Sage 2.0 Ransomware

The Sage 2.0 Ransomware is an updated variant of the Sage Ransomware, a Trojan that locks your files behind an encryption cipher to collect ransom payments. Although free data recovery for threats of this type may be impossible, keeping backups on a non-local drive can give you options for restoring any content without paying a con artist. Anti-malware products also can delete the Sage 2.0 Ransomware before it installs itself through its confirmed infection vector of spam e-mails.

Sages Studying Up on How to Infect Your PC

In late 2016, the early versions of the Sage Ransomware were limited in supply. They were used in-browser exploits operating through the RIG Exploit Kit to install themselves onto vulnerable PCs through compromised websites. However, the threat industry moves at a fast pace. Already, malware analysts take note of a new version of the threat, the Sage 2.0 Ransomware, seemingly upgrading its distribution model for the sake of extorting money from its file-locking attacks.

The Sage 2.0 Ransomware uses the more traditional method of e-mail attachments, obfuscated through ZIP archives, to compromise new computers. The Trojan droppers are JavaScript and Word-based and conceal the Sage 2.0 Ransomware's main installation file in the Windows 'Temp' folder. Although malware experts can confirm the Sage 2.0 Ransomware as being a persistent threat that relaunches itself through scheduled task exploits, it accomplishes the bulk of its payload immediately after the install routine.

The Sage 2.0 Ransomware encrypts a list of hundreds of file formats, including highly specialized ones, as well as general-purpose ones like documents. It deletes the default Windows backups with a simple admin command and displays two types of ransom notes: a desktop wallpaper and an HTML text file. Both messages recommend paying a ransom for recovering your content through the Sage 2.0 Ransomware's Web decryption service, which uses the TOR Browser. At an equivalent of two thousand dollars, the Sage 2.0 Ransomware's campaign demands a payment that is among the highest malware experts have seen.

Protecting Yourself from a Wise Guy of a Trojan

Even though it infiltrates your PC in a new way, the Sage 2.0 Ransomware operates under most of the same principles guiding previous Sage Ransomware attacks. The cyber security industry has yet to discover free decryption solutions for this family and con artists may not provide any services after taking their ransoms (which, via Bitcoin, are non-refundable). Accordingly, having a backup that the Sage 2.0 Ransomware can't delete is highly valuable for keeping this Trojan's payload from holding the contents of your PC hostage.

The Sage 2.0 Ransomware doesn't uninstall itself and will restart with your PC. Before removing the Sage 2.0 Ransomware with an appropriate anti-malware product, boot your computer by using the Safe Mode feature or an external drive. Unfortunately, any encrypted files, while identifiable by their '.sage' extensions are irretrievable without the decryption key the Sage 2.0 Ransomware's authors are selling.

Since the Sage 2.0 Ransomware's threat actors have an appearance of non-negligible experience in their field, this campaign is likely to be just one of several for the near future. With the climbing rates of Trojan ransoms, backing up your files is becoming an increasingly inexpensive chore to ignore.

Technical Details