Sigrun Virus Removal Guide — How To Restore .sigrun Files

Sigrun Virus Removal Guide — How To Restore .sigrun Files

Sigrun virus image

Sigrun virus is a newly discovered test version of a new threat. The security analysis reveals that it does not contain snippets from any of the famous malware families. It is possible that future versions of it are going to feature updated code that add newer functions. Read our complete Sigrun virus removal guide to learn more about it.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .sigrun extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Sigrun


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Sigrun.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Sigrun Virus – Distribution Ways

The Sigrun virus has been detected as a new threat following investigation of a recent ransomware attack. According to the available information the attack was found to be limited in size and the number of potentially impacted targets is probably lower than most common infections. This severely limits further analysis of the distribution methods. It is believed that in future attacks the hackers may use the most popular distribution tactics.

A primary is to take coordinate SPAM email messages that utilize social engineering techniques in order to coerce the targets into infecting themselves. This is usually done by attaching Sigrun virus files directly or hyperlinking them in the body contents. They are also used to spread virus payloads. There are two main types:

  • Infected Documents — They are used to deploy the virus payload through scripts. This is done by displaying a notification prompt that asks the victims to enable the built-in macros. When this is done the infection follows.
  • Software Installers — Using a similar mechanism the criminals can embed the dangerous code in application installers. The hackers typically choose the most popular software: productivity apps, creative solutions, system utilities and even computer games.

The infection can also be spread using web scripts on both hacker-controlled and legitimate web sites. Examples Sigrun virus carriers include all kinds of web banners, pop-ups, in-line scripts and etc. The threat can also be distributed on various file sharing networks as well such as BitTorrent.

The Sigrun virus can use another popular method to spread itself by taking advantage of browser hijackers. They represent malicious web browser plugins that are made compatible with the most popular applications: Mozilla Firefox, Google Chrome, Internet Explorer, Opera, Safari and Microsoft Edge. The various strains are usually advertised on the associated plugn repoitories using fake developer credentials and user reviews. Once the relevant threats are installed the default browser settings (new tabs page, search engine and homepage) are changed. Any dangerous code is installed afterwards.

Sigrun Virus – In-Depth Analysis

The Sigrun virus is a newly discovered ransomware that appears to have been made by an unknown hacker or criminal collective. The initial code analysis shows that it doesn’t include any code snippets from the famous malware families.This means that the Sigrun virus maybe created entirely by its operator(s) or bought from the underground hacker markets as a new ransomware strain sample.

So far it seems that the captured strains associated with it are being distributed in their test versions. This means that future variants of it can include a much more feature-rich behavior pattern.

The infection can begin with a data gathering module that is programmed to automatically hijack sensitive data. The collected information can be used for optimizing the campaign by harvesting data about the installed hardware components and operating system values. The ransomare can also expose personally-identifiable data about the victim’s themselves. The nature of the collected information can reveal their name, address, telephone number, location, interests, passwords and account credentials. The collected data can then be processed by another module called stealth protection which is used to protect the dangerous instance from applications and services that can interfere with it. The list includes anti-virus products, sandbox environments and virtual machine hosts. These steps help to prepare the victim host for further modifications.

Any Windows Registry changes that can occur may perform a variety of damaging actions against user-installed software or the operating system itself. For example a modification to a software service can render certain services or functions non-working. When strings related to the operating system are changed the victims can experience serious performance issues. Such actions are also related to the process of instituting the Sigrun virus as a persistent threat. In connection with various boot options the code can render disallow access to the recovery boot menu which makes most manual removal steps useless. In such cases the best way to restore an infected computer by using a quality anti-spyware removal tool. Refer to our instructions for more information.

Steps that can make recovery more difficult include the removal of identified Shadow Volume Copies of any sensitive data. Usually they are chosen based on the built-in list used by the ransomare component.

Advanced virus threats can lead to a remote network connection wherein the Sigrun virus operators can spy on the victim users in real time as well as overtake control of their machines. Such behavior is also capable of delivering additional malware infections.

Sigrun Virus – Encryption Process

Once all associated modules have completed execution the Sigrun virus ransomware engine is launched. Like other popular strains it uses a built-in list of affected file types. An example list may encrypt the following data:

  • Archives
  • Backups
  • Databases
  • Documents
  • Images
  • Videos
  • Music

All affected data is encrypted with the .sigrun extension. The accompanying ransom note is called RESTORE-SIGRUN and is available in two versions — TXT and HTML. The message reads the following:

~~~~~~SIGRUN RANSOMWARE~~~~~~~~~
Dear user, all your important files have been encrypted!
Don’t worry! Your files still can be restored by us!
In order to restore it you need to contact with us via e-mail.
As a proof we will decrypt 3 files for free!
Please, attach this to your message:
94 04 00 00 50 1a 63 58 dc 54 f5 a7 fa 63 0f e2
13 f5 37 1d e8 4b 68 4d 3d 8a 15 cc 50 47 46 e2
33 0c fa f0 5e ee 21 3e 24 70 f5 55 6e 34 71 b9
2a cd d6 c3 09 07 0b d4 13 77 10 50 35 14 6d af
77 7b aa a4 1b 30 37 bс 3a bd 64 12 79 63 15 9a

Remove Sigrun Virus and Restore .sigrun Files

If your computer system got infected with the Sigrun ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share