January 24, 2017

This material is made to help you remove the Sage 2.0 ransomware virus version 2.0 and try and decrypt .sage encrypted files.

A second version of the Sage ransomware has come out in the open, after the first iteration was spotted back in December. This virus has been reported to be an evolved version of CryLocker ransomware. The Sage 2.0 ransomware virus spreads via malicious spam campaigns via different types of files and it performs heavy modification on infected system, besides encrypting it’s important files possibly with the AES encryption algorithm. For a ransom, the Sage ransomware virus wants the user to pay the large sum of 2.2 BTC or approximately 2000 dollars. If you have been infected by Sage ransomware, we urge you to read the following article and learn more about Sage ransomware, how to remove it and try decrypting the files.
sage ransomware3Sage Ransomware – Malspam and Infection Process

The Distribution and Malspam

In order for Sage ransomware to cause a successful infection, the virus uses a combination of the whole two malicious spam techniques – spammed JavaScript file that downloads and installs the virus and a Word document with malicious macros. The files usually contain completely randomly generated names and they are archived in a .ZIP file. Sometimes Sage ransomware sends double zipped files (.zip in a .zip) to avoid detection, according to Brad Duncan at The names of the zip files may be as the below-mentioned example displays:

malicious zip file sage ransomware sensorstechforum

One of the malicious files that may be contained in those zip files is a Word document with embedded malicious macros inside of it, that may be named something like 188241.doc. The document displays a coded messages and prompts to enable macros to decode it. Once the user enables them, the malicious script connects to the remote server of the cyber-criminals and downloads Sage ransomware on the computer:

ransomware infection macro payload download sensorstechforum 768x480
Relatively the same process is conducted with the malicious JavaScript file. After the user opens it in the archive the infection takes place in the rather same manner:
malicous js file infection sensorstechforum 768x455

At the moment of the Infection, Windows displays a User Account Control Windows which asks the user to click on Yes and does not close until this happens.

user account control sage 2

Sage Ransomware – Post-Infection and Encryption

After this has been done, the virus begins encrypting files. With the help of several commands and pre-configured code, Sage is able to render videos, music, pictures, audio files and others, completely non-openable. To make it’s presence known, this virus also appends the .sage file extension to those encrypted files, just like it’s previous version did:
sage ransomware encrypted picture file extension decrypt sage sensorstechforum com
The virus also drops it’s .HTML ransom note, named !Recovery_{random 3 letters}.html. It looks like the following:

sage ransomware recovery file sensorstechforum

Sage ransomware does not end the terror there. Malware researchers report it to also change the wallpaper of the user to further scare him. The wallpaper is very similar to the 1st version’s wallpaper:
sage ransomware 1st version sensorstechforum
The difference is in the actual text message, which is the following:
sage ransomware1

Sage ransomware does not self-delete. Instead, the virus creates an executable file with a completely random name in the %Roaming% directory.

After the user opens the URL in the ransom instructions, he is led to the original Sage 2.0 web-page, which has the same well-crafted design, just like the 1.0 version had:
sage ransomware wallpaper sensorstechforum 2.0
The virus even threatens the user that if in approximately 7 days the ransom is not paid, the price for the important files will double to 2000 dollars.

Remove Sage 2.0 Ransomware and Restore .sage Encrypted Files

Despite that Sage 2.0 may tempt you to pay the ransom, malware researchers advise not paying any form of ransom. The primary reason for this is that the criminals of this virus may not return your files and in addition to this, you support their virus to continue spreading. Instead, advices are to focus on removing the malware and saving the encrypted files whilst trying alternative methods, like the ones in step “Restore files encrypted by Sage 2.0 below”. For all of this information, you may want to refer to the removal instructions below. They are divided in Manual (for experienced in malware removal) and Automatic (recommended) removal instructions. Advices are to use an advanced anti-malware tool which will focus on performing multiple different processes which will eliminate all of the objects created by Sage 2.0 Ransomware automatically.

Manually delete Sage 2.0 from your computer
sage ransomware2

 News Courtesy :