The creators behind the Sigrun ransomware seem to be favoring Russian victims infected by their malicious code, security researchers have discovered. The author of the Sigrun ransomware has been found providing free decryption for Russian victims, while demanding a ransom payment of $2500 in Bitcoin or Dash for others.
This notable trend was first discovered and reported on Twitter by security researcher Alex Svirid who specializes in analyzing ransomware weaknesses. Malwarebytes security researcher S!Ri later replied to Svirid's tweet with email proof illustrating the malware author’s intentions not to harm Russian victims.
While one email featured conversations between the ransomware author and a US-based victim, a second included the conversation with a Russian victim.
“You do not have to pay,” the ransomware author wrote to the Russian victim. “I’ll just help you.”
Russian malware authors usually program their malicious codes to avoid infecting Russian-speaking victims to evade detection by authorities. In fact, the Sigrun ransomware, when executed, immediately looks to detect the keyboard layout. If a Russian layout is detected, it will not encrypt the system and deletes itself. However, if a Russian victim does not happen to be using a Russian keyboard layout, they could find themselves accidentally infected by the ransomware.
Sigrun will scan the entire computer for files to encrypt and skip certain files, extensions and filenames. Encrypted files are appended with the extension .sigrun. The malware also displays two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each encrypted folder. The ransom note contains information about the attack and the email ID to be used by the victim to get further instructions regarding payment and decryption.
Ransom note (Image credit : Bleeping computer)
The author behind Sigrun told Bleeping Computer that he is “not from former USSR republics.”
"I added it because of my Belarus partners" he claimed,according to Bleeping Computer reports."Ukrainian users don't use Russian layout because of political reasons. So we decided to help them if they was infected. We have already added avoiding Ukrainian layout like was in Sage ransomware before."
Sigrun ransomware currently cannot be decrypted for free without help from the authors themselves, if you happen to be a Russian victim.