One example of the Sage variant. Image Source: Bleeping Computer

Sage, a variant of CryLocker, was originally seen in December 2016 targeting Windows OS and being distributed via the RIG exploit kit. One month later, Sage 2.0 had been spotted being distributed via spam emails and researchers concluded that the Sage 2.0 distributor appears to be related to the Cerber, Locky, and Spora ransomware campaigns. The spam emails distributing Sage 2.0 have an empty subject line and ZIP attachments that are either named MAIL_[random_numbers] or [random_numbers].zip. These ZIP files contain either a malicious JavaScript file or a malicious Microsoft Word document. Once the malicious file is opened, the ransomware hibernates for a brief amount of time and then copies itself into the %UserProfile%\AppData\Roaming folder as a random eight character name. It then executes the copied file which results in a UAC prompt to be displayed to the user asking permission to make changes to the computer. If approved, it starts looking for targeted file types and encrypts them, appending .sage to the file name. Early analysis suggests that AES encryption is not used. Sage 2.0 also drops a ransom note named !Recovery_[3_random_chars].html in each folder containing encrypted files. Sage 2.0 maintains persistence by creating a random scheduled task and deletes Shadow Volume Copies using the vssadmin delete shadows /all /quiet command to prevent data restoration by the victim. It uses the Google Maps API and the SSIDs of local wireless networks to determine the victim’s location. Each victim gets a unique victim ID which is displayed on the ransom note. The initial ransom payment demand for Sage 2.0 is 2.14 Bitcoin and it increases to twice that amount if the ransom is not paid within one week.

  • Bleeping Computer provides more information about Sage here.
  • The NJCCIC is not currently aware of any free decryption tool available for Sage.