Sage Virus – Remove It and Restore .Sage Files

This article was created to help users remove the .Sage file virus and try to restore files AES-encrypted by Sage ransomware for free.

Users have begun to complain about a new ransomware threat on the loose that can render the files on the computers it infects unopenable. The virus is named Sage and its primary goal is to extort users for the decryption of their files, which the virus scrambles after infecting. The virus demands a different sum for each infection. Some websites report that it asks for approximately 0.7 BTC, and we have seen a website related to it which demands 0.2 BTC. Anyone who has been infected by Sage ransomware is strongly advised not to pay any ransom amount and to focus on removing the virus and restoring the files using alternative file restoration methods.

UPDATE! Sage 2.2 ransomware released. More information:
Sage 2.2 Ransomware (Restore .sage Virus Files)

Threat Summary

Name: Sage
Type: Ransomware, Cryptovirus
Short Description: The Sage ransomware encrypts your data and then displays a ransom message with instructions for payment.
Symptoms: Sage ransomware encrypts the files and adds the .sage file extension. A ransom note is dropped on the desktop with the following content.
Distribution Method: Spam emails, email attachments, malicious .xls files, .htm files, .js files, .ZIP archives
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Sage Virus – Distribution Strategy

In order to spread and infect users, Sage ransomware may use spam campaigns that distribute different types of files. These spam campaigns are focused primarily on inexperienced users and may contain e-mail attachments as well as malicious web links that may cause an infection via several different methods:

  • Via malicious JavaScript.
  • Via malicious macros.
  • Via executables that are contained directly in an archive uploaded as an attachment.

After the user has opened the malicious Sage files, the ransomware performs several different activities to drop malicious files in important Windows folders like the following:

  • %AppData%
  • %Roaming%
  • %Local%
  • %SystemDrive%

Sage Ransomware – Post-Infection Analysis

As soon as Sage ransomware has infected the user, the virus immediately modifies the registry entries of the affected computer. To do this, Sage may target the following Windows registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Besides the Run and RunOnce keys, which make its malicious executables run and encrypt files on Windows startup, the Sage virus may also make other modifications on compromised machines, such as adding value strings in keys that change the wallpaper, and dropping files on the desktop and opening them.
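A read-only way to review the four Run and RunOnce keys listed above, added here as an example and not taken from the original article or from any vendor tool. The "user-writable folder" heuristic, the `$watch` list and the helper name `Get-AutorunTarget` are assumptions made for illustration; they are not Sage-specific indicators.

```powershell
# Added example: review the four Run/RunOnce keys named in the article.
# The "user-writable folder" heuristic is an assumption, not a Sage signature;
# legitimate software (updaters, chat clients) also starts from AppData.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Profile folders of the current user that need no admin rights to write to.
$watch = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-AutorunTarget([string]$Command) {
    # Quoted path if present, else the first whitespace-delimited token
    # (unquoted paths containing spaces are therefore truncated).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+', 2)[0]
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $raw = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $cmd = [Environment]::ExpandEnvironmentVariables($raw)
        $target = Get-AutorunTarget $cmd
        $onDisk = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $raw
            # Match anywhere in the command so "rundll32 <path in AppData>" is caught.
            UserWritable = [bool]($watch | Where-Object {
                $cmd.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
            OnDisk       = $onDisk
            Signature    = if ($onDisk) {
                (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
        }
    }
}

# Review candidates first; nothing is deleted or modified by this script.
$results | Sort-Object UserWritable -Descending |
    Format-List Key, Name, Command, UserWritable, OnDisk, Signature
```

Entries with `UserWritable` set to True and a signature status other than `Valid` are the ones to examine first. The HKCU keys and the watched folders belong to the account running the script, so repeat it for each user profile on the machine.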

To encrypt user files, the Sage virus uses the AES encryption algorithm. The cipher is used solely to encrypt blocks of data within the targeted file. This encryption procedure is enough to render a file no longer openable. For the encryption, Sage ransomware attacks files that are:

  • Videos.
  • Audio files.
  • Files, related to Microsoft Office documents.
  • Adobe Reader files.
  • Images.
  • Database files.
  • Virtual drives.

As soon as Sage ransomware has performed the encryption, it adds the .sage file extension to the encrypted files. When this has been done, the files look like the following:

After encryption, Sage ransomware drops a very large ransom note telling the user to open its website, which in turn has the following message:

The website of Sage ransomware also includes detailed instructions on how to convert money into Bitcoin and use it to make the payment.

Not only this, but similar to Cerber ransomware, Sage also offers decryption of 1 file for free as customer support.

Remove Sage Ransomware and Restore Encrypted Files

In order to completely remove Sage ransomware, we urge you to follow the removal instructions below. In case you are having difficulties in manually removing the virus from your computer, experts recommend deleting it automatically by downloading and installing an advanced malware removal program, which will take care of this threat for you. The instructions also include alternative file restoration methods in step “2. Restore files encrypted by Sage” below. We advise you to back up the encrypted files before testing those tools, since they may damage them. Also, bear in mind that those methods are not 100% effective, but they may partially work for you.

Manually delete Sage from your computer

Note! Substantial notification about the Sage threat: Manual removal of Sage requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Sage files and objects
2. Find malicious files created by Sage on your PC

Automatically remove Sage by downloading an advanced anti-malware program

1. Remove Sage with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Sage
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
