Sage Ransomware Escalates Privileges and Evades Analysis

The Fortinet security experts warned that the Sage ransomware has escalated its privileges and added anti-analysis capabilities.

Although the threat was highly active at the beginning of this year, it hasn’t shown any significant activity during the last six months.

In March, the security researchers found samples resembling a version of Sage, however, that one one had anti-analysis and privilege escalation capabilities.

The Sage ransomware is distributed via spam emails with malicious JavaScript attachments. According to the experts, the malware shares the same distribution infrastructure with the Locky ransomware.

In addition, the researchers noticed that the threat is being distributed via document files containing malicious macros. It leverages .info and .top top-level domain (TLD) names for malware delivery.

The Sage ransomware uses the ChaCha20 encryption algorithm to encrypt the victim’s files and appends the .sage extension to them. The malware avoids infecting computers which have the following keyboard layouts: Belarusian, Kazak, Uzbek, Russian, Ukrainian, Sakha, and Latvian.

The analysis of the Sage’s code shows that most strings have been encrypted in an attempt to conceal the malicious behavior. According Fortinet, the malware creators have used the ChaCha20 cipher for encryption and every encrypted string has its own hard-coded decryption key.

Apart from the above-mentioned, Sage already performs a variety of checks to determine if it is being loaded into a sandbox or a virtual machine for analysis.

The ransomware enumerates all active processes on the PC, computes a hash for every one of them, and checks the hashes against a hardcoded list of blacklisted processes. Besides, it checks the full path of where the malware executes and terminates if it includes strings like sample, malw, sampel, virus, {sample’s MD5}, and {samples’s SHA1}.

Additionally, the new variant of Sage checks the computer and user names to determine if they match a list of names normally used in sandbox environments. Besides, it uses the x86 instruction CPUID to get the processor info and compare it to a list of blacklisted CPU IDs.

Apart from all of the other functions so far, the malware checks whether an antivirus runs on the computer (by enumerating the services running under Service Control Manager) and checks it against a set of blacklisted MAC addresses.

The experts also discovered that Sage is capable of elevating its privilege either by exploiting a patched Windows kernel vulnerability (CVE-2015-0057) or by abusing eventvwr.exe and performing registry hijacking to bypass User Account Control (UAC).

The Sage ransom note has been translated into six new languages suggesting that the ransomware creator might target more countries in the future.

At present, the malware victims are instructed to access an onion site using the TOR browser and to pay a $2000 ransom to purchase the “SAGE Decrypter software” and release their files.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.