens and to outwardly help such victims for free.

This was first reported by Alex Svirid, a security researcher known for analyzing ransomware for weaknesses, who shared his discovery on Twitter.

Malwarebytes security researcher S!Ri then replied to Svirid's tweet showing emails to a ransomware author from both a U.S. based victim and a Russian victim to illustrate this point. 

Free Decryption for a Russian Victim
$2,500 Ransom for a U.S. Victim

Russian malware developers typically try to avoid infecting Russian victims as they are concerned the authorities won't continue to turn a blind eye as they do when attacking victims from other countries.

Sigrun already tries to avoid Russian victims by detecting the keyboard layout when the ransomware is executed. If it detects a Russian layout, it will not encrypt the computer and will delete itself. Unfortunately, not every former USSR republic continues to use the Russian keyboard layout, so victims in those countries still get caught by the ransomware.

"Ukrainian users don't use Russian layout because of political reasons. So we decided to help them if they were infected," the Sigrun author told BleepingComputer via email. "We have already added avoiding Ukrainian layout like was in Sage ransomware before." They also told us that the email images above are not from Sigrun but another ransomware.

Finally, the Sigrun developer told us that they are "not from former USSR republics. I added it because of my Belarus partners."

How Sigrun encrypts a computer

When Sigrun is executed it will first check "HKEY_CURRENT_USER\Keyboard Layout\Preload" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself.

Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders. The files, folders, and file extensions that will be skipped are:

\ProgramData\, \IETldCache\, \Boot\, \Program Files\, \Tor Browser\, \All Users\, \Local Settings\, \Windows\, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, ntldr, NTDETECT.COM, Bootfont.bin, A:\, SQL, .ani, .cab, .cpl, .cur, .diagcab, .diagpkg, .dll, .drv, .hlp, .ldf, .icl, .icns, .ico, .ics, .lnk, .key, .idx, .mod, .mpa, .msc, .msp, .msstyles, .msu, .nomedia, .ocx, .prf, .rom, .rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .exe, .bat, .cmd, .sigrun_key, .sigrun, .admin

When encrypting files it will append the .sigrun extension to the encrypted file's name. For example, the file test.jpg would be encrypted and then renamed to test.jpg.sigrun. 

Folder of Encrypted Sigrun Files

In each folder where a file is encrypted, it will also create two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html. These ransom notes contain information regarding what happened to a victim's files and instructions to email sigrun_decryptor@protonmail.ch for payment instructions.
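The behaviour described above gives an incident responder two reliable indicators to inventory: the .sigrun suffix appended to encrypted files and the RESTORE-SIGRUN.txt / RESTORE-SIGRUN.html notes dropped per folder. The following triage script is an added example (not the article's code and not part of the ransomware); it walks a directory tree, recovers the original filenames, and reports which folders were touched, using a constructed sample tree so it runs offline.

```python
"""Triage helper: inventory Sigrun-encrypted files and ransom notes (added
example, not the article's code). Uses the article's indicators: the ".sigrun"
suffix on encrypted files and the RESTORE-SIGRUN.txt/.html notes per folder."""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".sigrun"
RANSOM_NOTES = {"RESTORE-SIGRUN.txt", "RESTORE-SIGRUN.html"}


def original_name(encrypted_name):
    """Recover the pre-encryption filename: 'test.jpg.sigrun' -> 'test.jpg'."""
    if not encrypted_name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"not a Sigrun-encrypted name: {encrypted_name}")
    return encrypted_name[:-len(ENCRYPTED_SUFFIX)]


def triage(root):
    """Walk root; map each affected folder to its encrypted originals and notes.
    A folder holding only a note is still reported: the note proves it ran there."""
    report = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name in RANSOM_NOTES:
                report[rel]["notes"].append(name)
            elif name.endswith(ENCRYPTED_SUFFIX):
                report[rel]["encrypted"].append(original_name(name))
    return dict(report)


def build_sample_tree():
    """Constructed sample data resembling a post-infection user profile."""
    root = tempfile.mkdtemp(prefix="sigrun_triage_")
    layout = {
        "Documents": ["report.docx.sigrun", "budget.xlsx.sigrun",
                      "RESTORE-SIGRUN.txt", "RESTORE-SIGRUN.html"],
        "Pictures": ["test.jpg.sigrun", "RESTORE-SIGRUN.txt"],
        "Windows": ["notepad.exe"],  # in Sigrun's skip list, so untouched
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()
    return root


if __name__ == "__main__":
    for folder, found in sorted(triage(build_sample_tree()).items()):
        print(folder, len(found["encrypted"]), "encrypted; notes:", found["notes"])
```

Point `triage()` at a mounted image or a restored user profile to get a per-folder impact list before deciding what to restore from backup.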

You can see an example of the Sigrun HTML ransom note below.

Sigrun HTML Ransom Note

At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you. 

For those who wish to discuss or receive support for the Sigrun Ransomware, you can use our dedicated  in the forums.

How to protect yourself from the Sigrun Ransomware

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you are willing to stick with it, it can have the biggest payoff.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
 

Update 6/1/18: Added info about checking for Russian keyboard layout and response from Sigrun author.

IOCs

Sigrun Hashes:

SHA256: 664b482e22e0f108660cf03fb7d1507d929e8242eb6c5762e577096a50a8cc5b

Filenames associated with the Sigrun Ransomware Variant:

RESTORE-SIGRUN.txt
RESTORE-SIGRUN.html

RESTORE-SIGRUN.html HTML Ransom Note:

SIGRUN 1.0 RANSOMWARE

All your important files are encrypted

Your files has been encrypted by sigrun ransomware with unique decryption key.

There is only one way to get your files back: contact with us, pay, and get decryptor software.

We accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.

You have unique idkey (in a yellow frame), write it in letter when contact with us.

Also you can decrypt 3 files for test, its guarantee what we can decrypt your files.

IDKEY:
>>> [id_key] <<<
Contact information:

email: sigrun_decryptor@protonmail.ch 

RESTORE-SIGRUN.txt Text Ransom Note:

~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~

Attention! 

All your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. 

But don't worry! You still can restore it!

In order to restore it you need to contact with us via e-mail.

-----------------------------------------------
|Our e-mail is: sigrun_decryptor@protonmail.ch|
-----------------------------------------------

As a proof we will decrypt 3 files for free!

Please, attach this to your message:
[id_key]

Emails Associated with the Sigrun Ransomware:

sigrun_decryptor@protonmail.ch