Users have begun to complain about a new ransomware threat that renders the files on infected computers unopenable. The virus is named Sage, and its primary goal is to extort users for the decryption of their files, which it encrypts after infection. The ransom demanded differs between infections: some websites report a sum of approximately 0.7 BTC, and we have seen a website related to it that demands 0.2 BTC. Anyone who has been infected by Sage ransomware is strongly advised not to pay any ransom and to focus on removing the virus and restoring the files using alternative file restoration methods.
| Short Description | The Sage ransomware encrypts your data and then displays a ransom message with instructions for payment. |
| Symptoms | Sage ransomware encrypts the files and adds the .sage file extension. A ransom note is dropped on the desktop with the following content. |
| Distribution Method | Spam emails, email attachments, malicious .xls files, .htm files, .js files, .ZIP archives |
Sage Virus – Distribution Strategy
To spread and infect users, Sage ransomware may use spam campaigns that distribute different types of files. These spam campaigns are aimed primarily at inexperienced users and may contain e-mail attachments as well as malicious web links that can cause an infection via several different methods:
- Via malicious macros.
- Via executables that are contained directly in an archive uploaded as an attachment.
After the user has opened the malicious Sage files, the ransomware performs several different activities to drop malicious files in important Windows folders like the following:
Sage Ransomware – Post-Infection Analysis
As soon as Sage ransomware has infected the user, the virus immediately modifies the registry entries of the affected computer. To do this, Sage may modify the following Windows registry keys:
Besides the Run and RunOnce keys, which make its malicious executables run and encrypt files on Windows startup, the Sage virus may also make other modifications on compromised machines, such as adding value strings in keys that change the wallpaper, dropping files on the desktop and opening them, and others.
To encrypt user files, the Sage virus uses the AES encryption algorithm. The cipher is used solely to encrypt blocks of data within the targeted file. This encryption procedure is enough to render a file no longer openable. For the encryption, Sage ransomware attacks files that are:
- Audio files.
- Files related to Microsoft Office documents.
- Adobe Reader files.
- Database files.
- Virtual drives.
As soon as Sage ransomware has performed the encryption, it adds the .sage file extension to the encrypted files. When this has been done, the files look like the following:
After encryption, Sage ransomware drops a very large ransom note telling the user to open its website, which in turn displays the following message:
The website of Sage ransomware also includes detailed instructions on how to convert money into Bitcoin and use it to make the ransom payment.
In addition, similar to Cerber ransomware, Sage also offers decryption of 1 file for free as "customer support".
Remove Sage Ransomware and Restore Encrypted Files
To completely remove Sage ransomware, we urge you to follow the removal instructions below. If you have difficulties removing the virus from your computer manually, experts recommend removing it automatically by downloading and installing an advanced malware removal program, which will take care of this threat for you. The instructions also include alternative file restoration methods in step “2. Restore files encrypted by Sage” below. We advise you to back up the encrypted files before testing those tools, since they may damage them. Also, bear in mind that those methods are not 100% effective, but they may partially work for you.
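The backup step advised above, as an added example (not part of the original article or of any removal tool): a Python script that copies every `.sage` file to a separate location with relative paths preserved and records SHA-256 hashes, so that damage done by a restoration tool can be detected afterwards. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

EXT = ".sage"  # extension the article says Sage adds to encrypted files

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def backup_encrypted(root: Path, dest: Path) -> dict[str, str]:
    """Copy every *.sage file under root into dest; return {rel path: SHA-256}."""
    root, dest = root.resolve(), dest.resolve()
    manifest = {}
    for src in sorted(root.rglob("*")):
        # Skip directories, symlinks, and anything already inside the backup.
        skip = src.is_symlink() or not src.is_file() or dest in src.parents
        if skip or src.suffix.lower() != EXT:
            continue
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy, never move: originals stay in place
        manifest[rel.as_posix()] = sha256_of(target)
    return manifest

def changed_since(root: Path, manifest: dict[str, str]) -> list[str]:
    """List manifest entries whose original is now missing or has other bytes."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]

def demo() -> tuple[dict[str, str], list[str]]:
    """Run on a constructed tree in a temp dir (sample data, not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp, "user"), Path(tmp, "backup")
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.docx.sage").write_bytes(b"constructed-1")
        (root / "song.mp3.SAGE").write_bytes(b"constructed-2")
        (root / "notes.txt").write_bytes(b"not encrypted")
        manifest = backup_encrypted(root, dest)
        (root / "song.mp3.SAGE").write_bytes(b"damaged")  # simulated tool damage
        return manifest, changed_since(root, manifest)
```

Point `dest` at a drive other than the affected one, and run `changed_since` after each restoration attempt to see which originals were altered.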
Manually delete Sage from your computer
Note! Important notice about the Sage threat: manual removal of Sage requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.