The Sage ransomware, which emerged toward the beginning of this year, has added new functionality that allows it to escalate privileges and evade analysis, Fortinet warns.
The malware was highly active in early 2017, but hasn’t shown significant activity over the past six months. Recently found samples resembling a Sage variant observed in March this year, however, pack both anti-analysis and privilege escalation capabilities, Fortinet’s security researchers warn.
Distributed via spam emails with malicious JavaScript attachments, Sage was also found to share the same distribution infrastructure with the Locky ransomware. The malware was also observed being distributed through document files with malicious macros. It leverages .info and .top top-level domain (TLD) names for malware delivery.
The ransomware uses the ChaCha20 encryption algorithm to encrypt the victim’s files and appends the .sage extension to them. Sage avoids infecting computers that have the following keyboard layouts: Belarusian, Kazak, Uzbek, Russian, Ukrainian, Sakha, and Latvian.
A look at Sage’s code shows that most strings have been encrypted in an attempt to conceal the malicious behavior. The authors used the ChaCha20 cipher for encryption and every encrypted string has its own hard-coded decryption key, Fortinet has discovered.
Furthermore, the malware now performs a variety of checks to determine if it is being loaded into a sandbox or a virtual machine for analysis.
The threat enumerates all active processes on the machine, computes a hash for every one of them, and then checks the hashes against a hardcoded list of blacklisted processes. It also checks the full path of where the malware executes and terminates if it includes strings such as sample, malw, sampel, virus, {sample’s MD5}, and {samples’s SHA1}.
The new Sage variant also checks the computer and user names to determine if they match a list of names normally used in sandbox environments. It also uses the x86 instruction CPUID to get the processor info and compare it to a list of blacklisted CPU IDs.
On top of these, the ransomware checks whether an antivirus runs on the computer (by enumerating the services running under Service Control Manager) and checks it against a set of blacklisted MAC addresses.
Sage was also found to be able to elevate its privilege either by exploiting a patched Windows kernel vulnerability (CVE-2015-0057) or by abusing eventvwr.exe and performing registry hijacking to bypass User Account Control (UAC).
The ransom note has been translated into six more languages, which suggests that the author may aim to target more countries in the future. Victims are instructed to access an onion site using the TOR browser and to pay a $2000 ransom to purchase the “SAGE Decrypter software.”
Related: Sage 2.0 Ransomware Demands $2,000 Ransom
Related: Locky, Sage Ransomware Share Distribution Infrastructure

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
