Security researchers have recently published details on a new version of the Sage ransomware, known as Sage 2.0. Only a few differences from its predecessor are known, but those differences are significant.
Sage is a variant of CryLocker and was discovered late in 2016. Research on Sage reports that it uses asymmetric cryptography to encrypt the victim’s files, and the encrypted files are then renamed with a .sage extension. The initial ransom for the decryption key is 150 bitcoins. This ransom doubles if the victim doesn’t pay within the specified timeframe. Sage was spread using malicious email attachments, infected freeware, and peer-to-peer networks.
You can see more details and screenshots of Sage in this December 2016 article.
By including Sage 2.0 in the Rig and Sundown exploit kits, attackers will spread Sage 2.0 far more widely than before. According to research from Bleeping Computer, here’s how Sage 2.0 works when it arrives via a malicious email attachment:
- The spam email has no subject or message body, only a .zip attachment. That archive contains a second .zip file, which holds either a .js file or a Word document. Opening either one downloads the Sage 2.0 installer to a temporary folder.
- Once Sage 2.0 is installed, it stays dormant for a short period before copying itself to a hidden folder under a random eight-character name. That copy then launches a User Account Control (UAC) prompt, which keeps reappearing until the user clicks “Yes” and allows the file to execute. This marks the beginning of the search for targeted files. You can see the full list of targeted file types at the bottom of this article.
- When Sage 2.0 finds a targeted file, it encrypts the file with the ChaCha stream cipher, then renames it with the .sage extension. A ransom note is created in every folder that contains an encrypted file, and a scheduled task is created so that Sage 2.0 starts every time a user logs into Windows.
- The ransomware then deletes all Windows Volume Shadow Copies, which removes the easiest local recovery path, and attempts to identify the victim’s location by scanning for nearby wireless networks. It also displays a ransom note on the desktop demanding a $2,000 payment for the decryption key.
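The chain above gives a defender several host-side indicators to correlate. The following is an added triage script, not code from the article or from any of the researchers it cites. It parses a constructed, simplified key=value event format (not real Sysmon or EVTX output) and flags the behaviours the list describes: files renamed to a .sage extension, one note file dropped in every folder that received encrypted files, an eight-character randomly named copy of the executable, a logon-triggered scheduled task, and shadow copy deletion. The concrete commands (vssadmin, schtasks), the AppData drop location, the host names and the note file name RESTORE_FILES.hta are assumptions for the sample; the article does not name them.

```python
"""Host-side triage for the Sage 2.0 behaviour chain (added example)."""
import re
from collections import defaultdict
from ntpath import basename, dirname

# Constructed sample events, not captured from a real infection. ws01 shows
# the chain; ws02 is a benign backup job that must not be flagged.
SAMPLE_EVENTS = r"""
host=ws01 type=ProcessCreate image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.js"
host=ws01 type=FileCreate image=C:\Users\alice\AppData\Local\Temp\xg7k2m.exe target=C:\Users\alice\AppData\Roaming\hJ4kQ9aZ\hJ4kQ9aZ.exe
host=ws01 type=ProcessCreate image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn hJ4kQ9aZ /sc onlogon /tr C:\Users\alice\AppData\Roaming\hJ4kQ9aZ\hJ4kQ9aZ.exe"
host=ws01 type=FileRename image=C:\Users\alice\AppData\Roaming\hJ4kQ9aZ\hJ4kQ9aZ.exe target=C:\Users\alice\Documents\budget.xlsx.sage
host=ws01 type=FileCreate image=C:\Users\alice\AppData\Roaming\hJ4kQ9aZ\hJ4kQ9aZ.exe target=C:\Users\alice\Documents\RESTORE_FILES.hta
host=ws01 type=FileRename image=C:\Users\alice\AppData\Roaming\hJ4kQ9aZ\hJ4kQ9aZ.exe target=C:\Users\alice\Pictures\holiday.jpg.sage
host=ws01 type=FileCreate image=C:\Users\alice\AppData\Roaming\hJ4kQ9aZ\hJ4kQ9aZ.exe target=C:\Users\alice\Pictures\RESTORE_FILES.hta
host=ws01 type=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
host=ws02 type=FileRename image="C:\Program Files\Backup\backup.exe" target=D:\archive\2017-01.bak
host=ws02 type=ProcessCreate image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Backup /sc daily /tr C:\Backup\backup.exe"
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space chars.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in TOKEN.findall(line)}


def looks_like_random_copy(path):
    """Heuristic (assumption, not from the article): an eight-character
    alphanumeric .exe containing at least one digit, dropped under AppData.
    'explorer.exe' is eight letters, so the digit requirement keeps common
    system binaries out of this check."""
    stem, _, ext = basename(path).rpartition(".")
    return (ext.lower() == "exe" and len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and "\\appdata\\" in path.lower())


def event_indicators(ev):
    """Yield indicator names that a single event satisfies on its own."""
    kind, target = ev.get("type"), ev.get("target", "")
    cmd = ev.get("cmdline", "").lower()
    if kind == "FileRename" and target.lower().endswith(".sage"):
        yield "sage_extension"
    if kind == "FileCreate" and looks_like_random_copy(target):
        yield "random_copy"
    if kind == "ProcessCreate" and cmd.startswith("vssadmin") and "delete shadows" in cmd:
        yield "shadow_delete"
    if kind == "ProcessCreate" and cmd.startswith("schtasks") and "/create" in cmd and "onlogon" in cmd:
        yield "logon_task"


def triage(log_text, min_indicators=2):
    """Return {host: sorted indicator names} for hosts with >= min_indicators hits."""
    hits = defaultdict(set)
    encrypted_dirs = defaultdict(set)                  # host -> folders holding .sage files
    created = defaultdict(lambda: defaultdict(set))    # host -> file name -> folders it appeared in
    for line in log_text.splitlines():
        ev = parse_event(line)
        if "host" not in ev:
            continue
        host, target = ev["host"], ev.get("target", "")
        hits[host].update(event_indicators(ev))
        if ev.get("type") == "FileRename" and target.lower().endswith(".sage"):
            encrypted_dirs[host].add(dirname(target).lower())
        elif ev.get("type") == "FileCreate":
            created[host][basename(target).lower()].add(dirname(target).lower())
    # Per-folder ransom note: the same file name created in every folder that
    # received .sage files. Two or more folders are required so that a single
    # drop does not count.
    for host, dirs in encrypted_dirs.items():
        if len(dirs) >= 2 and any(dirs <= where for where in created[host].values()):
            hits[host].add("ransom_note_per_folder")
    return {h: sorted(i) for h, i in hits.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(found)}")
```

Requiring two independent indicators before alerting is the point of the correlation: a lone `.sage` rename or a lone shadow copy deletion (backup software does the latter legitimately) is noisy on its own, but the combination of several steps of this chain on one host within a short window is not.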
See this article for screenshots and more information on the payment process, network traffic, associated files, and more.
Sage 2.0 also generates encrypted post-infection traffic to over 7,000 IP addresses. The encryption sets this ransomware apart from other variants, which send their post-infection traffic in plain text.
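Because the callbacks are encrypted, payload inspection gives a network defender little; what stands out is one host contacting thousands of distinct addresses in a short time. The following is an added example of a sliding-window fan-out detector, not code from the article or from any of the researchers it cites. The flow records are constructed, the internal addresses are made up, and the window length and distinct-destination threshold are assumptions to be tuned per site (a real Sage 2.0 host would exceed this threshold by a wide margin, given the 7,000-plus addresses reported above).

```python
"""Fan-out detector for bursty many-destination callbacks (added example)."""
import ipaddress
from collections import Counter, defaultdict, deque


def fanout_alerts(flows, window_s=60, min_distinct=25):
    """flows: iterable of (epoch_seconds, src_ip, dst_ip) connection records.

    Returns a list of (src_ip, timestamp, distinct_destinations) for the
    first moment each source reaches min_distinct different destinations
    inside any window_s-second sliding window. window_s and min_distinct
    are assumed tuning values, not figures from the article."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    alerts = []
    for src, recs in by_src.items():
        recs.sort()
        window, counts = deque(), Counter()
        for ts, dst in recs:
            window.append((ts, dst))
            counts[dst] += 1
            # Drop records that have aged out of the window and stop counting
            # destinations that no longer appear in it.
            while window and window[0][0] < ts - window_s:
                old_ts, old_dst = window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            if len(counts) >= min_distinct:
                alerts.append((src, ts, len(counts)))
                break
    return alerts


def constructed_flows():
    """Constructed sample traffic (not a capture): 10.0.0.5 sprays 40 distinct
    TEST-NET-2 addresses in 30 seconds, while 10.0.0.6 makes the same number
    of connections to only three hosts, as ordinary browsing would."""
    base = 1485000000
    flows = []
    for i in range(40):
        flows.append((base + i * 0.75, "10.0.0.5",
                      str(ipaddress.IPv4Address("198.51.100.0") + i)))
        flows.append((base + i * 0.75, "10.0.0.6",
                      ["203.0.113.10", "203.0.113.11", "203.0.113.12"][i % 3]))
    return flows


if __name__ == "__main__":
    for src, ts, n in fanout_alerts(constructed_flows()):
        print(f"{src} reached {n} distinct destinations at t={ts}")
```

Counting distinct destinations rather than raw connections is what separates this pattern from a busy but normal host: 10.0.0.6 makes as many connections as 10.0.0.5 in the sample and is never reported.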
The good news about Sage 2.0 is that the email carrying the malicious attachment is easily stopped by many antivirus solutions. The bad news is that it is picking up steam and may be profitable enough to encourage criminals to modify it to work smarter against your defenses. Since it is now included in the two most popular exploit kits, we may start seeing Sage 3.0 soon.
If you would like more information on ransomware and Sage 2.0, check out these resources:
- Barracuda ransomware corporate site
- Barracuda malware detection site
- Slawek Ligier series on preventing and recovering from ransomware
- Ransomware on the Barracuda blog
- NoMoreRansom project
- Bleeping Computer