Sage is a ransomware trojan that is spread via spam emails and is considered one of the types of ransomware that could cause massive destruction. The .JS or .DOCX file for Sage arrives in a .ZIP file attached to an email message, when the user opens the .ZIP file, it auto-extracts the payload.

The JS and Malicious Word docs both contain obfuscated scripts that will download the Sage 2.0 installer to the %Temp% folder using an URL such as



It communicates with a Command and Control server after encrypting the user files, and sends encrypted data including a campaign ID. We can infer that this ransomware may be distributed in the Dark Web as a Ransomware-as-a-service (Raas).

Sage 2.0 User Area Payment System

It will append encrypted files the extension .sage, meaning that if a file is named "Hog.jpg", it will be renamed to "Hog.jpg.sage".

Sage's payload encrypts the victim's files using a method of encryption that is extremely hard to crack or decrypt, and refuses to unlock the files until the ransom of approximately $2,000 is paid. After 7 days, the price will double to $4000. All of these transactions have to be made in a Tor website in the form of Bitcoin.