Sage Ransomware Gets Anti-Analysis Capabilities

The Sage ransomware, which emerged toward the beginning of this year, has added new functionality that allows it to escalate privileges and evade analysis, Fortinet warns.

The malware was highly active in early 2017, but hasn’t shown significant activity over the past six months. Recently found samples resembling a Sage variant observed in March this year, however, pack both anti-analysis and privilege escalation capabilities, Fortinet’s security researchers warn.

Distributed via spam emails with malicious JavaScript attachments, Sage was also found to share the same distribution infrastructure with the Locky ransomware. The malware was also observed being distributed through document files with malicious macros. It leverages .info and .top top-level domain (TLD) names for malware delivery.

The ransomware uses the ChaCha20 encryption algorithm to encrypt the victim’s files and appends the .sage extension to them. Sage avoids infecting computers that have the following keyboard layouts: Belarusian, Kazak, Uzbek, Russian, Ukrainian, Sakha, and Latvian.

A look at Sage’s code shows that most strings have been encrypted in an attempt to conceal the malicious behavior. The authors used the ChaCha20 cipher for encryption and every encrypted string has its own hard-coded decryption key, Fortinet has discovered.

Furthermore, the malware now performs a variety of checks to determine if it is being loaded into a sandbox or a virtual machine for analysis.

The threat enumerates all active processes on the machine, computes a hash for every one of them, and then checks the hashes against a hardcoded list of blacklisted processes. It also checks the full path of where the malware executes and terminates if it includes strings such as sample, malw, sampel, virus, {sample’s MD5}, and {samples’s SHA1}.

The new Sage variant also checks the computer and user names to determine if they match a list of names normally used in sandbox environments. It also uses the x86 instruction CPUID to get the processor info and compare it to a list of blacklisted CPU IDs.

On top of these, the ransomware checks whether an antivirus runs on the computer (by enumerating the services running under Service Control Manager) and checks it against a set of blacklisted MAC addresses.

Sage was also found to be able to elevate its privilege either by exploiting a patched Windows kernel vulnerability (CVE-2015-0057) or by abusing eventvwr.exe and performing registry hijacking to bypass User Account Control (UAC).

The ransom note has been translated into six more languages, which suggests that the author may aim to target more countries in the future. Victims are instructed to access an onion site using the TOR browser and to pay a $2000 ransom to purchase the “SAGE Decrypter software.”

Related: Sage 2.0 Ransomware Demands $2,000 Ransom

Related: Locky, Sage Ransomware Share Distribution Infrastructure