ransomware Reading Time: 5 minutes

Would you be scared or at least anxious if you’d found a subpoena to the US district court in your email box? Most of the people definitely would. That’s exactly what the malicious attackers counted for when conducted this massive attack from Russia-based IPs with sophisticated and cunning ransomware payload.

Social engineering: faked authority cause real fear

3582 users became the targets of this malicious email disguised as “United States District Court” subpoena.

As you can see, the email consists of the whole bunch of social engineering tricks to convince the users to open the malicious attachment. Mainly, the perpetrators try to play on the emotional strings of fear, authority and curiosity to manipulate the victims. Installing this emotional-aroused state into the receivers’ minds is aimed to suppress their ability for critical thinking and make them act rashly.

Also, the email address of the sender is “uscourtgove.com”, which, of course, is faked but adds more credibility to the email. Having the password for the attachment strengthens the flavor of the mail solidity. The subject of email is “megaloman” and document attached is named “scan.megaloman.doc” and this match also adds some small touches of credibility. And threatening the victim with responsibility if she “fails to do for is bounden to you” (and the only way to find out that is to open the file in attachment) is the icing on the cake.

This blow-up manipulative cocktail is a potent tool to help the perpetrators to get what they want. So the risk for many people to fall prey to this scam is very high.

Now let’s see what happens if a user opens the file in the attachment.

The malware: first hides, then hits

Of course, it has nothing in common to subpoena. In reality, as Comodo Threat Research Labs analysts discovered, it’s a new variant of cunning and sophisticated Sigma ransomware that will encrypt files on the infected machine and extorts the ransom to decrypt them.

How Sigma ransomware functions:

Sigma ransomware functions
What is special in this new variant of Sigma is that it requests the user to enter the password. Um… password for malware? Throughout it can sound weird, in reality it has the clear purpose: more obfuscation of the malware from detection.

But even if the user will enter the password, the file won’t run immediately. If the macros are turned off on the victim’s machine, it convincingly asks to turn them off. Notice, how this require fits into the whole attackers’ strategy: if it’s a message from the court it definitely can be a protected document, right?

microsoft protected document

But in reality the file includes a malicious VBScript that must be run to begin installing the malware on the victim’s computer. It downloads the next part of the malware from the attackers’ server, saves it to %TEMP% folder, disguises it as svchost.exe process and executes it. This svchost.exe acts as a dropper to download one more part of the malware. Then via a rather long chain of actions – again, for stronger obfuscation – it completes the malicious payload and runs it.

The malware looks really impressive with its variety of tricks to hide and avoid detection. Before running, it checks the environment for virtual machine or sandboxes. If it discovers one, the malware kills itself. It disguises its malicious process and registry entries as legitimate ones like “svchost.exe” and “chrome”. And that’s not all.

Unlike some of its close ransomware relatives, Sigma does not act immediately but lurks and makes covert reconnaissance first. It creates a list of valuable files, counts them and sends this value to its C&C server along with other information about the victim’s machine. If no files were found, Sigma just deletes itself. It also doesn’t infect a computer, if finds out that its country location is Russian Federation or Ukraine.

The malware connection to its Command-and-Control server is also complicated. As the server is TOR-based, Sigma takes a sequence of steps:

1. Downloads the TOR software using this link: https://archive.torproject.org/tor-package-archive/torbrowser/7.0/tor-win32-
2. Saves it to %APPDATA% as System.zip
3. Unzips it to %APPDATA%\Microsoft\YOUR_SYSTEM_ID
4. Deletes System.zip
5. Renames Tor\tor.exe as svchost.exe
6. Executes it
7. Waits for a while and sends its request

And only after that Sigma begins to encrypt files on the victim’s machine. Then ransom note will capture the poisoned machine’s screen.

machine screen

And … finita la commedia. If the victim didn’t previously arrange to make backups, her data is lost. There is no way to restore them.

Protection: how to fight back

“Facing with malware so sophisticated on both sides, social engineering tricks and technical design, is a hard challenge for even security-aware users,” says Fatih Orhan, the Head of Comodo Threat Research Labs. “To protect against such cunning attacks you need to have something more reliable than just people awareness. In this case, a real solution must give 100% guarantee that your assets won’t be harmed even if someone takes the crooks’ bait and run the malware.

That’s exactly what exclusive Comodo auto-containment technology gives our customers: any arriving unknown file is automatically put into the secure environment, where it can be run with no single possibility to harm a host, system or network. And it will stay in this environment until Comodo analysts will have examined it. That’s why no one of Comodo customers has suffered from this sneaky attack”.

Live secure with Comodo!

Below are the heatmap and IPs used in the attack

The attack was conducted from 32 Russian-based (Saint Petersburg) IPs from the email Kristopher.Franko@uscourtsgov.com which domain most likely was created specially for the attack. It started on May 10, 2018, at 02:20 UTC and ended at 14:35 UTC.



CountrySender IP
Total Result 32

Ransomware Attacks

Ransomware Protection Software