Sigma Ransomware is currently distributed via malicious emails masquerading as responses to Craigslist temporary job postings listed under the website's “Gigs” category. These emails contain a password-protected Word or RTF document that the sender claims is a resume. The body of the message references a job posting and provides a password that can be used to view the attached file. Recipients who open the attachment and enter the password will be prompted to enable macros on the document. If macros are enabled, an embedded VBA script downloads and installs Sigma Ransomware on the machine.

Unlike many other ransomware variants, Sigma Ransomware does not append anything to the names of encrypted files. Instead, a file marker and possible encrypted key are embedded at the bottom of each file. A ransom note named ReadMe.txt is placed in every folder where files have been encrypted. The note instructs victims to download the TOR browser and visit a specific address for payment instructions. Additionally, the TOR site provides victims with the option to generate a “support” ticket for assistance.
- Bleeping Computer provides additional information on Sigma Ransomware here.
- The NJCCIC is not currently aware of any free decryption tools available for Sigma Ransomware.
Image Source: Bleeping Computer