Sage is a ransomware trojan that is spread via spam emails and is considered one of the types of ransomware that could cause massive destruction. The .JS or .DOCX file carrying Sage arrives in a .ZIP file attached to an email message; when the user opens the .ZIP file, the payload is auto-extracted.

The .JS and malicious Word documents both contain obfuscated scripts that download the Sage 2.0 installer to the %Temp% folder using a URL of the form

[hostname]/read.php?f=0.dat

or

[hostname]/user.php?f=0.dat

After encrypting the user's files, it communicates with a Command and Control server and sends encrypted data that includes a campaign ID. From this we can infer that the ransomware may be distributed on the Dark Web as Ransomware-as-a-Service (RaaS).
(Image: Sage 2.0 User Area Payment System)

It appends the extension .sage to encrypted files, meaning that if a file is named "Hog.jpg", it will be renamed to "Hog.jpg.sage".
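As an added example (not from this wiki page or from any Sage analysis tooling), the two indicators described above, the installer download URL pattern and the appended .sage extension, can be turned into simple detection checks. The proxy log lines, their whitespace-separated format and the hostname example.invalid are constructed for the demonstration.

```python
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Download pattern from the description: [hostname]/read.php?f=0.dat
# or [hostname]/user.php?f=0.dat, where the hostname varies per campaign.
SAGE_DOWNLOAD_PATHS = {"/read.php", "/user.php"}
SAGE_EXTENSION = ".sage"

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2017-01-20T10:02:11 10.0.0.15 GET http://example.invalid/read.php?f=0.dat 200
2017-01-20T10:02:13 10.0.0.15 GET http://example.invalid/index.html 200
2017-01-20T10:05:40 10.0.0.22 GET http://example.invalid/user.php?f=0.dat 200
2017-01-20T10:06:01 10.0.0.22 GET http://example.invalid/user.php?f=1.dat 404
"""


def is_sage_download_url(url: str) -> bool:
    """True if the URL matches the Sage 2.0 installer download pattern."""
    if "://" not in url:
        url = "http://" + url  # bare "[hostname]/read.php?..." form
    parts = urlsplit(url)
    if parts.path not in SAGE_DOWNLOAD_PATHS:
        return False
    # The page's pattern always requests f=0.dat; other values do not match.
    return parse_qs(parts.query).get("f") == ["0.dat"]


def find_sage_downloads(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every log line matching the download pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing the scan
        _ts, client_ip, _method, url, _status = fields[:5]
        if is_sage_download_url(url):
            hits.append((client_ip, url))
    return hits


def is_sage_encrypted_name(filename: str) -> bool:
    """True for names like 'Hog.jpg.sage': an original name plus the .sage suffix."""
    return (filename.lower().endswith(SAGE_EXTENSION)
            and len(filename) > len(SAGE_EXTENSION))


def count_sage_files(filenames: List[str]) -> int:
    """Number of file names in a listing that carry the .sage suffix."""
    return sum(1 for name in filenames if is_sage_encrypted_name(name))
```

A hit from find_sage_downloads identifies the client that fetched the installer, and a non-zero count_sage_files over a share listing indicates encryption has already started on that host.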

Sage's payload encrypts the victim's files using a method of encryption that is extremely hard to crack or decrypt, and refuses to unlock the files until a ransom of approximately $2,000 is paid. After 7 days, the price doubles to $4,000. All of these transactions must be made through a Tor website, in Bitcoin.
