Sigma ransomware has been in circulation around the world since October 2017
However, the attack strategy and targets of this ransomware have constantly been changing. Furthermore, as no one has ever identified the hacker group behind it, there is the possibility that there has not been just one ransomware with the Sigma name. Still, at least two and entirely separate hacker groups could have produced them.
There are a few standard features with the different versions of Sigma ransomware – mainly the type of encryption cipher they all use. However, as these are the two most frequently-used ciphers for ransomware, this is no indication that the versions all came from the same people.
While most ransomware lasts for just a short season of a few months, Sigma keeps going. This ransomware attacks computers running Windows, and it is still a threat. There is every reason to assume that it will reappear in a different guise again and again well into the future.
Where does Sigma ransomware come from?
The latest version of Sigma was discovered in mid-2020, and security researchers noticed similarities with the Shade ransomware. Shade is one of the oldest and longest-running ransomware systems in the world. It mainly attacked victims in Germany, Russia, and Ukraine. The Shade ransom note was written in Russian and English. This pool of victims shows that Shade, and therefore possibly also Sigma, is not from Russia or Ukraine.
Russia is probably the largest producer of ransomware in the world, closely followed by Ukraine. Hackers from those two countries put routines into the launch code of their ransomware that kills execution of the attack if the system language of the infected computer is set to Russian or one of a former Soviet nation (except for the Baltics).
Shade was also known as Troldesh, and Encoder.858, first emerged in 2014, and it shut down in August 2020. With its end of campaign announcement, the hackers controlling the software released 750,000 decryption keys for its remaining victims. Kaspersky Labs produced a free decryptor from this database.
The Shade gang never published or sold the programs for its ransomware suite. So, it is possible that the very similar version of Sigma that began circulating mid-2020 was just a revamped version of Shade. However, Sigma has been known since 2017, so for several years, these two ransomware systems broadcast simultaneously and then were consolidated. Another possibility is that the Shade gang had nothing to do with Sigma ransomware but decided to appropriate its name for a rebrand of its existing ransomware.
How does Sigma ransomware get onto a computer?
Sigma is currently circulated by spam email. In the past, it has also been hidden in downloads from infected websites, where a popup offered a free software package or through download repository sites for free software.
In earlier versions of Sigma ransomware, the spam email attempt masqueraded as an application for a job advertised on Craigslist. The current incarnation is formatted as a warning email from Mastercard, telling the victim that they are being sued to recover a $3,000 unpaid debt. Some versions of Sigma even include the name of the victim in the email.
The credit card email explains more details of the legal action in an attached Word document. On opening the document, a system popup asks the user to enable macros. With that, the infection is released, placing a Trojan on the computer. This, in turn, opens a connection to a command and control server (C&C), downloading the entire ransomware package.
What happens in a Sigma ransomware attack?
The Sigma ransomware system doesn’t trigger encryption straight away. Instead, modules in the package attempt to spread to other computers on the same network by using the remote desktop protocol (RDP).
The RDP system is a native Microsoft service that enables a computer user to access a remote computer and use it locally. This is useful for telecommuting or roaming staff and also for support technicians.
Not all businesses use this system. However, there is often a service active on many PCs that listens for RDP connection requests and accepts them. This service might have been activated unintentionally, or it might require a specific software package. Even if you remove a piece of software, uninstallers only remove the code and registry entries for that package – they don’t research what settings that software changed and reverse them.
RDP can be accessed without a password. However, if a software installer has been set up, the port is probably password protected but with an easy-to-guess and universal passwords, such as password or guest.
The Sigma ransomware will replicate itself around a network, and this phase might last for weeks. Unfortunately, there is no information on how the ransomware decides that enough computers on the network have been compromised before it triggers encryption.
The Sigma encryption process
Sigma ransomware only encrypts data files, so system files and executables are not affected, and the computer will continue to function. The ransomware uses two encryption ciphers. The first of these is AES with a 256-bit key. This encryption transforms each file, using a different key for each file. The name of each compromised file and the encryption key used on it are then written to a file.
AES uses the same key to encrypt and decrypt data. So, getting access to that file will enable the decryption of all encrypted files. The second encryption system used by Sigma ransomware prevents that discovery, however. This is the RSA cipher, used with a 2048-bit key.
