Security Affairs
U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The author of the Sigrun Ransomware decrypts Russian victims’ files for free

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, others have to pay a ransom of $2,500 worth of Bitcoin or Dash for the victims. We have reported several cases where Russian malware authors avoid infecting computers in their country, but the case we are going to discuss is […]

Sigrun ransomware

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, others have to pay a ransom of $2,500 worth of Bitcoin or Dash for the victims.

We have reported several cases where Russian malware authors avoid infecting computers in their country, but the case we are going to discuss is interesting too.

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while the malware demands the payment of a ransom of $2,500 worth of Bitcoin or Dash for the victims.

The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.

The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout, this behavior allows Russian vxers to avoid the response of local authorities.

When Sigrun ransomware is executed, it will first check “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine if it is set to the Russian layout. If the machine is using a Russian layout, it will not encrypt its files and delete itself.

Experts pointed out that the ransomware also infects users in the former USSR Republics because many of them don’t use the Russian keyboard layout for political reason. For this reason, the authors of the Sigrun ransomware decided to provide for free the decryption key to Russian victims.

“Ukranian users don’t use russian layout because of political reasons. So we decided to help them if they was infected,” the Sigrun author told BleepingComputer via email. 

“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.

Lawrence Abrams from BleepingComputer has spoken with the author of the malware that told him that he isn’t from former USSR republics.

“Finally, the Sigrun developer told us that they are “not from former USSR republics. I added it because of my Belarus partners.” added Abrams.

When Sigrun ransomware is executed on a computer, it will scan a computer for files to encrypt, when it encrypts a file it will append the .sigrun extension to the encrypted file’s name.  The malware creates two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each folder containing encrypted files.

Experts noticed that it doesn’t encrypt files that match certain extensions, filenames, or that are located in particular folders.

The ransom notes include information on the infection and payment instructions.

“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.

Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cybercrime, Sigrun Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]