Sigrun Ransomware: A Jingoistic Offering by Russian Operators

Aside from being committed for monetary gain or to build clout, cybercrime has now also become part of the cold war between nation-states. In the last two years, the issue of Russian hackers manipulating the results of the US presidential election has been a regular headline item.

Besides, every so often we come to know about a malicious cyber activity allegedly instigated by state actors. For instance, last year, the WannaCry ransomware attack jolted users all around the world. The attacks affected hundreds of thousands of users in more than 140 countries. US authorities blamed North Korea for harboring the perpetrators of this damaging cyber attack, which resulted in millions of dollars in ransomware removal and recovery costs.

What we are trying to establish here is that there are some ransomware activities where nationalism also enters into the equation. For instance, in the first week of June, cybersecurity researchers came to know about a ransomware strain that goes by the name Sigrun. The operators of this cryptovirological strain only demand ransomware removal extortion money from non-Russian users.

Sigrun Operators Avoid Targeting Russian Users

The researchers have found that the operators of Sigrun deliberately avoid targeting Russian users. They have added a feature to the ransomware's script that detects the keyboard layout of the targeted computer. If it detects a Russian layout, the strain does not initiate its encryption process and deletes itself.

However, not all Russian users use that layout, so there is a chance that a Russian user will be affected by the cryptovirological activity of Sigrun. For all those ‘wrongly targeted’ users, the operators come off as accommodating individuals and offer free ransomware removal. It is worth noting that the same operators are asking for $2,500 in cryptocurrency from non-Russian victims.

The encryption process of Sigrun ransomware is quite similar to that of most cryptovirological strains. It appends the extension ‘.Sigrun’ to every encrypted file and leaves HTML and text ransom notes on the desktop. Barring a few extensions, nearly every file is vulnerable to the activity of Sigrun. This means extensive ransomware removal activities will be required to disinfect the affected device.
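The two artifacts described above, the ‘.Sigrun’ extension on renamed files and ransom notes dropped on the desktop, are what a defender can watch for. The following is an added example of that detection logic (not code from the original article or from the Sigrun operators) run over constructed file-event records; the burst window, the threshold and the ransom note file name are assumptions, since the article does not give them.

```python
from collections import defaultdict
from dataclasses import dataclass

SIGRUN_EXT = ".sigrun"         # extension Sigrun appends (from the write-up); compared case-insensitively
WINDOW_S = 60                  # assumed: burst window in seconds
THRESHOLD = 20                 # assumed: renames per window that count as mass encryption
NOTE_EXTS = (".html", ".txt")  # ransom note types named in the write-up

@dataclass(frozen=True)
class FileEvent:
    ts: int       # epoch seconds
    host: str
    action: str   # "rename" or "create"
    path: str

def encryption_bursts(events, window=WINDOW_S, threshold=THRESHOLD):
    """Map host -> peak number of .Sigrun renames seen inside any `window`-second span."""
    stamps = defaultdict(list)
    for e in events:
        if e.action == "rename" and e.path.lower().endswith(SIGRUN_EXT):
            stamps[e.host].append(e.ts)
    peaks = {}
    for host, ts in stamps.items():
        ts.sort()
        left = 0
        for right, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                peaks[host] = max(peaks.get(host, 0), right - left + 1)
    return peaks

def desktop_notes(events):
    """Hosts where a new .html/.txt file landed in a Desktop folder (ransom note drop)."""
    return {e.host for e in events
            if e.action == "create" and "desktop" in e.path.lower().split("\\")
            and e.path.lower().endswith(NOTE_EXTS)}

def alerts(events):
    """Flag hosts with a rename burst; mark those that also dropped a desktop note."""
    notes = desktop_notes(events)
    return {h: ("burst+note" if h in notes else "burst") for h in encryption_bursts(events)}

# Constructed sample: HOST-A shows a burst plus a note drop, HOST-B a handful of slow renames.
SAMPLE = (
    [FileEvent(1000 + i, "HOST-A", "rename", f"C:\\Users\\alice\\Documents\\doc{i}.docx.Sigrun") for i in range(25)]
    + [FileEvent(1030, "HOST-A", "create", "C:\\Users\\alice\\Desktop\\RANSOM_NOTE.html")]  # placeholder note name
    + [FileEvent(2000 + 300 * i, "HOST-B", "rename", f"D:\\share\\f{i}.xlsx.Sigrun") for i in range(4)]
)

if __name__ == "__main__":
    print(alerts(SAMPLE))  # → {'HOST-A': 'burst+note'}
```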