The combination of AES for file encryption and RSA for a key locker file is prevalent with ransomware. This is because RSA uses a different key to decrypt data than that used for encryption. Therefore, there is no risk to the strength of the attack if the RSA encryption key is found on the local computer. However, RSA encryption is slow. This is why AES is used for the heavy workload of encrypting all of the files.
While earlier versions of Sigma did not alter the names of encrypted files, the latest version adds an extension of four random characters. So, a file called Expenses.txt would become something like Expenses.txt.gFte.
The Sigma ransom
The Sigma ransomware generates an attack ID. This is included in the ransom note, left on the Desktop as a file called README.txt. The note, with its errors of grammar and punctuation, reads:
What has happened to my files ? Why i am seeing this ? All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly. It does NOT mean they are damaged. Solution Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decyption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decryptor along with your private key , once you run that , All of your files will be unlocked and back to normal.
The note instructs the victim to install a Tor browser and then use that to go to a specific site, which has payment instructions. The ransom note also includes a reference code required in the Tor site to identify the attack.
The ransom is set at $1,000 paid in Bitcoin. That sum doubles to $2,000 if the ransom is not paid within seven days.
Preventing Sigma ransomware attacks
A Sigma attack always starts through user action. So, your main vulnerability to this ransomware lies with your user community—Institute, an information campaign, to dissuade users from opening attachments from unknown sources or downloading free software sites.
You need to check that your RDP ports are either closed or protected by specific rotated passwords that are not initially set by any software that opened the port.
Tools for protection against Sigma ransomware
There are three types of security software that you need to prevent or detect and block Sigma ransomware. These are:
- Next-generation AV to spot unusual behavior on endpoints and shut it down
- A vulnerability manager that includes a port scanner to spot open RDP ports
- Competent backup management software that scans for viruses before uploading files
For three examples of suitable security packages to guard against Sigma ransomware, try the following three tools.
CrowdStrike Falcon Insight includes Falcon Prevent, which is a next-generation antivirus system. First, you install the Prevent module on each endpoint. This will monitor activity, establishing a baseline of normal behavior. If unusual activity occurs, such as the routines of Sigma ransomware, Prevent will shut down those processes and isolate the device from the network to stop the malware from spreading.
What makes Insight better than Falcon Prevent is a cloud-based controller. This acts as a SIEM service, gathering log files and activity reports uploaded by each Falcon Prevent instance. A threat intelligence feed informs the Insight service, and it performs secondary scans of activity by looking through the log files.
Insight passes on threat information between endpoints and also threats identified centrally. Each Prevent instance can carry on working even if the device is disconnected from the network. The endpoint protection extends to remediation actions to stop Sigma ransomware from progressing to its encryption phase.
You can get a 15-day free trial of Falcon Prevent.
ManageEngine Log360 includes a combination of security systems. It is called a threat intelligence platform. The “platform” part of that term doesn’t imply that this is a cloud service because it installs on-premises. Instead, the tool operates as a SIEM by examining all of the log files produced by the equipment and software on your system. This capability isn’t limited to logs generated on Windows computers. It is also able to gather information from Linux systems and cloud services.
The Log360 also analyses and monitors Active Directory. It identifies incorrect or lose permissions structures and then watches the activity on each account. The system is also able to interact with firewalls to gather information and also to block malicious traffic.
The threat detection procedures in Log360 will detect Sigma ransomware activity before it starts its encryption phase. A threat intelligence feed constantly updates the service, so it will know what to look for. The Log360 system will then interact with other services to block Sigma ransomware processes and shut them down.
Log360 installs on Windows and Windows Server There is a free version that is limited to monitoring five devices. The full version can be assessed on a 30-day free trial.
BitDefender GravityZone is a bundle of several security systems. This includes antivirus packages that are deployed at several points on the system, including endpoints. There is also a vulnerability scanner and patch manager in the bundle and a service to scan ports. These systems will block Sigma ransomware from getting on an endpoint and spreading around the network.
The processes of GravityZone aren’t designed just to catch Sigma ransomware. Instead, the service can block all types of malware from causing damage and will continue to be effective whenever new threats emerge.
An essential service in the GravityZone bundle is its backup manager. This scans each file for infection before uploading it. With a safe backup of all of your files, you can safely recover from any ransomware attack without having to pay the ransom.
GravityZone operates as a virtual appliance, and it is available for a one-month free trial.