New Craigslist Malvertising Campaign Spreading Sigma Ransomware


A new malvertising campaign is underway that pretends to be from Craigslist but instead installs the Sigma Ransomware on a victim’s machine. This is mainly done with malicious password-protected RTF or Word documents that arrive in your spam mailbox and ultimately install the payload of a destructive ransomware virus through a harmful VBA script. The chain of events leading to a Sigma Ransomware infection starts when a targeted computer user receives an email that pretends to be a job posting on Craigslist named Gigs. When users download and open the attached file, they are instructed to enter a password and then asked to enable the content of the attached document.

Sigma Ransomware

Once the user clicks the enable content button, the VBA script embedded in the document is launched and installs the malicious payload of Sigma Ransomware. When the password-protected RAR file has been downloaded onto the computer, its contents are extracted into the %Temp% folder and the ransomware executable, identified as ‘svchost.exe’, is launched, which initiates the file-encryption process. After a successful intrusion on the targeted Windows system, Sigma Ransomware enciphers specific file types without appending an unusual extension to the file name. Unlike other notorious ransomware infections, this threat includes a file marker at the bottom of each enciphered file, which appears to be an encrypted key.

Moreover, when Sigma Ransomware encodes the targeted file types stored on the victim’s computer, it displays a ransom note named ‘ReadMe.txt’, which is dropped into each folder containing encrypted files. The ransom note displayed by this dangerous file-encrypting virus contains detailed information on what has happened to your computer files and instructs victims to pay a hefty ransom in order to get the decryption key needed for file restoration. In addition, the ransom message provides information on connecting to the related TOR payment portal, where victims will receive instructions to pay a specific amount of ransom money in order to regain access to their files.
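
A detection check for the two host artifacts described above, the ‘svchost.exe’ launched from %Temp% and the ‘ReadMe.txt’ note dropped into each folder. This is an added example, not part of the original article; the event field names, the sample events and the folder threshold are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Legitimate svchost.exe folders (assumes Windows is installed on C:).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
NOTE_NAME = "readme.txt"   # ransom note name from the article, lower-cased
NOTE_DIR_THRESHOLD = 3     # assumed tuning value, not from the article

def masquerading_svchost(events):
    """Return process-start events where svchost.exe runs from an unexpected folder."""
    hits = []
    for ev in events:
        if ev["type"] != "process_start":
            continue
        folder, name = ntpath.split(ev["image"].lower())
        if name == "svchost.exe" and folder not in LEGIT_SVCHOST_DIRS:
            hits.append(ev)
    return hits

def note_spray(events, threshold=NOTE_DIR_THRESHOLD):
    """Return {writer image: folders} for processes dropping ReadMe.txt in many folders."""
    dirs = defaultdict(set)
    for ev in events:
        if ev["type"] != "file_create":
            continue
        folder, name = ntpath.split(ev["target"].lower())
        if name == NOTE_NAME:
            dirs[ev["image"].lower()].add(folder)
    return {img: sorted(d) for img, d in dirs.items() if len(d) >= threshold}

# Constructed sample telemetry (hypothetical field names, not from a real incident).
FAKE = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
SAMPLE = [
    {"type": "process_start", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_start", "image": FAKE},
    {"type": "file_create", "image": FAKE, "target": r"C:\Users\alice\Documents\ReadMe.txt"},
    {"type": "file_create", "image": FAKE, "target": r"C:\Users\alice\Pictures\ReadMe.txt"},
    {"type": "file_create", "image": FAKE, "target": r"C:\Users\alice\Desktop\ReadMe.txt"},
    {"type": "file_create", "image": r"C:\Program Files\App\setup.exe", "target": r"C:\Program Files\App\ReadMe.txt"},
]

if __name__ == "__main__":
    for ev in masquerading_svchost(SAMPLE):
        print("svchost.exe outside System32:", ev["image"])
    for img, folders in note_spray(SAMPLE).items():
        print(img, "wrote ReadMe.txt into", len(folders), "folders")
```

Because ‘ReadMe.txt’ is a common file name, the second check only fires when one process writes it into several distinct folders.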

However, if victims need help with the ransom payment, the TOR payment website also includes a link to a web page where they can create ‘support’ tickets. Technically speaking, malware researchers from a reputed security firm haven’t tested the responsiveness or functionality of the support method provided in the ransom note of Sigma Ransomware. Unfortunately, there is no way to decode the files enciphered by this malware for free. Most importantly, you should refrain from paying the demanded ransom, which would only boost the morale of the cyber extortionists. In such circumstances, you should take immediate action to remove Sigma Ransomware and then try an alternative method to restore the encoded files.

