Security Experts:

Connect with us

Hi, what are you looking for?



Sage 2.0 Ransomware Demands $2,000 Ransom

A newly observed ransomware variant is being distributed via malicious spam normally distributing Cerber and is demanding a $2,000 ransom for the decryption key.

A newly observed ransomware variant is being distributed via malicious spam normally distributing Cerber and is demanding a $2,000 ransom for the decryption key.

Dubbed Sage 2.0, the new ransomware family was initially spotted in December, but hasn’t been seen in major campaigns until now, with the first reports on it emering in forum posts last month.

According to Brad Duncan, Rackspace security researcher and handler at the SANS Internet Storm Center, Sage is a variant of CryLocker. This particular piece of ransomware was seen being distributed by the Sundown and RIG exploit kits in a campaign that also leveraged steganography to hide information about the infected systems inside PNG files and exfiltrate it.

The emails used in the malspam campaign distributing Sage 2.0 normally don’t feature subject lines, and never have a message text, the security researcher says. They do, however, feature a ZIP attachment that contains a Word document with malicious macros meant to download and install the malware. The ZIP archive might sometimes include a .js file instead, but the purpose wouldn’t be different.

One other characteristic of this campaign, Duncan says, is that the recipient’s name is often part of the attachment’s file name. Moreover, some of the attachments are double-zipped, meaning that they contain another ZIP archive that the user has to open before getting to the Word document or .js file.

The macro-enabled Word documents and the .js files would download mostly the Sage 2.0 ransomware on Friday, but some of them were dropping the well-known Cerber file-encrypting malware.

When infecting Windows 7 devices, Sage triggers the User Account Control (UAC) technology and security infrastructure, prompting users to accept its execution. The window would keep popping up until the user clicks “Yes.”

“The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ‘.sage’ is the suffix for all encrypted files,” the security researcher explains.

To maintain persistence on infected machines, Sage uses a scheduled task and stores its executable in the user’s AppDataRoaming directory. In the ransom note, victims are instructed to go to a Tor-based domain with a decryptor screen, where they are presented with a demand of $2,000 as a “fee” for the decryption operation.

The security researcher also discovered that Sage generates post-infection traffic in the form of HTTP POST requests. “When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted,” the security researcher says. CryLocker generated similar traffic, albeit not encrypted.

“I’m not sure how widely-distributed Sage ransomware is. I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far. I’m also not sure how effective this particular campaign is. It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals,” Duncan concludes.

Related: Ransomware Campaign Targets HR Departments

Related: Destructive KillDisk Malware Turns Into Ransomware

Related: Cry Ransomware Uses Google Maps to Find Victim Locations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.