January 24, 2017
Back in December 2016, a member posted a forum support topic regarding a new ransomware called Sage, which is a variant of the CryLocker infection. At the time, there was not much known about it and its distribution seemed small as not a lot of victims were reporting being affected by it.
Looking back at the topic, though, since security researcher Kafeine posted and stated that it was being distributed by the RIG exploit kit, it should have tipped me off that it may be something bigger than we thought.
Fast forward a little over a month later to January 21st when ISC Handler and security researcher Brad Duncan posted a new ISC diary entry. In his diary entry, Brad discussed how a new ransomware called Sage 2.0 is now being distributed via SPAM emails. What is even more disconcerting is that the current Sage 2.0 distributor also appears to be one of the actors that we commonly see distributing Cerber, Locky, and now Spora. This means that there is a good potential that there may be an increased distribution of the Sage 2.0 ransomware in the future.
For those who need support or wish to discuss this ransomware, you can do so in our Sage Ransomware Help & Support Topic.
How is the Sage 2.0 Ransomware Infecting Victims?
Brad observed that Sage 2.0 is infecting victims through SPAM emails with no subject, but that contain ZIP attachments with names like EMAIL_[random_numbers]_recipient.zip or just [random_numbers].zip. This zip file would contain a further zip that contains either a JS file or a word document.
An example of a SPAM email can be seen below.
Sage 2.0 SPAM Email
The JS and Malicious Word docs both contain obfuscated scripts that will download the Sage 2.0 installer to the %Temp% folder using an URL like [hostname]/read.php?f=0.dat or [hostname]/user.php?f=0.dat.
Obfuscated JS Downloader Malicious Word Document Downloader
The malicious script will then automatically launch the ransomware, which is described in the next section.
How Sage 2.0 Ransomware Encrypts a Victim's Files
Using the samples provided by Brad Duncan, I was able to analyze how the ransomware encrypt a victim's computer. When the Sage 2.0 ransomware is downloaded and executed it, it will sleep for a short period of time and then copy itself to the C:\Users\[loginname]\AppData\Roaming folder as a random 8 character name. This new file is then executed, which will cause a User Account Control, or UAC, prompt to be displayed as shown below.
UAC Prompt for Sage 2.0
When this file is launched, it will begin the process of searching the drive for targeted file types to encrypt. When it detects a targeted file, it will encrypt it and then append the .sage extension to the file name. For example, a file named test.jpg would be encrypted as test.jpg.sage The encryption algorithm used to encrypt the files is currently being analyzed by Fabian Wosar of Emsisoft, but at first glance does not appear to use AES.
Examples of encrypted files can be seen below and a list of targeted extensions, which were provided by Fabian, can be found at the end of this article.
Sage 2.0 Encrypted Files
In each folder that a file is encrypted, it will also create a ransom note that has a name similar to !Recovery_[3_random_chars].html in each folder that a file was encrypted.
What is unusual for this ransomware, is that it will also add persistence so that the infection starts every time a user logs into Windows through a random named scheduled task as seen below.
Scheduled Task to Launch Sage 2.0 on Login
The ransomware will then delete the Windows Shadow Volume Copies so that they cannot be used to recover encrypted files. It does this by using the following command:
Furthermore, like its predecessor CryLocker, Sage 2.0 continues to use the Google Maps API and SSIDs of nearby wireless networks to determine the location of the victim.
Finally, the ransomware will display the ransom note and add the text of the ransom note to the Windows desktop background.
Sage 2.0 Ransom Note
This ransom note contains the victim's unique ID and links to the payment sites where a victim can pay the ransom. Information about this payment site is detailed in the next section.
The Sage 2.0 Ransomware User Area Payment Site
Sage 2.0 utilizes a TOR payment sites called the Sage 2.0 User Area or User Cabinet. This payment site will contain information as to what happened to the victims files and payment instructions on how to purchase the decryption key. Currently, the ransomware payment is set to ~$2,000 USD or 2.14 bitcoins. This amount doubles, though, if the ransom is note paid within 7 days.
An example of this payment site can be seen below.
Sage 2.0 User Area Payment System
Click to see Larger Image
The Sage 2.0 User Area site also contains a payment instructions page, which provides a brief tutorial on how to purchase bitcoins and pay the ransom. It also contains the ransom amount and the bitcoin address that the payment must be sent to.
Sage 2.0 User Area Payment Instructions
Click to see Larger Image
On the payment site is also a support page that a victim can use to contact the ransomware developers.
Sage 2.0 User Area Support Page
Last, but not least, there is a page that provides instructions on how to download the Sage2Decrypter.exe and use to decrypt a victim's files after they have paid the ransom.
Sage 2.0 User Area Decryption Instructions
Unfortunately, at this time there is no way to decrypt Sage 2.0 encrypted files for free.
Files associated with the Sage 2.0 Ransomware
Registry Entries Associated with the Sage 2.0 Ransomware
File Extensions Targeted by the Sage 2.0 Ransomware
Sage 2.0 Ransom Note Text
News Courtesy : https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/