Sage 2.0 Ransomware Demands $2,000 Ransom

A newly observed ransomware variant is being distributed via malicious spam normally distributing Cerber and is demanding a $2,000 ransom for the decryption key.

Dubbed Sage 2.0, the new ransomware family was initially spotted in December, but hadn’t been seen in major campaigns until now, with the first reports on it emerging in forum posts last month.

According to Brad Duncan, Rackspace security researcher and handler at the SANS Internet Storm Center, Sage is a variant of CryLocker. This particular piece of ransomware was seen being distributed by the Sundown and RIG exploit kits in a campaign that also leveraged steganography to hide information about the infected systems inside PNG files and exfiltrate it.

The emails used in the malspam campaign distributing Sage 2.0 normally don’t feature subject lines, and never have a message text, the security researcher says. They do, however, feature a ZIP attachment that contains a Word document with malicious macros meant to download and install the malware. The ZIP archive might sometimes include a .js file instead, but the purpose wouldn’t be different.

One other characteristic of this campaign, Duncan says, is that the recipient’s name is often part of the attachment’s file name. Moreover, some of the attachments are double-zipped, meaning that they contain another ZIP archive that the user has to open before getting to the Word document or .js file.

On Friday, the macro-enabled Word documents and the .js files mostly downloaded the Sage 2.0 ransomware, but some of them were dropping the well-known Cerber file-encrypting malware.
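The attachment traits described above (a ZIP, sometimes double-zipped, carrying a macro-enabled Word document or a .js file, often with the recipient’s name in the file name) are the kind of thing a mail gateway can triage before delivery. The following added example, which is not code from the article or from the researcher, does that in Python; the file extensions checked and the nesting limit are assumptions, and the sample archive is constructed in memory for the demonstration.

```python
import io
import zipfile

# Assumed name patterns for the lure documents described in the campaign.
MACRO_DOC_EXT = (".doc", ".docm", ".dot", ".dotm")
SCRIPT_EXT = (".js", ".jse")
MAX_DEPTH = 3  # assumed: stop unpacking nested archives beyond this depth


def triage_zip(data, depth=0):
    """Return a list of findings for a ZIP attachment given as bytes."""
    findings = []
    if depth >= MAX_DEPTH:
        return ["nesting deeper than %d levels" % MAX_DEPTH]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP"]
    for info in zf.infolist():
        name = info.filename.lower()
        if name.endswith(".zip"):
            # Double-zipped attachment: descend into the inner archive.
            findings.append("nested archive: %s" % info.filename)
            findings.extend(triage_zip(zf.read(info), depth + 1))
        elif name.endswith(MACRO_DOC_EXT):
            findings.append("word document (possible macro): %s" % info.filename)
        elif name.endswith(SCRIPT_EXT):
            findings.append("script file: %s" % info.filename)
    return findings


def triage_attachment(filename, data, recipient=""):
    """Combine the file-name check (recipient name embedded) with the ZIP scan."""
    findings = []
    tokens = recipient.lower().split()
    if tokens and all(t in filename.lower() for t in tokens):
        findings.append("recipient name in attachment file name")
    findings.extend(triage_zip(data))
    return findings


def build_sample(inner_name):
    """Construct a double-zipped sample in memory (test data, not a real payload)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(inner_name, b"placeholder content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("John_Smith.zip", build_sample("John_Smith.docm"), "John Smith"):
        print(finding)
```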

When infecting Windows 7 devices, Sage triggers a User Account Control (UAC) prompt asking the user to allow its execution. The window keeps popping up until the user clicks “Yes.”

“The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ‘.sage’ is the suffix for all encrypted files,” the security researcher explains.

To maintain persistence on infected machines, Sage uses a scheduled task and stores its executable in the user’s AppData\Roaming directory. In the ransom note, victims are instructed to go to a Tor-based domain with a decryptor screen, where they are presented with a demand of $2,000 as a “fee” for the decryption operation.

The security researcher also discovered that Sage generates post-infection traffic in the form of HTTP POST requests. “When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted,” the security researcher says. CryLocker generated similar traffic, albeit not encrypted.
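The fallback behaviour Duncan describes (callback domains failing to resolve, followed by UDP to thousands of distinct addresses) is a usable network detection: a host with failed DNS lookups that then fans out over UDP to far more peers than normal. The added example below, which is not from the article or the researcher, runs that logic over constructed DNS and flow log lines in Python; the log format and the peer threshold are assumptions.

```python
from collections import defaultdict

# Assumed threshold for distinct UDP peers per host. The article reports over
# 7,000, so a far lower bar still catches this behaviour while sparing hosts
# that talk to a handful of UDP services.
PEER_THRESHOLD = 50


def parse_line(line):
    """Split one constructed log line into (event, host, remaining fields)."""
    parts = line.split()
    return parts[1], parts[2], parts[3:]


def find_fanout_hosts(lines, threshold=PEER_THRESHOLD):
    """Return {host: (dns_failures, distinct_udp_peers)} for hosts that had
    failed DNS lookups and then sprayed UDP to at least `threshold` peers."""
    dns_fail = defaultdict(int)
    peers = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event, host, rest = parse_line(line)
        if event == "dns" and rest[-1] in ("NXDOMAIN", "SERVFAIL"):
            dns_fail[host] += 1
        elif event == "udp":
            peers[host].add(rest[0])
    return {h: (dns_fail[h], len(peers[h])) for h in peers
            if dns_fail[h] > 0 and len(peers[h]) >= threshold}


def build_sample_log():
    """Constructed sample (not real traffic): fields are timestamp, event,
    source host, then either queried name + answer code or destination IP.
    One host shows the infected pattern, one host behaves normally."""
    lines = ["1485000001 dns 10.0.0.5 callback-one.invalid NXDOMAIN",
             "1485000002 dns 10.0.0.5 callback-two.invalid NXDOMAIN"]
    lines += ["14850001%02d udp 10.0.0.5 203.0.113.%d" % (i, i) for i in range(1, 81)]
    lines += ["1485000200 dns 10.0.0.7 time.example.net NOERROR",
              "1485000201 udp 10.0.0.7 192.0.2.1",
              "1485000202 udp 10.0.0.7 192.0.2.2"]
    return lines


if __name__ == "__main__":
    for host, (fails, n_peers) in find_fanout_hosts(build_sample_log()).items():
        print("%s: %d failed DNS lookups, UDP to %d distinct peers" % (host, fails, n_peers))
```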

“I’m not sure how widely-distributed Sage ransomware is. I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far. I’m also not sure how effective this particular campaign is. It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals,” Duncan concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
