A newly observed ransomware variant is being distributed via malicious spam normally distributing Cerber and is demanding a $2,000 ransom for the decryption key.
Dubbed Sage 2.0, the new ransomware family was initially spotted in December, but hasn’t been seen in major campaigns until now, with the first reports on it emering in forum posts last month.
According to Brad Duncan, Rackspace security researcher and handler at the SANS Internet Storm Center, Sage is a variant of CryLocker. This particular piece of ransomware was seen being distributed by the Sundown and RIG exploit kits in a campaign that also leveraged steganography to hide information about the infected systems inside PNG files and exfiltrate it.
The emails used in the malspam campaign distributing Sage 2.0 normally don’t feature subject lines, and never have a message text, the security researcher says. They do, however, feature a ZIP attachment that contains a Word document with malicious macros meant to download and install the malware. The ZIP archive might sometimes include a .js file instead, but the purpose wouldn’t be different.
One other characteristic of this campaign, Duncan says, is that the recipient’s name is often part of the attachment’s file name. Moreover, some of the attachments are double-zipped, meaning that they contain another ZIP archive that the user has to open before getting to the Word document or .js file.
The macro-enabled Word documents and the .js files would download mostly the Sage 2.0 ransomware on Friday, but some of them were dropping the well-known Cerber file-encrypting malware.
When infecting Windows 7 devices, Sage triggers the User Account Control (UAC) technology and security infrastructure, prompting users to accept its execution. The window would keep popping up until the user clicks “Yes.”
“The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ‘.sage’ is the suffix for all encrypted files,” the security researcher explains.
To maintain persistence on infected machines, Sage uses a scheduled task and stores its executable in the user’s AppDataRoaming directory. In the ransom note, victims are instructed to go to a Tor-based domain with a decryptor screen, where they are presented with a demand of $2,000 as a “fee” for the decryption operation.
The security researcher also discovered that Sage generates post-infection traffic in the form of HTTP POST requests. “When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted,” the security researcher says. CryLocker generated similar traffic, albeit not encrypted.
“I’m not sure how widely-distributed Sage ransomware is. I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far. I’m also not sure how effective this particular campaign is. It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals,” Duncan concludes.