Sage 2.2 Ransomware

What is Sage 2.2 Ransomware?

Sage 2.2 Ransomware is a new computer malware that is capable of encrypting your personal files offline. It is not accidental that its name features a 2.2 version identifier because it has been actively developed. Needless, to say, you have to remove this ransomware if your PC were to become infected with it. In this article, we will provide you with an in-depth analysis of this particular ransomware. We will discuss how it is distributed, how it works, and how to get rid of its junk files as its main files auto-delete themselves after the encryption is complete.testtesttest

Where does Sage 2.2 Ransomware come from?

Our malware analysts at have concluded that this particular ransomware is distributed through phishing emails. These emails might be sent from a dedicated email server automatically. However, we do not know the methodology behind selecting the particular email addresses to which the malicious emails are sent. Furthermore, it is also unclear how the cybercriminals trick users into opening the malicious file attached to the email. Nevertheless, our analysts have confirmed that the emails can feature an attached MS Office documents with malicious macros. Nevertheless, JavaScript files are also used. If you open or extract the attached file and run it, Sage 2.2 Ransomware will delete the original and create a copy in %APPDATA%. The names of the malicious files vary between cases because it seems that the program generates the named based on GUID.

How does Sage 2.2 Ransomware work?

After completing the encryption, the copy dropped in %APPDATA%. Is deleted using a batch script dropped in the %TEMP% folder. In the event the computer is restarted before the encryption is complete, Sage 2.2 Ransomware creates a link the Startup to continue the encryption on the next system startup. However, if this ransomware completes the encryption and deletes itself, the link is left behind.

Once the encryption is finished, this ransomware changes the desktop wallpaper. The new background image serves as a ransom note, and the 2.2 version is similar to 2.0 version, but the main difference is that the font is a green color instead of red. Then, this ransomware will open a second ransom note that is a file named !HELP_SOS.hta. This note is in several languages that include English, German, and Italian, among others. Furthermore, this ransomware plays a voice message that is deployed via WScript. The note contains a link to the victim. You need to enter your personal ID that is included in the note to access it. Note that as soon as you enter the site. The ransomware will start a timer that will increase the ransom payment as it depletes. The starting price for the decryption key is 99 USD or 0.1 BTC.

Research has shown that this particular ransomware is set to connect to the Internet and send data via UDP or HTTP POST request. However, if there is no connection, then this ransomware will work as normal. Sage 2.2 Ransomware does not require any data from the command and control server to work. The data is encrypted using ChaCha20 before it is sent. Our researchers say that this ransomware uses two cryptographic algorithms. The ChaCha20 is used to encrypt the content of each file and ECC is used to protect the keys. Each key is retrieved using SystemFunction036. The program creates a random buffer and encrypts it using ECC. Then, on the second pass , it encrypts the random value using ECC and produces the Victim ID. On the third pass, the buffer is encrypted with EEC once again and produces the Encrypted Victim ID. Researchers say that both buffers are stored in the memory of the program and used.

This ransomware was designed to encrypt a long list of file extensions. Our malware analysts say that each file is encrypted using a unique encryption key and, while encrypting your files, this ransomware will append them with a “.sage” file extension. In order to access all of your files, this ransomware terminates some running processes that include msftesql.exe, sqlbrowser.exe, sqlagent.exe, , sqlservr.exe, sqlwriter.exeoracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, and many others. However, it will also skip some folders. Most notably, it will skip Program Files (x86), Program Files, $Recycle, System32, Microsoft, and so on. Furthermore, this ransomware excludes countries based on their default keyboard layout. So the ransomware will not encrypt your files if you reside in Belarus, Ukraine, Russia, Latvia, Kazakhstan, and Uzbekistan.

How do I remove Sage 2.2 Ransomware?

Sage 2.2 Ransomware deletes itself after encryption but leaves some files that you should remove to ensure your computer’s security. This particular ransomware is quite sophisticated as it uses a complex method of deriving keys. It can enter your computer secretly, so you should protect your PC if you fear it might target your PC. Our security specialists recommend using SpyHunter as it can stop this ransomware dead in its tracks. However, if your files have already been encrypted by it, then all you can do at this point is to remove its junks files because there is currently no free decryption tool.

Removal Instructions

  1. Press Windows+E keys.
  2. Enter the following file paths in the address box and press Enter.
    • %USERPROFILE%\My Documents
    • %TEMP%
  3. You should look for 1 image, 3 .txt, and 3 .html files.
  4. Right-click them and click Delete.
  5. Then, go to %APPDATA% and delete all suspicious files with random strings in the name.
  6. Finally, go to %ALLUSERSPROFILE%\Start Menu\Programs\Startup
  7. Delete the shortcut.
  8. Empty the Recycle Bin.
100% FREE spyware scan and
tested removal of Sage 2.2 Ransomware*

Leave a Comment

Enter the numbers in the box to the right *