What is Sage 2.2 Ransomware?
Sage 2.2 Ransomware is a recently released computer malware that is capable of encrypting your personal files offline. Its name carries a 2.2 version identifier for a reason: it has been actively developed. Needless to say, you have to remove this ransomware if your PC becomes infected with it. In this article, we provide an in-depth analysis of this particular ransomware. We discuss how it is distributed, how it works, and how to get rid of its leftover junk files, since its main files delete themselves after the encryption is complete.
Where does Sage 2.2 Ransomware come from?
How does Sage 2.2 Ransomware work?
After completing the encryption, the copy dropped in %APPDATA% is deleted using a batch script dropped in the %TEMP% folder. If the computer is restarted before the encryption is complete, Sage 2.2 Ransomware creates a shortcut in the Startup folder so that encryption continues on the next system startup. However, if this ransomware completes the encryption and deletes itself, the shortcut is left behind.
Once the encryption is finished, this ransomware changes the desktop wallpaper. The new background image serves as a ransom note; the 2.2 version is similar to that of version 2.0, the main difference being that the font is green instead of red. This ransomware then opens a second ransom note, a file named !HELP_SOS.hta. This note is written in several languages, including English, German, and Italian. Furthermore, the ransomware plays a voice message through WScript. The note contains a link to a site for the victim, which can only be accessed by entering the personal ID included in the note. Note that as soon as you enter the site, the ransomware starts a timer that increases the ransom payment as it runs down. The starting price for the decryption key is 99 USD or 0.1 BTC.
Research has shown that this ransomware attempts to connect to the Internet and send data via UDP or HTTP POST requests. However, if there is no connection, it works as normal: Sage 2.2 Ransomware does not require any data from the command and control server to function. The data is encrypted using ChaCha20 before it is sent. Our researchers say that this ransomware uses two cryptographic algorithms: ChaCha20 encrypts the content of each file, and ECC protects the keys. Each key is obtained from SystemFunction036 (the RtlGenRandom export, the Windows system random number generator). The program creates a random buffer and encrypts it using ECC. Then, on the second pass, it encrypts the random value using ECC and produces the Victim ID. On the third pass, the buffer is encrypted with ECC once again and produces the Encrypted Victim ID. Researchers say that both buffers are stored in the program's memory and used from there.
This ransomware was designed to encrypt a long list of file extensions. Our malware analysts say that each file is encrypted using a unique encryption key and, while encrypting your files, this ransomware appends a “.sage” extension to them. In order to gain access to all of your files (open database files would otherwise be locked), this ransomware terminates a number of running processes, including msftesql.exe, sqlbrowser.exe, sqlagent.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, and many others. However, it also skips some folders. Most notably, it skips Program Files (x86), Program Files, $Recycle, System32, Microsoft, and so on. Furthermore, this ransomware excludes certain countries based on the system's default keyboard layout, so it will not encrypt your files if the layout is set for Belarus, Ukraine, Russia, Latvia, Kazakhstan, or Uzbekistan.
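The behaviours described in the last two paragraphs (terminating several database processes in a row, mass renaming of files to “.sage”, and dropping !HELP_SOS.hta) are exactly the kind of thing an endpoint detection rule can key on. The following Python routine is an added example, not code from the original article or from any vendor: it runs over constructed, simplified process/file telemetry (the record fields, binary name and paths are assumptions for the demo, not a real Sysmon or EDR schema) and raises one alert per behaviour per process.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the article lists as terminated by Sage 2.2 so that locked
# database files can be encrypted.
DB_PROCESSES = {
    "msftesql.exe", "sqlbrowser.exe", "sqlagent.exe", "sqlservr.exe",
    "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe",
    "synctime.exe", "mydesktopqos.exe", "agntsvc.exe",
}
RANSOM_NOTE = "!help_sos.hta"   # second ransom note named in the article
SAGE_EXT = ".sage"              # extension appended to encrypted files


def ev(ts, pid, image, kind, target):
    """Build one simplified telemetry record (assumed schema, not real Sysmon/EDR)."""
    return {"ts": ts, "pid": pid, "image": image, "type": kind, "target": target}


# Constructed sample telemetry. The binary name and paths are made up for the demo.
MAL = r"C:\Users\bob\AppData\Roaming\kjh3d9a2f.exe"
SAMPLE_EVENTS = [
    ev("2017-03-01T10:00:00", 4120, MAL, "process_terminate", "sqlservr.exe"),
    ev("2017-03-01T10:00:01", 4120, MAL, "process_terminate", "sqlwriter.exe"),
    ev("2017-03-01T10:00:02", 4120, MAL, "process_terminate", "oracle.exe"),
    # benign noise: a single rename by Explorer and an unrelated service stop
    ev("2017-03-01T10:00:03", 900, r"C:\Windows\explorer.exe", "file_rename",
       r"C:\Users\bob\Documents\report.pdf"),
    ev("2017-03-01T10:00:04", 1200, r"C:\Windows\System32\services.exe",
       "process_terminate", "spoolsv.exe"),
    ev("2017-03-01T10:00:15", 4120, MAL, "file_create",
       r"C:\Users\bob\Documents\!HELP_SOS.hta"),
] + [
    ev(f"2017-03-01T10:00:0{5 + i}", 4120, MAL, "file_rename",
       rf"C:\Users\bob\Documents\file{i}.docx.sage")
    for i in range(5)
]


def detect(events, rename_threshold=5, window=timedelta(seconds=60), kill_threshold=3):
    """Return (alert_kind, pid, image) tuples, at most one per behaviour per process."""
    alerts, alerted = [], set()
    sage_times = defaultdict(list)   # pid -> timestamps of .sage renames/creates in window
    killed = defaultdict(set)        # pid -> distinct DB processes it terminated

    def raise_alert(kind, e):
        if (kind, e["pid"]) not in alerted:
            alerted.add((kind, e["pid"]))
            alerts.append((kind, e["pid"], e["image"]))

    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        target = e["target"].lower()
        basename = target.rsplit("\\", 1)[-1]
        if e["type"] in ("file_rename", "file_create") and target.endswith(SAGE_EXT):
            # sliding window: keep only recent .sage writes by this process
            recent = [t for t in sage_times[e["pid"]] if ts - t <= window] + [ts]
            sage_times[e["pid"]] = recent
            if len(recent) >= rename_threshold:
                raise_alert("mass_sage_rename", e)
        elif e["type"] == "file_create" and basename == RANSOM_NOTE:
            raise_alert("ransom_note_dropped", e)
        elif e["type"] == "process_terminate" and target in DB_PROCESSES:
            killed[e["pid"]].add(target)
            if len(killed[e["pid"]]) >= kill_threshold:
                raise_alert("db_process_kill_burst", e)
    return alerts


if __name__ == "__main__":
    for kind, pid, image in detect(SAMPLE_EVENTS):
        print(f"{kind:24} pid={pid} image={image}")
```

The thresholds are deliberately conservative: a single rename or one stopped service (the Explorer and services.exe records) produces nothing, while the database-kill burst fires before a single file has been encrypted, which is the point at which stopping the process still saves data.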
How do I remove Sage 2.2 Ransomware?
Sage 2.2 Ransomware deletes itself after encryption but leaves behind some files that you should remove to ensure your computer's security. This particular ransomware is quite sophisticated, as it uses a complex method of deriving keys. It can enter your computer secretly, so you should protect your PC if you fear it might be targeted. Our security specialists recommend using SpyHunter as it can stop this ransomware dead in its tracks. However, if your files have already been encrypted by it, then all you can do at this point is remove its junk files, because there is currently no free decryption tool.
- Press Windows+E keys.
- Enter the following file paths in the address box and press Enter.
- %USERPROFILE%\My Documents
- You should look for 1 image, 3 .txt, and 3 .html files.
- Right-click them and click Delete.
- Then, go to %APPDATA% and delete all suspicious files with random strings in the name.
- Finally, go to %ALLUSERSPROFILE%\Start Menu\Programs\Startup
- Delete the shortcut.
- Empty the Recycle Bin.
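Before deleting anything by hand, it helps to list what is actually there. The script below is an added example, not part of the original article or of any vendor's product: it walks the folders the removal steps name and reports the leftovers they describe (ransom-note candidates in My Documents, randomly named files in %APPDATA%, the Startup shortcut, the batch script in %TEMP%, and any “.sage” files), without deleting anything. On a real Windows host `default_paths()` resolves those folders from the environment variables the steps use; `build_demo_tree()` creates a constructed sample layout so the script runs offline, and every file name in it is made up.

```python
import os
import re
import tempfile
from pathlib import Path

# What the removal steps say to look for. Note names other than !HELP_SOS.hta
# are not given on the page, so inside the Documents folder every image, .txt
# and .html file is listed as a candidate for the analyst to review.
NOTE_EXTS = {".hta", ".txt", ".html", ".htm", ".bmp", ".jpg", ".png"}
# "random strings in the name": 8+ alphanumerics mixing letters and digits.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}\.[a-z0-9]{1,4}$", re.I)


def default_paths():
    """Resolve the folders the removal steps name from the Windows environment."""
    env = os.environ
    return {
        "documents": Path(env.get("USERPROFILE", "")) / "My Documents",
        "appdata": Path(env.get("APPDATA", "")),
        "startup": Path(env.get("ALLUSERSPROFILE", "")) / "Start Menu" / "Programs" / "Startup",
        "temp": Path(env.get("TEMP", "")),
    }


def triage(paths):
    """Report Sage 2.2 leftovers under the given folders. Nothing is deleted."""
    found = {"encrypted": [], "note_candidates": [], "appdata_random": [],
             "startup_links": [], "temp_batch": []}
    docs = paths["documents"]
    if docs.is_dir():
        found["encrypted"] = sorted(p for p in docs.rglob("*.sage") if p.is_file())
        found["note_candidates"] = sorted(
            p for p in docs.iterdir()
            if p.is_file() and (p.name.lower() == "!help_sos.hta"
                                or p.suffix.lower() in NOTE_EXTS))
    appdata = paths["appdata"]
    if appdata.is_dir():
        found["appdata_random"] = sorted(
            p for p in appdata.iterdir() if p.is_file() and RANDOM_NAME.match(p.name))
    startup = paths["startup"]
    if startup.is_dir():
        found["startup_links"] = sorted(p for p in startup.iterdir() if p.suffix.lower() == ".lnk")
    temp = paths["temp"]
    if temp.is_dir():
        found["temp_batch"] = sorted(
            p for p in temp.iterdir() if p.suffix.lower() in (".bat", ".cmd"))
    return found


def build_demo_tree():
    """Constructed post-infection layout for an offline demo; all names are made up."""
    root = Path(tempfile.mkdtemp(prefix="sage_demo_"))
    paths = {k: root / k for k in ("documents", "appdata", "startup", "temp")}
    for p in paths.values():
        p.mkdir()
    (paths["documents"] / "!HELP_SOS.hta").write_text("<html>placeholder note</html>")
    (paths["documents"] / "notes_placeholder.txt").write_text("placeholder note")
    (paths["documents"] / "holiday.jpg").write_bytes(b"\xff\xd8")   # benign image, still listed
    (paths["documents"] / "budget.xlsx.sage").write_bytes(b"\x00" * 16)
    (paths["appdata"] / "f9d3kq2m7.exe").write_bytes(b"MZ")
    (paths["appdata"] / "settings.ini").write_text("[demo]")         # normal name, not flagged
    (paths["startup"] / "f9d3kq2m7.lnk").write_bytes(b"L\x00\x00\x00")
    (paths["temp"] / "cleanup.bat").write_text("@echo off")
    return paths


if __name__ == "__main__":
    report = triage(build_demo_tree())   # use default_paths() instead on a real Windows host
    for category, items in report.items():
        print(f"{category}: {[p.name for p in items]}")
```

The report is intentionally a list for review rather than a delete list: a benign image in My Documents or a legitimate Startup shortcut will show up too, and the “.sage” count tells you how much data is affected before you decide whether to keep the encrypted files in case a decryption tool appears later.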