Sigrun 1.0 Ramsomware spotted

May 25, 2018

The SonicWall Capture Labs Threat Research Team have observed reports of ransomware named Sigrun, after the Norse mythological figure.  As expected, this Trojan encrypts files and demands a ransom for recovery.  To lighten the mood it attempts to play Vivaldi’s The Four Seasons in the background.

 

Infection Cycle:

Upon infection, the Trojan immediately encrypts files on the system.  Encrypted files are given a .sigrun extension.  The following files are dropped into all directories containing encrypted files:

    • RESTORE-SIGRUN.html
    • RESTORE-SIGRUN.txt

RESTORE-SIGRUN.html is displayed and contains the following ransom note :

 

The HTML page also contains code to play Vivaldi’s The Four Seasons in the background:

 

RESTORE-SIGRUN.txt contains the following message:

image-invert

 

We reached out to sigrun_decryptor@protonmail.ch and received the following message:

 

However the $500 ransom quickly grew to 1 BTC ($7550 at the time of writing) in an email received the following day.  Additionally, a threat is made to increase the ransom to 2 BTC if not paid within 24 hours:

 

It seems that the operators may have been successful.  The transaction history of the supplied bitcoin address 1XPYJt98eZDcPfLd57ysaGbc7Lp7pBnFr shows 18 transactions totaling 3.56 BTC so far.  The history also suggests that some form of the malware may have been in effect as early as March 2018:

 

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Sigrun.RSM (Trojan)