Sigrun creates ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in every folder where files have been encrypted and appends .sigrun to the names of encrypted files. The ransom notes instruct victims to contact threat actors via sigrun_decryptor@protonmail.ch for payment instructions. In an effort to avoid infecting Russian victims, Sigrun detects the keyboard layout prior to encrypting files and will delete itself if a Russian layout is detected. At the time of writing, the current ransom amount is $2,500 USD accepted in Bitcoin; however, the malware author behind the campaign provides free decryption to Russian victims.

  • Bleeping Computer provides additional information on Sigrun here.
  • The NJCCIC is not aware of any free decryption tools available for Sigrun. However, Russian victims may receive assistance from the malware author.


Image Source: Bleeping Computer