Sage 2.2 The New Variant Of Crylocker

Sage is another ransomware family that has become a common threat. Like Spora, it can encrypt files offline, so no contact with its operators is needed before encryption begins. The malware is actively developed, and we are currently facing an outbreak of version 2.2.

It arrives via emails that often have no subject line and no message body, only a zip file attachment whose contents carry malicious macros that download and execute the installer.

The installer copies its executable into the user's AppData\Roaming directory and creates a scheduled task so that the ransomware runs every time the user logs in to Windows. It also deletes any backups held as Windows Volume Shadow Copies.

Execution of the installer depends on the user accepting a User Account Control (UAC) prompt that authorises it to run. Targeted files are encrypted and given the .sage extension, and a ransom note is created in the same directory as the encrypted files.

If a computer on your network becomes infected with this ransomware, it will begin encrypting files on the local machine and on any network location the logged-in user has permission to access. For system administration accounts this may include backup storage locations.
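As an added illustration (my own PowerShell, not code from the original post or from any vendor), here is a read-only hunt for the artefacts described in the preceding paragraphs: a scheduled task that launches something from AppData\Roaming, files renamed with the .sage extension, the !HELP_SOS.hta ransom note, and the absence of Volume Shadow Copies. The indicators are taken from this post; the function name, parameter and output layout are my own assumptions, and the script changes nothing on the host.

```powershell
# Added example (not from the original post): a read-only hunt for the Sage 2.2
# behaviours described above. Indicators are from the post; the function and
# parameter names are assumptions of this example.

function Invoke-SageHunt {
    [CmdletBinding()]
    param(
        # Directory trees to search for encrypted files and ransom notes.
        # Empty means: all user profiles plus every mapped network drive,
        # since the post notes that reachable network locations are hit too.
        [string[]]$Roots = @()
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Persistence: any scheduled task whose action runs something from a
    #    per-user AppData\Roaming directory (the installer drops itself there
    #    and registers a task that fires at logon).
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match '\\AppData\\Roaming\\') {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
            }
        }
    }

    # 2. Encryption artefacts: *.sage files and !HELP_SOS.hta ransom notes.
    if ($Roots.Count -eq 0) {
        $mapped = @(Get-PSDrive -PSProvider FileSystem |
            Where-Object { $_.DisplayRoot -like '\\*' } |
            ForEach-Object { $_.Root })
        $Roots = @("$env:SystemDrive\Users") + $mapped
    }
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue `
            -Include '*.sage', '!HELP_SOS.hta' |
            ForEach-Object {
                $kind = if ($_.Name -ieq '!HELP_SOS.hta') { 'RansomNote' } else { 'EncryptedFile' }
                Add-Finding $kind $_.FullName
            }
    }

    # 3. Backups: Sage deletes Volume Shadow Copies, so an empty list on a host
    #    that normally has System Protection enabled is itself a signal.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        Add-Finding 'ShadowCopies' 'No Volume Shadow Copies present'
    }

    return ,$findings   # leading comma returns the list as a single object
}

# Usage: run from an elevated prompt on the suspect host.
$result = Invoke-SageHunt
if ($result.Count -eq 0) { 'No Sage 2.2 indicators found.' }
else { $result | Format-Table -AutoSize }
```

Run it elevated so that the task scheduler, other users' profiles and the shadow copy list are all readable. A scheduled task pointing into AppData\Roaming is not proof of infection on its own (some legitimate installers do the same), so treat that finding as a lead to confirm by checking the target executable, whereas .sage files or the ransom note are conclusive.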

Sage is not the first malware family to leverage the Windows kernel vulnerability introduced in CVE-2015-0057.

When encryption finishes, the desktop wallpaper is changed. In version 2.2 the wallpaper looks very similar to the 2.0 one, except that the font is green instead of red.

At the end of execution, the ransom note !HELP_SOS.hta opens automatically.

For more information see – https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
