There are hundreds of ransomware running in the wild, taking over systems and asking for a ransom to unlock the system. Recently, a new ransomware – Sigma is spreading from Russia-based IP addresses along with a variety of social engineering techniques.
Sigma ransomware attacking method
In the present days, email scam is the most efficient and effective ways for baiting victims into traps. Sigma is spreading using malicious spam emails. The email contains a statement coming from “United States District Court” with a malicious attachment.
The email plays with the mind of the target with some emergency strings boasting with fear to increase the curiosity of the victim. There were total 32 Russia-based IP addresses and the attacker registered the specific domain for the campaign.
Sigma working methods
The main spreading method is via spam emails. The attachment contains the ransomware that will infect your system.
The trick is, the email tries to earn trust by password protecting the attachment. This way, it forces the target to believe that the attachment is from an authentic source (from the court), a nice mind game the attacker uses.
If macros are turned off on the victim’s machine, it convinces the users for turning it on for running the malicious VBScript. The script then downloads the original Sigma Ransomware payload from the C&C server and saves it into “%temp” folder. The downloaded mimics “svchost.exe” as a legitimate service process.
In the background, the malware downloads more payloads from the server for more power over the system.
It also follows various clever techniques to hide from detection. It even kills itself if it understands the machine as a virtual machine or sandbox. If there’s no file to encrypt, then the malware also deletes itself. If the location of the victim is within Russia or Ukraine, the malware doesn’t infect as well.
In other scenarios, the malware connects with the C&C server, establishes a Tor connection and encrypts the file in the system.
Then, you’ll see the ransom note and the asking for money to unlock your system.
How to stay secure
If you want to stay secure, you have to be careful not to open file attachments from unknown sources, even if the source seems legitimate. Make sure that the source is real, as a sharp look from the email is enough to identify that it’s a spam.
Recently, security researchers discovered a super powerful spyware called InvisiMole. It’s way more sophisticated and improved than any general spyware in lots of cases. Learn more about InvisiMole.