Sage Ransomware

Posted: December 5, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	2,647

First Seen:	December 5, 2016
Last Seen:	October 22, 2024
OS(es) Affected:	Windows

The Sage Ransomware is a Trojan that encrypts your files so that you can't open them and, then, delivers instructions on paying its threat actors to get access to the decryptor. If not blocked by security software before its most visible symptoms appear, this threat may cause permanent file damage. Malware experts recommend having anti-malware tools for quarantining or removing the Sage Ransomware, and backups for recovering from worst-case scenarios.

The Flavor Your Files Don't Need

Just as legal businesses know that ease of use and consumer comfort affects spending habits, con artists also try their best to lubricate the act of transferring money. This repeating theme is one that malware analysts find in different threat campaigns expressing itself through attacks like timer-based warnings, such as the Sage Ransomware's pop-up. However, these strategies also have the support of causing real damage to the files on your computer.

Confirmation is underway for which infection methods the Sage Ransomware uses for installing itself, although the Trojan doesn't exhibit any traits that would let it spread without assistance from a third-party. Common exploits for spreading threats of the same category include spam e-mails disguising themselves as work documentation and manual attacks against network accounts with easily hacked passwords. Once the victim or threat actor installs it, the Sage Ransomware begins scanning for files that it can lock through an encryption cipher.

Malware analysts verified the Sage Ransomware targeting files including formats such as XLS spreadsheets and JPG images. After blocking these data types, which may or may not have their names modified, the Sage Ransomware displays two messages to its victims in a wallpaper image and an HTML pop-up.

This second message includes most of the Sage Ransomware's notable features through its Web infrastructure: detailed guidelines on how to pay Bitcoins, a live countdown, and warnings about failures to pay incurring increases in the ransom fee. Since the Sage Ransomware's decryption service requires a separate download, con artists may not provide it after taking their money necessarily, and the use of Bitcoins prevents the victim from canceling the payment.

Getting Rid of that Dash of the Sage

The Sage Ransomware uses a streamlined Web interface to tempt its victims into paying ransoms for potentially no file recovery, which is becoming increasingly common with file-encrypting Trojan campaigns run by experienced threat actors. Although malware experts discourage relying on local backups to nullify the damages of threats like the Sage Ransomware, most backups stored on non-local drives not directly accessible by the Trojan should be safe. To date, only a handful of Trojans are verifiable for targeting cloud services, and no threat can target any removable devices left detached until after you disinfect your PC.

Third parties in the PC security industry speculate that the Sage Ransomware may be the product of recycling from the code of the TeslaCrypt Ransomware project. While malware experts can't confirm this potential lead, victims are welcome to attempt using decryptors for that family, if no other file recovery options are practical. The use of decryption solutions never should impact the actual deletion of the Sage Ransomware beforehand through appropriate anti-malware tools.

Countdowns and escalating expenses are socially manipulative tools that both legal and illegal capitalistic ventures use for manipulating their customers. Failing to fall for upfront cons like the Sage Ransomware's pop-up is both a matter of questioning warnings from con artists and taking the right steps to keep your computer safe in advance.
[

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe

File name: file.exe
Size: 287.87 KB (287872 bytes)
MD5: c167732d2390deb95b081c97caf23cc2
Detection count: 90
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

dir\name.exe

File name: name.exe
Size: 360.53 KB (360538 bytes)
MD5: 5c57696e646f776563757465646e6465
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Path: dir
Group: Malware file
Last Updated: February 1, 2017

%APPDATA%\f1.hta

File name: f1.hta
Size: 102.11 KB (102119 bytes)
MD5: 22dda250b1f467bdc19d4075c9da1327
Detection count: 23
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%USERPROFILE%\Start Menu\Programs\Startup\!HELP_SOS.hta

File name: !HELP_SOS.hta
Size: 102.11 KB (102119 bytes)
MD5: b339f1cdfd77aeb604727798e33af202
Detection count: 21
Mime Type: unknown/hta
Path: %USERPROFILE%\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\bSgt9RXM.exe

File name: bSgt9RXM.exe
Size: 106.5 KB (106508 bytes)
MD5: cdf028573073e55ee536cd748dcd064e
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: December 5, 2016

More files

Registry Modifications

The following newly produced Registry Values are:

File name without path!HELP_SOS.htaRegexp file mask%APPDATA%\f[NUMBERS].hta