LTS Secure Warning: Malspam Distributing Sigma Ransomware Using Fake Mails

Sigma Ransomware was first reported in November 2017 by places like Malware Mayhem and Cofense (formerly PhishMe). Sigma Ransomware distributed from Russia-based IP’s with the variety of social engineering techniques to compromise victims and lock the infected computer.

Users are targeting via malicious spam emails that contain a statement, which comes from “United States District Court” with a malicious attachment.

Technical Details

Sigma Ransomware Attack conducted from around 32 Russian based IP’s and the attacker registered the specific domain which is specified using to perform various attacks. Malware authors used more obfuscation functions by requesting the password to open the file to evade the detection.

Initially, the malicious files required a password to open because it tricks the user to download the attachment that should be protected since the mail come from the court. A clever trick used by an attacker, if it finds the Macros are turned, off on the victim’s machine then it convenience the users to turn it on which contains malicious VBScript. Later on, VBScript will download the original Sigma Ransomware payload from attack command and control server and save it into percentage %TEMP% folder. Downloaded malware mimics as a legitimate svchost.exe process, which helps to download one more malware. The Malware use several of obfuscation technique to hide it and evade the detection and it kills itself if it finds ay virtual machine or sandboxes. After complete encryption, it will display the ransom notes that contain the detailed information of the attack and the attack request the victims to contact them via and also victim need to mention the infection ID.


Sigma Ransomware encrypts all your files and it requires a specific decryption process. In addition, you cannot solve them with the exclusive decoding application because already set a barrier for their functions. You have to contact their technicians and pay them ransom, As a result, your identity will be reviled.

Recommended Actions

For those who are infected with the Sigma Ransomware, there is currently no way to decrypt files free. If you need assistance in removing the infection or would like to discuss the Ransomware, you can use our dedicated Sigma Ransomware Help & Support topic.

Follow these cautions to keep your computer safe:

  • Pay close attention when browsing the Internet. Never open attachments received from suspicious email addresses – these emails should be deleted without reading.
  • Download your software from official sources only and, preferably, using a direct download link (third-party download/installation tools often include dubious apps).
  • Keep installed software updated and use a legitimate anti-virus/anti-spyware suite. The best way to avoid damage from Ransomware infections is to maintain regular up-to-date backups.

Best way to remove Sigma Ransomware from the system and recover your locked files, click on link Guidelines to remove Sigma Ransomware.

LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013