NewsJanuary 26, 2017 @ 1:30 PM

Sage Ransomware Levels Up

Security researcher and SANS Internet Storm Center (ISC) handler Brad Duncan discovered a new ransomware variant. The malware, dubbed Sage 2.0, is a variant of CryLocker and requires victims to pay $2,000 in bitcoin to recover encrypted files, SecurityWeek reported.

Unzipping Sage Ransomware

The researcher found Sage 2.0 in a .zip file distributed by a spam campaign known to deliver Cerber payloads. In general, the emails contained blank subject lines and no text.

According to Duncan’s report, the malware appears as a .js file or Word document once a victim unzips the attachment. While most attachments observed contained Sage 2.0, some delivered Cerber malware instead, which may point to testing or load balancing efforts on the cybercriminals’ end.

The malware must remain persistent within the system to prevent resource access, so it stores a scheduled task as an executable in the user’s AppData/Roaming directory.

Traffic Jam

After infection, Duncan wrote, Sage 2.0 generates callback traffic in the form of HTTP POST requests. When the DNS fails to resolve some callback domains, the infected host sends user datagram protocol (UDP) packets to more than 7,000 IP addresses.

CryLocker also generates this kind of UDP-based peer-to-peer traffic, but Duncan noted that Sage 2.0’s output “appears to be somehow encoded or encrypted.” This difference in implementation justifies Duncan’s classification of Sage 2.0 as a CryLocker variant, since the two do basically the same thing post-infection.

Sage Advice

Duncan acknowledged the limitations of his observations. “I’m not sure how widely distributed Sage ransomware is,” he admitted, adding that he had only observed it in one spam campaign over a single day.

Given the hefty ransom it demands, it’s worth every user’s time to take steps to protect their systems from Sage ransomware. Blocking spam emails is a good start. In any case, just say no to unknown attachments.

Share this Article:
Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He wrote for IBM's DeveloperWorks site for seven years and has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange.