Security researcher and SANS Internet Storm Center (ISC) handler Brad Duncan discovered a new ransomware variant. The malware, dubbed Sage 2.0, is a variant of CryLocker and requires victims to pay $2,000 in bitcoin to recover encrypted files, SecurityWeek reported.

Unzipping Sage Ransomware

The researcher found Sage 2.0 in a .zip file distributed by a spam campaign known to deliver Cerber payloads. In general, the emails contained blank subject lines and no text.

According to Duncan’s report, the malware appears as a .js file or Word document once a victim unzips the attachment. While most attachments observed contained Sage 2.0, some delivered Cerber malware instead, which may point to testing or load balancing efforts on the cybercriminals’ end.

The malware must remain persistent within the system to prevent resource access, so it stores a scheduled task as an executable in the user’s AppData/Roaming directory.

Traffic Jam

After infection, Duncan wrote, Sage 2.0 generates callback traffic in the form of HTTP POST requests. When the DNS fails to resolve some callback domains, the infected host sends user datagram protocol (UDP) packets to more than 7,000 IP addresses.

CryLocker also generates this kind of UDP-based peer-to-peer traffic, but Duncan noted that Sage 2.0’s output “appears to be somehow encoded or encrypted.” This difference in implementation justifies Duncan’s classification of Sage 2.0 as a CryLocker variant, since the two do basically the same thing post-infection.

Sage Advice

Duncan acknowledged the limitations of his observations. “I’m not sure how widely distributed Sage ransomware is,” he admitted, adding that he had only observed it in one spam campaign over a single day.

Given the hefty ransom it demands, it’s worth every user’s time to take steps to protect their systems from Sage ransomware. Blocking spam emails is a good start. In any case, just say no to unknown attachments.