Sage 2.0 Ransomware

The ransomware, called “Sage 2.0”, is a variant of the CryLocker ransomware and was found in an email campaign for malspam. According to Brad Duncan’s article on SANS ISC InfoSec forum, the ransomware is delivered to your inbox in the form of a zip attachment with a Word document inside. The email has the typical “no subject line” flag that most of you are already looking for, and of course the obvious file attachment is your second red flag.
But if you’re still not convinced that this is going to be harmful to your data, then how about we throw in that the attachment’s file name may have your name in it? Convinced now? So as far as malspam goes, this pretty much has every red flag triggered.
The Word document is where the real problem is. In most malspam there is usually some form of action that you, the user, has to take in order to infect your system. In some cases it’s a .js file or a link that wants you to download an .exe file, or something that requires your interaction. In this case the Word document has a malicious macro in it that will trigger a download and execution of the Sage 2.0 ransomware. I believe in this case the trigger was pulled by tricking the user to enable editing for the document.
Once triggered, Sage 2.0 acts like any other ransomware, by encrypting all your files and displaying a message on your machine on how to decrypt your files before a set period of time runs out. Which of course, will end up costing you a pretty penny.
In conclusion, Sage 2.0 is as dangerous to your files as any other ransomware. But, it’s also fairly easy to detect and requires the user to take a few extra steps in order to trigger the trap. Anyone who is paying attention to what they’re doing is probably going to simply delete the poorly composed (or even empty ) email and avoid all this mess.

Be the first to comment

Leave a Reply

Your email address will not be published.


5 × three =