January 26, 2017 By Larry Loeb < 1 min read

Security researcher and SANS Internet Storm Center (ISC) handler Brad Duncan discovered a new ransomware variant. The malware, dubbed Sage 2.0, is a variant of CryLocker and requires victims to pay $2,000 in bitcoin to recover encrypted files, SecurityWeek reported.

Unzipping Sage Ransomware

The researcher found Sage 2.0 in a .zip file distributed by a spam campaign known to deliver Cerber payloads. In general, the emails contained blank subject lines and no text.

According to Duncan’s report, the malware appears as a .js file or Word document once a victim unzips the attachment. While most attachments observed contained Sage 2.0, some delivered Cerber malware instead, which may point to testing or load balancing efforts on the cybercriminals’ end.

The malware must remain persistent within the system to prevent resource access, so it stores a scheduled task as an executable in the user’s AppData/Roaming directory.

Traffic Jam

After infection, Duncan wrote, Sage 2.0 generates callback traffic in the form of HTTP POST requests. When the DNS fails to resolve some callback domains, the infected host sends user datagram protocol (UDP) packets to more than 7,000 IP addresses.

CryLocker also generates this kind of UDP-based peer-to-peer traffic, but Duncan noted that Sage 2.0’s output “appears to be somehow encoded or encrypted.” This difference in implementation justifies Duncan’s classification of Sage 2.0 as a CryLocker variant, since the two do basically the same thing post-infection.

Sage Advice

Duncan acknowledged the limitations of his observations. “I’m not sure how widely distributed Sage ransomware is,” he admitted, adding that he had only observed it in one spam campaign over a single day.

Given the hefty ransom it demands, it’s worth every user’s time to take steps to protect their systems from Sage ransomware. Blocking spam emails is a good start. In any case, just say no to unknown attachments.

More from

Hacking the mind: Why psychology matters to cybersecurity

4 min read - In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind every breach is a calculated manipulation, and behind every defense, a strategic response. The psychology of cyber crime, the resilience of security professionals and the behaviors of everyday users combine to form the human element of cybersecurity. Arguably, it's the…

Stress-testing multimodal AI applications is a new frontier for red teams

5 min read - Human communication is multimodal. We receive information in many different ways, allowing our brains to see the world from various angles and turn these different "modes" of information into a consolidated picture of reality.We’ve now reached the point where artificial intelligence (AI) can do the same, at least to a degree. Much like our brains, multimodal AI applications process different types — or modalities — of data. For example, OpenAI’s ChatGPT 4.0 can reason across text, vision and audio, granting…

Cybersecurity awareness: Apple’s cloud-based AI security system

3 min read - The rising influence of artificial intelligence (AI) has many organizations scrambling to address the new cybersecurity and data privacy concerns created by the technology, especially as AI is used in cloud systems. Apple addresses AI’s security and privacy issues head-on with its Private Cloud Compute (PCC) system.Apple seems to have solved the problem of offering cloud services without undermining user privacy or adding additional layers of insecurity. It had to do so, as Apple needed to create a cloud infrastructure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today