We have reported several cases where Russian malware authors avoid infecting computers in their country, but the case we are going to discuss is interesting too.
The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while the malware demands the payment of a ransom of $2,500 worth of Bitcoin or Dash for the victims.
The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.
Yup, many are doing that. Guess who is Russian and who is American? pic.twitter.com/1pS6NhPtXN
— S!Ri (@siri_urz) May 31, 2018
The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout, this behavior allows Russian vxers to avoid the response of local authorities.
When Sigrun ransomware is executed, it will first check “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine if it is set to the Russian layout. If the machine is using a Russian layout, it will not encrypt its files and delete itself.
Experts pointed out that the ransomware also infects users in the former USSR Republics because many of them don’t use the Russian keyboard layout for political reason. For this reason, the authors of the Sigrun ransomware decided to provide for free the decryption key to Russian victims.
“Ukranian users don’t use russian layout because of political reasons. So we decided to help them if they was infected,” the Sigrun author told BleepingComputer via email.
“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.
Lawrence Abrams from BleepingComputer has spoken with the author of the malware that told him that he isn’t from former USSR republics.
“Finally, the Sigrun developer told us that they are “not from former USSR republics. I added it because of my Belarus partners.” added Abrams.
When Sigrun ransomware is executed on a computer, it will scan a computer for files to encrypt, when it encrypts a file it will append the .sigrun extension to the encrypted file’s name. The malware creates two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each folder containing encrypted files.
Experts noticed that it doesn’t encrypt files that match certain extensions, filenames, or that are located in particular folders.
“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.
Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.
(Security Affairs – cybercrime, Sigrun Ransomware)