Remove Sage Virus (Update November 2017) – Restore .Sage Files

Sage Virus – Remove It and Restore .Sage Files

Article, created to help users remove the .Sage file virus and try to restore AES encrypted files by Sage ransomware for free.

Users have begun to complain about a new ransomware threat on the loose that has the ability to render the files on targeted computers no longer openable. The virus is named Sage and its primary goal is to extort users for the decryption of their files, which the virus scrambles after infecting. The virus demands different sum for different infection. Some websites report it to want the sum of approximately 0.7 BTC and we have seen a website related to it, which demands the sum of 0.2 BTC. Anyone who has been infected by Sage ransomware is strongly advised not to pay any ransom amount and to focus on removing the virus and restoring the files using alternative file restoration methods.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe Sage ransomware encrypts your data and then displays a ransom message with instructions for payment.
SymptomsSage ransomware encrypts the files and adds the .sage file extension. A ransom note is dropped on the desktop with the following content.
Distribution MethodSpam Emails, Email Attachments, malicious .xls files, .htm Files, .js files, .ZIP archives
Detection Tool See If Your System Has Been Affected by Sage


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Sage.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update November 2017. After Sage’s initial appearance on the malware scene in December 2016, the virus continues to attack users, encrypting their files and demanding ransom in exchange for decryption. Sage has also seen 2 updates in Sage 2.0 and Sage 2.2. In terms of distribution, it has been established that Sage operators mostly rely on phishing emails containing Microsoft Office documents with malicious macros. The virus continues to be dropped by downloader scripts spread via the very same malicious emails. Malwarebytes researchers were able to identify the list of files targeted by Sage ransomware. The ransomware comes with an extensive list of the targeted extensions, which is hard-coded in the binary. Here is the list:

dat mx0 cd pdb xqx old cnt rtp qss qst fx0 fx1 ipg ert pic img cur fxr
slk m4u mpe mov wmv mpg vob mpeg 3g2 m4v avi mp4 flv mkv 3gp asf m3u m3u8
wav mp3 m4a m rm flac mp2 mpa aac wma djv pdf djvu jpeg jpg bmp png jp2 lz
rz zipx gz bz2 s7z tar 7z tgz rar ziparc paq bak set back std vmx vmdk vdi
qcow ini accd db sqli sdf mdf myd frm odb myi dbf indb mdb ibd sql cgn dcr
fpx pcx rif tga wpg wi wmf tif xcf tiff xpm nef orf ra bay pcd dng ptx r3d
raf rw2 rwl kdc yuv sr2 srf dip x3f mef raw log odg uop potx potm pptx rss
pptm aaf xla sxd pot eps as3 pns wpd wps msg pps xlam xll ost sti sxi otp
odp wks vcf xltx xltm xlsx xlsm xlsb cntk xlw xlt xlm xlc dif sxc vsd ots
prn ods hwp dotm dotx docm docx dot cal shw sldm txt csv mac met wk3 wk4
uot rtf sldx xls ppt stw sxw dtd eml ott odt doc odm ppsm xlr odc xlk ppsx
obi ppam text docb wb2 mda wk1 sxm otg oab cmd bat h asx lua pl as hpp clas
js fla py rb jsp cs c jar java asp vb vbs asm pas cpp xml php plb asc lay6
pp4 pp5 ppf pat sct ms11 lay iff ldf tbk swf brd css dxf dds efx sch dch
ses mml fon gif psd html ico ipe dwg jng cdr aep aepx 123 prel prpr aet
fim pfb ppj indd mhtm cmx cpt csl indl dsf ds4 drw indt pdd per lcd pct
prf pst inx plt idml pmd psp ttf 3dm ai 3ds ps cpx str cgm clk cdx xhtm
cdt fmv aes gem max svg mid iif nd 2017 tt20 qsm 2015 2014 2013 aif qbw
qbb qbm ptb qbi qbr 2012 des v30 qbo stc lgb qwc qbp qba tlg qbx qby 1pa
ach qpd gdb tax qif t14 qdf ofx qfx t13 ebc ebq 2016 tax2 mye myox ets
tt14 epb 500 txf t15 t11 gpc qtx itf tt13 t10 qsd iban ofc bc9 mny 13t
qxf amj m14 _vc tbp qbk aci npc qbmb sba cfp nv2 tfx n43 let tt12 210
dac slp qb20 saj zdb tt15 ssg t09 epa qch pd6 rdy sic ta1 lmr pr5 op sdy
brw vnd esv kd3 vmb qph t08 qel m12 pvc q43 etq u12 hsr ati t00 mmw bd2
ac2 qpb tt11 zix ec8 nv lid qmtf hif lld quic mbsb nl2 qml wac cf8 vbpf
m10 qix t04 qpg quo ptdb gto pr0 vdf q01 fcr gnc ldc t05 t06 tom tt10
qb1 t01 rpf t02 tax1 1pe skg pls t03 xaa dgc mnp qdt mn8 ptk t07 chg
#vc qfi acc m11 kb7 q09 esk 09i cpw sbf mql dxi kmo md u11 oet ta8 efs
h12 mne ebd fef qpi mn5 exp m16 09t 00c qmt cfdi u10 s12 qme int? cf9
ta5 u08 mmb qnx q07 tb2 say ab4 pma defx tkr q06 tpl ta2 qob m15 fca eqb
q00 mn4 lhr t99 mn9 qem scd mwi mrq q98 i2b mn6 q08 kmy bk2 stm mn1 bc8
pfd bgt hts tax0 cb resx mn7 08i mn3 ch meta 07i rcs dtl ta9 mem seam
btif 11t efsl $ac emp imp fxw sbc bpw mlb 10t fa1 saf trm fa2 pr2 xeq
sbd fcpa ta6 tdr acm lin dsb vyp emd pr1 mn2 bpf mws h11 pr3 gsb mlc
nni cus ldr ta4 inv omf reb qdfx pg coa rec rda ffd ml2 ddd ess qbmd
afm d07 vyr acr dtau ml9 bd3 pcif cat h10 ent fyc p08 jsd zka hbk bkf
mone pr4 qw5 cdf gfi cht por qbz ens 3pe pxa intu trn 3me 07g jsda
2011 fcpr qwmo t12 pfx p7b der nap p12 p7c crt csr pem gpg key

