
Sage 2.0 Ransomware Demands $2,000 Ransom

A newly observed ransomware variant is being distributed via malicious spam normally distributing Cerber and is demanding a $2,000 ransom for the decryption key.

Dubbed Sage 2.0, the new ransomware family was initially spotted in December, but hadn’t been seen in major campaigns until now, with the first reports on it emerging in forum posts last month.

According to Brad Duncan, Rackspace security researcher and handler at the SANS Internet Storm Center, Sage is a variant of CryLocker. This particular piece of ransomware was seen being distributed by the Sundown and RIG exploit kits in a campaign that also leveraged steganography to hide information about the infected systems inside PNG files and exfiltrate it.

The emails used in the malspam campaign distributing Sage 2.0 normally don’t feature subject lines, and never have a message text, the security researcher says. They do, however, feature a ZIP attachment that contains a Word document with malicious macros meant to download and install the malware. The ZIP archive might sometimes include a .js file instead, but the purpose wouldn’t be different.

One other characteristic of this campaign, Duncan says, is that the recipient’s name is often part of the attachment’s file name. Moreover, some of the attachments are double-zipped, meaning that they contain another ZIP archive that the user has to open before getting to the Word document or .js file.

On Friday, the macro-enabled Word documents and the .js files mostly downloaded the Sage 2.0 ransomware, but some of them dropped the well-known Cerber file-encrypting malware instead.
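The delivery pattern Duncan describes (a ZIP attachment, sometimes double-zipped, whose file name carries the recipient’s name and which wraps a Word document or a .js file) lends itself to a simple mail-gateway triage check. The following Python script is an added example written for this article, not code from Duncan, SANS ISC or SecurityWeek. It builds a constructed nested ZIP in memory, walks it recursively, and flags the combination of nesting, a payload-carrier extension and a personalised file name. The sample file names and the scoring rule are assumptions; real macro detection would need a VBA parser on top of the extension check.

```python
import io
import zipfile

# Extensions the article names as the carriers inside the ZIP (Word document, .js file).
SUSPECT_EXTENSIONS = (".doc", ".docm", ".js")
MAX_DEPTH = 3  # stop unpacking nested archives beyond this depth


def build_zip(entries):
    """Build a ZIP archive in memory from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_zip(data, depth=0):
    """Walk a ZIP (and any ZIPs nested inside it) and collect structural findings."""
    findings = {"nested_zip": False, "suspect_files": [], "max_depth": depth}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(".zip") and depth < MAX_DEPTH:
                # Double-zipped attachment: descend into the inner archive.
                findings["nested_zip"] = True
                inner = inspect_zip(zf.read(info), depth + 1)
                findings["suspect_files"].extend(inner["suspect_files"])
                findings["max_depth"] = max(findings["max_depth"], inner["max_depth"])
            elif lower.endswith(SUSPECT_EXTENSIONS):
                findings["suspect_files"].append(info.filename)
    return findings


def recipient_in_filename(filename, recipient_name):
    """True if any name token of at least three characters appears in the attachment name."""
    lower = filename.lower()
    return any(tok in lower for tok in recipient_name.lower().split() if len(tok) >= 3)


def triage_attachment(filename, data, recipient_name):
    """Score one ZIP attachment against the article's malspam characteristics."""
    findings = inspect_zip(data)
    findings["recipient_in_name"] = recipient_in_filename(filename, recipient_name)
    # Assumed rule: a macro/script carrier plus either nesting or personalisation is suspicious.
    if findings["suspect_files"] and (findings["nested_zip"] or findings["recipient_in_name"]):
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed sample: a double-zipped attachment named after the recipient, wrapping a .doc.
SAMPLE_NAME = "jane_doe_order.zip"
SAMPLE_ZIP = build_zip({"jane_doe_order.zip": build_zip({"jane_doe_order.doc": b"placeholder"})})

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_NAME, SAMPLE_ZIP, "Jane Doe"))
```

The extension list and the verdict rule are deliberately narrow; on a real gateway they would sit alongside macro analysis and sender reputation rather than replace them.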

When infecting Windows 7 devices, Sage triggers a User Account Control (UAC) prompt asking the user to approve its execution. The window keeps popping up until the user clicks “Yes.”

“The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ‘.sage’ is the suffix for all encrypted files,” the security researcher explains.


To maintain persistence on infected machines, Sage uses a scheduled task and stores its executable in the user’s AppData\Roaming directory. In the ransom note, victims are instructed to go to a Tor-based domain with a decryptor screen, where they are presented with a demand of $2,000 as a “fee” for the decryption operation.

The security researcher also discovered that Sage generates post-infection traffic in the form of HTTP POST requests. “When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted,” the security researcher says. CryLocker generated similar traffic, albeit not encrypted.
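The host and network behaviour described in the last few paragraphs (files renamed with a .sage suffix, an HTML note dropped into every directory that holds encrypted files, and a burst of UDP packets to thousands of addresses once the callback domain fails to resolve) can be turned into endpoint detection logic. The Python below is an added example for this article, not code from Duncan or SecurityWeek. It runs over a constructed stream of file, DNS and UDP events; the event schema, the note file name, the placeholder domain and the thresholds are all assumptions.

```python
import ntpath
from collections import defaultdict

ENCRYPTED_SUFFIX = ".sage"      # suffix the article reports on encrypted files
NOTE_SUFFIX = ".html"           # the ransom note is an HTML file per the article
MIN_ENCRYPTED_PER_DIR = 3       # assumed: fewer renames could be a false positive
FANOUT_THRESHOLD = 500          # assumed: distinct UDP peers after a DNS failure


def analyze_host_events(events):
    """Scan a list of event dicts ('file', 'dns', 'udp') for the Sage 2.0 indicators."""
    sage_by_dir = defaultdict(int)
    note_dirs = set()
    dns_failed = False
    udp_dsts = set()

    for ev in events:
        kind = ev["type"]
        if kind == "file" and ev["op"] in ("create", "rename"):
            directory, name = ntpath.split(ev["path"])
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                sage_by_dir[directory] += 1
            elif lower.endswith(NOTE_SUFFIX):
                note_dirs.add(directory)
        elif kind == "dns" and ev["rcode"] != "NOERROR":
            # Callback domain did not resolve; watch for the fallback UDP fan-out.
            dns_failed = True
        elif kind == "udp" and dns_failed:
            udp_dsts.add(ev["dst_ip"])

    alerts = []
    # A directory holding several .sage files plus a dropped HTML note matches the article.
    flagged = sorted(d for d, n in sage_by_dir.items() if n >= MIN_ENCRYPTED_PER_DIR and d in note_dirs)
    for d in flagged:
        alerts.append(f"encrypted files with ransom note in {d}")
    if len(udp_dsts) >= FANOUT_THRESHOLD:
        alerts.append(f"UDP fan-out to {len(udp_dsts)} hosts after DNS failure")

    return {
        "encrypted_files": sum(sage_by_dir.values()),
        "note_dirs": flagged,
        "udp_fanout": len(udp_dsts),
        "alerts": alerts,
    }


def build_sample_events():
    """Constructed telemetry mimicking the article's description; not real captured data."""
    doc_dir = r"C:\Users\jane\Documents"
    events = []
    for i in range(5):
        events.append({"type": "file", "op": "rename", "path": rf"{doc_dir}\report{i}.docx.sage"})
    # Note file name is a placeholder; the article does not give the real one.
    events.append({"type": "file", "op": "create", "path": rf"{doc_dir}\DECRYPT_NOTE_PLACEHOLDER.html"})
    events.append({"type": "file", "op": "create", "path": r"C:\Users\jane\Desktop\DECRYPT_NOTE_PLACEHOLDER.html"})
    # Placeholder callback domain (reserved .invalid TLD) that fails to resolve.
    events.append({"type": "dns", "qname": "callback.invalid", "rcode": "NXDOMAIN"})
    for i in range(1200):
        events.append({"type": "udp", "dst_ip": f"10.{(i >> 8) & 255}.{i & 255}.1"})
    return events


if __name__ == "__main__":
    for line in analyze_host_events(build_sample_events())["alerts"]:
        print(line)
```

The desktop copy of the note alone does not raise an alert, because the rule requires encrypted files in the same directory; that keeps a stray HTML file from tripping the detector while still matching the per-directory drop the article describes.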

“I’m not sure how widely-distributed Sage ransomware is. I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far. I’m also not sure how effective this particular campaign is. It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals,” Duncan concludes.

Related: Ransomware Campaign Targets HR Departments

Related: Destructive KillDisk Malware Turns Into Ransomware

Related: Cry Ransomware Uses Google Maps to Find Victim Locations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
