January 24, 2017

Back in December 2016, a member posted a forum support topic regarding a new ransomware called Sage, which is a variant of the CryLocker infection. At the time, little was known about it, and its distribution seemed small, as few victims were reporting infections.

Looking back at the topic, though, the fact that security researcher Kafeine had posted that it was being distributed by the RIG exploit kit should have tipped me off that it may be something bigger than we thought.

Fast forward a little over a month to January 21st, when ISC Handler and security researcher Brad Duncan posted a new ISC diary entry. In it, Brad discussed how a new ransomware called Sage 2.0 is now being distributed via SPAM emails. What is even more disconcerting is that the current Sage 2.0 distributor also appears to be one of the actors we commonly see distributing Cerber, Locky, and now Spora. This means there is a good chance that distribution of the Sage 2.0 ransomware will increase in the future.

For those who need support or wish to discuss this ransomware, you can do so in our Sage Ransomware Help & Support Topic.

How is the Sage 2.0 Ransomware Infecting Victims?

Brad observed that Sage 2.0 is infecting victims through SPAM emails with no subject that contain ZIP attachments with names like EMAIL_[random_numbers] or just [random_numbers].zip. This ZIP file contains a second ZIP, which in turn contains either a JS file or a Word document.

An example of a SPAM email can be seen below.

[Image: Sage 2.0 SPAM Email]

The JS and malicious Word docs both contain obfuscated scripts that download the Sage 2.0 installer to the %Temp% folder using a URL like [hostname]/read.php?f=0.dat or [hostname]/user.php?f=0.dat.

[Image: Obfuscated JS Downloader]

[Image: Malicious Word Document Downloader]

The malicious script will then automatically launch the ransomware, which is described in the next section.
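The delivery pattern above (a ZIP attachment named EMAIL_[numbers] or [numbers].zip holding a second ZIP that holds a JS file or Word document) is something a mail gateway can check for before the attachment reaches a user. The following is an added example, not code from the article or from Brad Duncan's diary; the payload extension list and the assumption that the outer attachment name ends in .zip are mine, and the sample attachment is constructed in memory with a dummy script so it runs offline.

```python
# Added example: detect the double-ZIP attachment layout used to deliver Sage 2.0.
import io
import re
import zipfile

# Attachment names from the campaign: EMAIL_[random_numbers] or [random_numbers].zip
# (assumption: the EMAIL_ variant also carries a .zip extension, so it is optional here)
ATTACHMENT_NAME = re.compile(r"^(EMAIL_)?\d+(\.zip)?$", re.IGNORECASE)
# Inner payload types described in the article (JS downloader or Word document);
# .jse and .docm are added as an assumption covering common variants of the same types.
PAYLOAD_EXT = (".js", ".jse", ".doc", ".docm")


def nested_payloads(zip_bytes: bytes) -> list:
    """Return 'outer.zip/inner.ext' names of suspicious files inside ZIPs nested in zip_bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            if not name.lower().endswith(".zip"):
                continue  # only the nested-ZIP layout is of interest here
            try:
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    for inner_name in inner.namelist():
                        if inner_name.lower().endswith(PAYLOAD_EXT):
                            found.append(f"{name}/{inner_name}")
            except zipfile.BadZipFile:
                continue  # member named .zip but not a valid archive
    return found


def is_sage_style_attachment(filename: str, zip_bytes: bytes) -> bool:
    """True when both the attachment name and the double-ZIP contents match the pattern."""
    return bool(ATTACHMENT_NAME.match(filename)) and bool(nested_payloads(zip_bytes))


def build_sample() -> bytes:
    """Construct a harmless double-ZIP with a dummy .js inside (sample data, not malware)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_12345.js", "// placeholder script body\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("56789.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(nested_payloads(sample))                                  # ['56789.zip/invoice_12345.js']
    print(is_sage_style_attachment("EMAIL_1234567.zip", sample))    # True
```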

How Sage 2.0 Ransomware Encrypts a Victim's Files

Using the samples provided by Brad Duncan, I was able to analyze how the ransomware encrypts a victim's computer. When the Sage 2.0 ransomware is downloaded and executed, it sleeps for a short period of time and then copies itself to the C:\Users\[loginname]\AppData\Roaming folder under a random 8-character name. This new file is then executed, which causes a User Account Control, or UAC, prompt to be displayed as shown below.

[Image: UAC Prompt for Sage 2.0]

When this file is launched, it begins searching the drive for targeted file types to encrypt. When it detects a targeted file, it encrypts it and then appends the .sage extension to the file name. For example, a file named test.jpg would be encrypted as test.jpg.sage. The encryption algorithm used to encrypt the files is currently being analyzed by Fabian Wosar of Emsisoft, but at first glance it does not appear to use AES.

Examples of encrypted files can be seen below and a list of targeted extensions, which were provided by Fabian, can be found at the end of this article.

[Image: Sage 2.0 Encrypted Files]

In each folder where a file is encrypted, it also creates a ransom note with a name similar to !Recovery_[3_random_chars].html.
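The two filesystem artifacts just described, files renamed with a .sage extension and a !Recovery_[3 chars].html note in every affected folder, are what an incident responder scopes an infection by. The script below is an added example (not from the article) that walks a tree and tallies both per folder; it assumes the three random characters are alphanumeric, and the sample directory it scans is constructed in a temp folder so it runs anywhere.

```python
# Added example: scope a Sage 2.0 infection by its .sage files and !Recovery_XXX.html notes.
import os
import re
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".sage"
# Ransom note naming from the article: !Recovery_ + 3 random chars + .html
# (assumption: the random characters are alphanumeric)
RANSOM_NOTE = re.compile(r"^!Recovery_[A-Za-z0-9]{3}\.html$", re.IGNORECASE)


def scope_sage_infection(root: str) -> dict:
    """Return {folder: {"encrypted": n, "notes": m}} for folders holding Sage 2.0 artifacts."""
    hits = defaultdict(lambda: {"encrypted": 0, "notes": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"] += 1
            elif RANSOM_NOTE.match(name):
                hits[dirpath]["notes"] += 1
    return dict(hits)


def summarize(hits: dict) -> dict:
    """Roll the per-folder tallies up into totals for a quick report."""
    return {
        "folders": len(hits),
        "encrypted_files": sum(h["encrypted"] for h in hits.values()),
        "ransom_notes": sum(h["notes"] for h in hits.values()),
    }


def build_sample_tree() -> str:
    """Construct a throwaway directory mimicking the post-encryption layout (sample data)."""
    root = tempfile.mkdtemp(prefix="sage_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("test.jpg.sage", "budget.xlsx.sage", "!Recovery_Ab3.html"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "readme.txt"), "w").close()  # untouched file, must not count
    return root


if __name__ == "__main__":
    hits = scope_sage_infection(build_sample_tree())
    print(summarize(hits))  # {'folders': 1, 'encrypted_files': 2, 'ransom_notes': 1}
```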

What is unusual for this ransomware is that it also adds persistence, through a randomly named scheduled task as seen below, so that the infection starts every time a user logs into Windows.

[Image: Scheduled Task to Launch Sage 2.0 on Login]

The ransomware will then delete the Windows Shadow Volume Copies so that they cannot be used to recover encrypted files. It does this by using the following command:

Furthermore, like its predecessor CryLocker, Sage 2.0 continues to use the Google Maps API and SSIDs of nearby wireless networks to determine the location of the victim.

Finally, the ransomware will display the ransom note and add the text of the ransom note to the Windows desktop background.

[Image: Sage 2.0 Ransom Note]

This ransom note contains the victim's unique ID and links to the payment sites where a victim can pay the ransom. Information about this payment site is detailed in the next section.

The Sage 2.0 Ransomware User Area Payment Site

Sage 2.0 utilizes a TOR payment site called the Sage 2.0 User Area or User Cabinet. This payment site contains information as to what happened to the victim's files and payment instructions on how to purchase the decryption key. Currently, the ransom payment is set to ~$2,000 USD or 2.14 bitcoins. This amount doubles, though, if the ransom is not paid within 7 days.

An example of this payment site can be seen below.

[Image: Sage 2.0 User Area Payment System]

The Sage 2.0 User Area site also contains a payment instructions page, which provides a brief tutorial on how to purchase bitcoins and pay the ransom. It also contains the ransom amount and the bitcoin address that the payment must be sent to.

[Image: Sage 2.0 User Area Payment Instructions]

On the payment site is also a support page that a victim can use to contact the ransomware developers.

[Image: Sage 2.0 User Area Support Page]

Last, but not least, there is a page that provides instructions on how to download the Sage2Decrypter.exe and use it to decrypt a victim's files after they have paid the ransom.

[Image: Sage 2.0 User Area Decryption Instructions]

Unfortunately, at this time there is no way to decrypt Sage 2.0 encrypted files for free.

Files associated with the Sage 2.0 Ransomware

Registry Entries Associated with the Sage 2.0 Ransomware

File Extensions Targeted by the Sage 2.0 Ransomware

Network Communication

Hashes

Sage 2.0 Ransom Note Text