diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b4dd14e..29f7d4f 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9694,12 +9694,22 @@
 ]
 },
 "uuid": "39cb0268-528b-11e8-ac30-0fa44afdc8de"
+ },
+ {
+ "value": "Sigrun Ransomware",
+ "description": "When Sigrun is executed it will first check \"HKEY_CURRENT_USER\\Keyboard Layout\\Preload\" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself. Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders. ",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/"
+ ]
+ },
+ "uuid": "5a53eec2-6993-11e8-a4d5-67480005dcbd"
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 21,
+ "version": 22,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
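Review bot: The new `Sigrun Ransomware` entry gives an analyst nothing to match on, because its `meta` object holds only `refs` and the `description` mentions "certain extensions, filenames, or ... particular folders" without naming any. If the referenced article states the appended file extension or the ransom-note filename, record them as structured fields under `meta`; MISP ransomware clusters conventionally use `"extensions"` and `"ransomnotes"` arrays for this, though no sibling entry is visible in this hunk to confirm the convention here. The `description` also ends with a stray space before the closing quote (`folders. "`), which should be trimmed so exact-string comparisons and de-duplication against other feeds behave predictably. The `version` bump from 21 to 22 is consistent with adding a cluster value.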