.Sage 2.0 File Virus (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.Sage 2.0 File Virus (Restore Files)


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Sage 2.0 and other threats.
Threats such as Sage 2.0 may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This material is made to help you remove the Sage 2.0 ransomware virus version 2.0 and try and decrypt .sage encrypted files.

A second version of the Sage ransomware has come out in the open, after the first iteration was spotted back in December. This virus has been reported to be an evolved version of CryLocker ransomware. The Sage 2.0 ransomware virus spreads via malicious spam campaigns via different types of files and it performs heavy modification on infected system, besides encrypting it’s important files possibly with the AES encryption algorithm. For a ransom, the Sage ransomware virus wants the user to pay the large sum of 2.2 BTC or approximately 2000 dollars. If you have been infected by Sage ransomware, we urge you to read the following article and learn more about Sage ransomware, how to remove it and try decrypting the files.

Threat Summary

NameSage 2.0
TypeRansomware, Cryptovirus
Short DescriptionThe Sage ransomware encrypts your data and then displays a ransom message with instructions for payment.
SymptomsSage ransomware encrypts the files and adds the .sage file extension. A ransom note is dropped on the desktop with the following content.
Distribution MethodSpam Emails, Email Attachments, malicious .xls files, .htm Files, .js files, .ZIP archives
Detection Tool See If Your System Has Been Affected by Sage 2.0


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Sage 2.0.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Sage Ransomware – Malspam and Infection Process

The Distribution and Malspam

In order for Sage ransomware to cause a successful infection, the virus uses a combination of the whole two malicious spam techniques – spammed JavaScript file that downloads and installs the virus and a Word document with malicious macros. The files usually contain completely randomly generated names and they are archived in a .ZIP file. Sometimes Sage ransomware sends double zipped files (.zip in a .zip) to avoid detection, according to Brad Duncan at malware-traffic-analysis.net. The names of the zip files may be as the below-mentioned example displays:

One of the malicious files that may be contained in those zip files is a Word document with embedded malicious macros inside of it, that may be named something like 188241.doc. The document displays a coded messages and prompts to enable macros to decode it. Once the user enables them, the malicious script connects to the remote server of the cyber-criminals and downloads Sage ransomware on the computer:

Relatively the same process is conducted with the malicious JavaScript file. After the user opens it in the archive the infection takes place in the rather same manner:

At the moment of the Infection, Windows displays a User Account Control Windows which asks the user to click on Yes and does not close until this happens.

Sage Ransomware – Post-Infection and Encryption

After this has been done, the virus begins encrypting files. With the help of several commands and pre-configured code, Sage is able to render videos, music, pictures, audio files and others, completely non-openable. To make it’s presence known, this virus also appends the .sage file extension to those encrypted files, just like it’s previous version did:

The virus also drops it’s .HTML ransom note, named !Recovery_{random 3 letters}.html. It looks like the following:

Sage ransomware does not end the terror there. Malware researchers report it to also change the wallpaper of the user to further scare him. The wallpaper is very similar to the 1st version’s wallpaper:

The difference is in the actual text message, which is the following:

All your important and critical files as well as databases, images and videos and so on were encrypted by strong encryption.
SAGE 2.0 uses military grade elliptic curve cryptography and you have no chances restoring your files.
But if you follow our instructions we guarantee that you can restore all your files quickly.
For your convenience, we created copies of this message, named !Recovery_{random}.html on your desktop.
To get the instructions open any of this temporary links in your browser.”

Sage ransomware does not self-delete. Instead, the virus creates an executable file with a completely random name in the %Roaming% directory.

After the user opens the URL in the ransom instructions, he is led to the original Sage 2.0 web-page, which has the same well-crafted design, just like the 1.0 version had:

The virus even threatens the user that if in approximately 7 days the ransom is not paid, the price for the important files will double to 2000 dollars.

Remove Sage 2.0 Ransomware and Restore .sage Encrypted Files

Despite that Sage 2.0 may tempt you to pay the ransom, malware researchers advise not paying any form of ransom. The primary reason for this is that the criminals of this virus may not return your files and in addition to this, you support their virus to continue spreading. Instead, advices are to focus on removing the malware and saving the encrypted files whilst trying alternative methods, like the ones in step “Restore files encrypted by Sage 2.0 below”. For all of this information, you may want to refer to the removal instructions below. They are divided in Manual (for experienced in malware removal) and Automatic (recommended) removal instructions. Advices are to use an advanced anti-malware tool which will focus on performing multiple different processes which will eliminate all of the objects created by Sage 2.0 Ransomware automatically.

Note! Your computer system may be affected by Sage 2.0 and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Sage 2.0.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Sage 2.0 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Sage 2.0 files and objects
2. Find files created by Sage 2.0 on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Sage 2.0

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share