Threat Actors Put a Greek Twist on Ransomware with Sigma



When we think of Greek-themed malware, the trojan family generally comes to mind. Not anymore: Sigma is a new ransomware delivered via phishing email.

On November 8, 2017, threat actors sent a phishing email warning of impending charges to the recipient’s MasterCard if he or she did not open the attached encrypted Word document.

Figure 1 – Phishing email that delivers the malicious Word document

Unsurprisingly, this document contained a macro that downloaded a payload from hxxp://

Figure 2 – Prompt to enable macros after opening attachment

Leveraging svchost.exe, it drops Sigma onto the host. Once the payload is launched on the machine, it performs several techniques to ensure it is not running in an analysis environment, pinging and scouring the system for virtualization signatures. When satisfied with its environment, Sigma downloads the component it needs to connect to Tor. Sigma then establishes several connections to different Tor exit nodes and begins encrypting files on the host, giving them a .6Tdp extension. After successfully encrypting the files, it displays a ransom message with instructions on how to navigate to the payment site.

Figure 3 – Ransom message displayed after successfully encrypting files
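One defensive use of the behaviour described above is to alert on a burst of files gaining the .6Tdp extension on a single host. The following is an added example, not code from the original post; the file-event log format (`<epoch_seconds> <host> <event> <path>`) and the sample lines are constructed for illustration.

```python
"""Flag hosts where many files gain the .6Tdp extension in a short window.

Added example, not part of the original post. The log line format
"<epoch_seconds> <host> <event> <path>" is an assumption, and the sample
lines below are constructed, not real telemetry.
"""
from collections import defaultdict

SIGMA_EXT = ".6Tdp"  # extension the post reports on Sigma-encrypted files

# Constructed sample log: five renames on ws01 in 4 seconds, one stray on ws02
SAMPLE_LOG = """\
1510100000 ws01 CREATE C:\\Users\\a\\Documents\\q3.docx
1510100005 ws01 RENAME C:\\Users\\a\\Documents\\q3.docx.6Tdp
1510100006 ws01 RENAME C:\\Users\\a\\Documents\\budget.xlsx.6Tdp
1510100007 ws01 RENAME C:\\Users\\a\\Pictures\\img1.jpg.6Tdp
1510100008 ws01 RENAME C:\\Users\\a\\Pictures\\img2.jpg.6Tdp
1510100009 ws01 RENAME C:\\Users\\a\\Desktop\\notes.txt.6Tdp
1510100900 ws02 RENAME C:\\Users\\b\\old.bak.6Tdp
""".splitlines()


def parse_event(line):
    """Split one log line into (timestamp, host, event, path)."""
    ts, host, event, path = line.strip().split(" ", 3)
    return int(ts), host, event, path


def find_encryption_bursts(lines, window=60, threshold=5):
    """Return {host: count} for hosts with >= threshold .6Tdp files created or
    renamed inside any `window`-second span (sliding window per host)."""
    per_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, event, path = parse_event(line)
        if event in ("CREATE", "RENAME") and path.endswith(SIGMA_EXT):
            per_host[host].append(ts)

    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop events that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_LOG))  # {'ws01': 5}
```

The threshold and window are tuning knobs; a legitimate backup job never produces this extension, so even a low threshold is a high-confidence signal.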

If a user navigates to the payment site, they are given instructions on how to pay the ransom. The threat actors also give the user the option to chat with them and to have one file decrypted as proof.

Figure 4 – Sigma payment site with instructions on how to pay the ransom

With the threat landscape constantly evolving, analysts and network defenders must employ both their skills and advanced technology to overcome adversaries. In the Phishing Defense Center, our threat analysts were able to quickly discover and escalate this threat for in-depth analysis thanks to the visibility provided by PhishMe Triage™.

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.
