Threat actors go Greek using Sigma Ransomware

Thursday, November 9, 2017

Sigma is the newest and stealthiest ransomware that I've seen delivered via phishing email. The email warns you that charges will be billed against your MasterCard if you do not open the attached encrypted Word document.

Sigma Phishing Email
Once you enter the password to view the Word document, the macro makes a GET request to hxxp:// to download the dropper for Sigma. Once Sigma is launched, it makes an ICMP echo request to to check for internet connectivity. Then it performs several anti-VM techniques to ensure it is not being analyzed. If it detects that it is in an analysis environment, it terminates. However, if your system passes the initial assessment, it will drop its payload. The payload will send a GET request to hxxp://ip.api/json.txt to provide IP and geolocation details to the malware.
IP/Geolocation data from
It will then download the component to communicate over TOR and make multiple call outs to TOR exit nodes. Sigma will assign an ID to the computer, then encrypt the files and rename them with a .6Tdp extension. It also displays the ransom note on the desktop with the TOR paysite information and ID.
Sigma ransom note
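As an added illustration of how a defender might turn the behaviour chain above into a detection (example code, not from the original post): a small Python scorer run over constructed endpoint log lines, flagging hosts that show a Word-spawned process, the ip.api/json.txt geolocation lookup, the ICMP connectivity probe, or files renamed to .6Tdp. The log format, host names, dropper.exe, the indicator weights and the alert threshold are all assumptions.

```python
import re

# Constructed sample log lines (not from the original post). Format:
# "<host> <event> <details>". The ip.api/json.txt lookup and the .6Tdp
# extension come from the write-up; hosts, paths and dropper.exe are made up.
SAMPLE_LOGS = [
    "ws01 process winword.exe spawned dropper.exe",
    "ws01 icmp dropper.exe echo-request",
    "ws01 http dropper.exe GET hxxp://ip.api/json.txt",
    "ws01 file rename C:/Users/bob/budget.xlsx -> C:/Users/bob/budget.xlsx.6Tdp",
    "ws01 file rename C:/Users/bob/notes.docx -> C:/Users/bob/notes.docx.6Tdp",
    "ws02 http chrome.exe GET https://example.org/index.html",
    "ws02 icmp ping.exe echo-request",
    "ws03 process winword.exe spawned dropper.exe",
    "ws03 http dropper.exe GET hxxp://ip.api/json.txt",
]

# Each indicator: (name, weight, predicate over (event, details)). Weights are assumed.
INDICATORS = [
    ("office_spawns_process", 2,
     lambda ev, d: ev == "process" and d.startswith("winword.exe spawned")),
    ("geolocation_lookup", 2,
     lambda ev, d: ev == "http" and "ip.api/json.txt" in d),
    ("icmp_connectivity_probe", 1,
     lambda ev, d: ev == "icmp" and "echo-request" in d),
    ("sigma_6tdp_rename", 3,
     lambda ev, d: ev == "file" and re.search(r"->\s+\S+\.6Tdp$", d) is not None),
]
ALERT_THRESHOLD = 3  # assumption: combined weight of 3 or more raises an alert

def parse_line(line):
    """Split a log line into (host, event, details); None if malformed."""
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None

def score_hosts(lines):
    """Return {host: (score, sorted indicator names)} for every host seen."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, event, details = parsed
        names = hits.setdefault(host, set())
        for name, _w, pred in INDICATORS:
            if pred(event, details):
                names.add(name)
    weights = {name: w for name, w, _ in INDICATORS}
    return {h: (sum(weights[n] for n in ns), sorted(ns)) for h, ns in hits.items()}

def alerting_hosts(lines, threshold=ALERT_THRESHOLD):
    """Hosts whose combined indicator weight meets the threshold."""
    return sorted(h for h, (s, _) in score_hosts(lines).items() if s >= threshold)

if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_LOGS).items():
        print(host, score, names)
    print("alert:", alerting_hosts(SAMPLE_LOGS))
```

The .6Tdp rename alone crosses the threshold, while the earlier network behaviours only alert in combination, so the scorer catches the infection chain before encryption on ws03 and the completed encryption on ws01.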
If you visit the paysite, it informs you that if you pay $1000 in Bitcoin within 7 days you get the special rate. After 7 days, the ransom increases to $2000 in Bitcoin.
I found it interesting that you can chat with the threat actors via XMPP chat to get one or possibly several of your files decrypted for free. The threat actors' XMPP account is

Contact me via social media or email if you would like artifacts or IOCs. My email is

© Malware Mayhem. Design by FCD.