In December last year, the security researcher Kafeine posted a forum support topic discussing a new ransomware strain, called Sage. According to the researcher, the ransomware was a variant of the notorious CryLocker malware and was distributed via the RIG exploit kit. However, back then the number of infected users was relatively small and not much was known about the infection.
And yet, only a month later, on January 21st, the security researcher and ISC Handler, Brad Duncan, posted a new ISC diary entry, reporting that a new ransomware piece, dubbed Sage 2.0 is being spread via malicious spam emails. Moreover, the Sage current distributor appears to be one of the cybercriminals behind the distribution campaigns of Locky, Cerber and Spora ransomware strains. This means that Sage 2.0`s spreading has a potential to drastically increase in the near future.
According to Duncan, Sage 2.0 infects users via spam email messages that have no subject but they contain ZIP attachments. The attachments have names like EMAIL_[random_numbers]_recipient.zip or only [random_numbers].zip. These zip files comprise other zip files, which, in turn, contain a Word document or a JavaScript (JS) file.
What is also important about this ransomware strain is that it adds persistence so the infection would start every time a user logs into Windows. Moreover, Sage 2.0 also deletes the Windows Shadow Volume Copies so that the victim cannot use them to recover their files. And, just like CryLocker, Sage uses SSIDs and Google Maps API of nearby wireless networks to find out the victim`s location.
Finally, the ransomware displays its ransom note and adds its text to the victim`s desktop background. The note contains links to the payment sites where the victims can pay the ransom as well as their unique IDs.
Sage uses a TOR-based payment site called User Cabinet or Sage 2.0 User Area. The site provides information about what happened to the victims` files as well as payment instruction on how they can obtain the decryption tool. At the moment the ransom demanded by Sage`s authors is 2.14 Bitcoins or $2,000. However, if the victim doesn’t pay within a week, the amount doubles. The payment site also contains an instruction page with a tutorial on how to purchase Bitcoins and use them to pay the ransom as well as the ransom sum and the bitcoin address that the victim must send the payment to. Sage 2.0 User Area also provides victims the opportunity to contact the ransomware authors. Last but not least, on the site, there are instructions on how the victims can download the Sage2Decrypter.exe and how to use it to unlock their files once they have paid the ransom sum.
Unfortunately, a free decrypter for the Sage 2.0 infection is not available at the moment.
