Saturday, October 14, 2017

Notes on Sage 2.2 ransomware version

Sage, also known as SageCrypt, is an interesting ransomware variant - emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware.

There's a good blog post on BleepingComputer on the first version of Sage, id est "Sage 2".

Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2

Sage 2.2 appears to have been out for a while, at least since February of this year:

Some figures of Sage 2.2 follow below:

Figure 1 - Sage 2.2 desktop background

Figure 2 - Sage 2.2 file recovery instructions

The message reads:

You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware".
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key.

Typical features of Sage 2.2, include, but are not limited to:

  • Refresh or update of payment pages is possible;
  • Ransom note (!HELP_SOS) and portal, including CAPTCHA;

It speaks! Just like Cerber did at some point, Sage 2.2 has a message for the victim using Microsoft SAPI:

Figure 3 - VBscript which will speak to the victim (click to enlarge)

Interestingly enough, even though the version number still indicates 2.2, there's at least one slight change:
  • Deletion or purge of backup catalog/history by using:
    wbadmin delete catalog -quiet

The portal or decryption pages look as follows, stepping through:

Figure 4 - Sage 2.2 user login portal

Figure 5 - Captcha

Figure 6 - Language selection

Figure 7 - Final portal

The victim can choose from a multitude of languages, and, at the final portal, there is a special price for the decryption, for a selected time (7 days): currently 0.17720 BTC, which is about $1000.

As usual, there's a Payment, Test decryption, Instructions, and even a Support tab:

Figure 8 - Payment tab
Figure 9 - Test Decryption tab

Figure 10 - Instructions tab

Figure 11 - Support requests tab

Sage 2.2 will append the .sage extension to encrypted files and currently, it does not appear files can be decrypted without the cybercriminal's help.

As always, try to restore from a backup if possible, and avoid paying the ransom.

Additionally, have a look at my ransomware prevention page, on how to protect yourself.


Wednesday, October 11, 2017

Rick and Morty episode? Nope, another CoinMiner

Last week I got an email from someone requesting help in regards to a possible malware infection: that person downloaded a torrent, and believed it was a legitimate episode of Rick and Morty, an animated series.

A file called Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe (116 MB in filesize) is of our interest and, what you'll notice first is of course the file extension - it's an executable Riiiiiiiiiiiick!

In fact, this file is a self-extracting and password-protected archive which contains two other files:

Figure 1 - two new files in the archive

One file is indeed a legitimate video file, which features the following:

Figure 2 - clip

This short clip has nothing to do with Rick and Morty, but seems to be a promo clip for a new series, called '1922'.

Inside the other file however, another executable, is another self-extracting and password-protected archive, sometimes referred to as 'SFX' with inside ... More archives.

In short, what you actually end up with is a cryptominer or coinminer. In Figure 3 below, you can spot both the passwords used for the archives, as well as the mining pool of interest:

Figure 3 - Passwords, and cryptominer pool (click to enlarge)

The line of interest is as follows, in where the IP points to a US server:

START "{1}" /B /WAIT /LOW "%ALLUSERSPROFILE%\{1}\{1}.exe" -o -u off.x -p off.x -k --nicehash -o -u off.y -p off.y -k -v 0 --donate-level 1 -B

Basically, this is yet another cryptominer or coinminer. This one is rather interesting, for several reasons. If you'd like to know more, feel free to have a play around with the files, they are included as IOCs at the end of this post.


If you've been hit by this, then...:

  • Navigate to C:\ProgramData or %ALLUSERSPROFILE%
  • Search for a folder with random names. If you don't see any, you may want to follow the instructions here. Delete said folder, if possible. If not possible:
  • Open Task Manager, and search for any process with a random name. End the process and repeat step 1 to 2.
  • Perform a scan with your installed antivirus product.
  • Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.
You may also leave a comment should any difficulties arise.


  • Install an antivirus (free or not).
  • Enable showing file extensions. This is hidden by default by Windows, and will enable you to see if that 'video' is indeed a video, or not. Guide here.
  • Do not download any torrents or at least try to avoid those that are either suspicious-looking, or too good to be true.


Coinminers have been on the rise for a while now, and illegitimately use a person's machine for mining, which may additionally lead to an increased (and undesired) CPU usage.

While coinminers for now are relatively less dangerous than what's usually out there, for example banking trojans, it should not be underestimated - and the sample analysed in this post proves the point, as it employed some rather unique, or at least varied, techniques.

It is likely safe to assume that not only the malicious use of coinminers will increase, but also that other malware may jump aboard - attempting to maximize profits (or vice versa, a coinminer with added persistence or other malware on board). The latter has already been observed, for example, in AdylKuzz.