Sage Virus – Distribution Strategy

In order to successfully spread and infect users, Sage ransomware may use spam campaigns that redistribute different types of files. These spam campaigns are focused primarily on inexperienced users and may contain e-mail attachments as well as malicious web links that may cause an infection via several different methods:

  • Via malicious javascript.
  • Via malicious macros.
  • Via executables that are contained directly in an archive uploaded as an attachment.

After the user has already opened the malicious Sage files, the ransomware performs several different activities to drop malicious files In important Windows folders like the following:

  • %AppData%
  • %Roaming%
  • %Local%
  • %SystemDrive%

Sage Ransomware – Post-Infection Analysis

As soon as Sage ransomware has infected the user, the virus immediately modifies the registry entries of the affected computer. To perform this, sage may attack the following Windows registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Besides the Run and RunOnce keys which make its malicious executables encrypt files on Windows startup, the Sage virus may also perform other modifications of other types of files on compromised machines, such as add value strings in keys that change the wallpaper, drop files on the desktop and open them and others.

To encrypt user files, the Sage virus uses the AES encryption algorithm. This cipher is used with the one and only purpose of encrypting blocks of data in the source code of the infected file. This encryption procedure is enough to render a file no longer openable. For the encryption, Sage ransomware attacks files that are:

  • Videos.
  • Audio files.
  • Files, related to Microsoft Office documents.
  • Adobe Reader files.
  • Images.
  • Database files.
  • Virtual drives.

As soon as Sage ransomware has performed the encryption, it adds the .sage file extension to the encrypted files. When this has been done, the files look like the following:

After encryption, Sage ransomware drops a very large ransom note to notify the user to open their website, which in return has the following message:

The website of Sage ransomware also includes advanced instructions on how to turn money in to BitCoin and use this to conduct a payment to the user.

Not only this, but similar to Cerber ransomware, Sage also offers decryption of 1 file for free as customer support.

Remove Sage Ransowmare and Restore Encrypted Files

In order to completely remove Sage ransomware, we urge you to follow the removal instructions below. In case you are having difficulties in manually removing the virus from your computer, experts recommend deleting it automatically via downloading and installing an advanced program for malware removal which will take care of this threat for you automatically. The instructions also include Alternative file restoration methods in step “2. Restore files encrypted by Sage” below. We advise you to backup the encrypted files before testing those tools since they may damage them. Also, bear in mind that those methods are not 100% effective, but they may also partially work for you.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share