Sigrun creates ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in every folder where files have been encrypted and appends .sigrun to the names of encrypted files. The ransom notes instruct victims to contact threat actors via for payment instructions. In an effort to avoid infecting Russian victims, Sigrun detects the keyboard layout prior to encrypting files and will delete itself if a Russian layout is detected. At the time of writing, the current ransom amount is $2,500 USD accepted in Bitcoin; however, the malware author behind the campaign provides free decryption to Russian victims.

  • Bleeping Computer provides additional information on Sigrun here.
  • The NJCCIC is not aware of any free decryption tools available for Sigrun. However, Russian victims may receive assistance from the malware author.


Image Source: Bleeping Computer