{"id":7152,"date":"2017-03-29T08:10:37","date_gmt":"2017-03-29T16:10:37","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-943\/"},"modified":"2017-03-29T08:10:37","modified_gmt":"2017-03-29T16:10:37","slug":"news-943","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-943\/","title":{"rendered":"Explained: Sage ransomware"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 29 Mar 2017 15:00:24 +0000<\/strong><\/p>\n<p>Sage is yet another ransomware that has become a common threat nowadays. Similarly to <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/03\/spora-ransomware\/\" target=\"_blank\">Spora<\/a>, it has capabilities to encrypt files offline. The malware is actively developed and currently, we are facing an outbreak of version 2.2. of this product.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/6709cd1d5f0998ca9355b7f3bb86edc7d6ae7dd44598c18a8eb6d6dbe185eb12\/analysis\/\" target=\"_blank\">3686b6642cf6a3d97e368590557ac3f2<\/a> &#8211; JS downloader<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/a36c836d1283efba8903583ad5fcee0a3f16b0d9b52fa87e82478245950b19a5\/analysis\/\" target=\"_blank\">d8226b7697524c60eddd22a46b588ff7<\/a> &#8211; original payload (dropped by the script)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/de4d32cf30b81cf3761b34940ae82e086cb1dbd34a4fd1d630d0416a6721324a\/analysis\/1490385348\/\" target=\"_blank\">159af0102877e71a1c3f5468bd02a8f3<\/a> &#8211; unpacked payload<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Distribution method<\/h3>\n<p>Most often, Sage is dropped by downloader scripts distributed via phishing e-mails (office documents with malicious macros or standalone JS files). 
In the analyzed case, the sample was dropped via a JavaScript file.<\/p>\n<h3>Behavioral analysis<\/h3>\n<p>After being deployed, Sage deletes the original sample and runs another copy, dropped in %APPDATA% (the names of the dropped files differ from machine to machine &#8211; they are probably generated based on a GUID):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17043\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_copy-1.png\" alt=\"\" width=\"593\" height=\"141\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_copy-1.png 593w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_copy-1-300x71.png 300w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/p>\n<p>The dropped copy deploys itself once again, with the parameter &#8216;g&#8217;. Example:<\/p>\n<pre>\"C:\\Users\\tester\\AppData\\Roaming\\FkGtk5ju.exe\" g<\/pre>\n<p>After finishing its work, that dropped copy is also deleted, with the help of a batch script dropped in the %TEMP% folder.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17042\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/working_sage-1.png\" alt=\"\" width=\"696\" height=\"82\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/working_sage-1.png 696w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/working_sage-1-300x35.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/working_sage-1-600x71.png 600w\" sizes=\"auto, (max-width: 696px) 100vw, 696px\" \/><\/p>\n<p>The content dropped in %TEMP% is shown in the picture below. 
We can see the batch scripts and the BMP that is set as the wallpaper:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17030\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_temp.png\" alt=\"\" width=\"595\" height=\"190\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_temp.png 595w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_temp-300x96.png 300w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/p>\n<p>Sample contents of the batch scripts are given below. As we can see, the ping command is used to delay operations.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17031\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script1.png\" alt=\"\" width=\"405\" height=\"113\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script1.png 405w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script1-300x84.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script1-400x113.png 400w\" sizes=\"auto, (max-width: 405px) 100vw, 405px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17032\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script2.png\" alt=\"\" width=\"492\" height=\"116\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script2.png 492w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/script2-300x71.png 300w\" sizes=\"auto, (max-width: 492px) 100vw, 492px\" \/><\/p>\n<p>In case the system is restarted before the encryption has finished, Sage places a link in the Startup folder so that it can continue after the reboot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17051\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/startup_link.png\" alt=\"\" width=\"658\" height=\"36\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/startup_link.png 658w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/startup_link-300x16.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/startup_link-600x33.png 600w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/p>\n<p>However, if the ransomware successfully completes the encryption process and deletes itself, the link is left orphaned.<\/p>\n<p>After finishing, the wallpaper is changed. In version 2.2 the wallpaper looks very similar to the one in 2.0, except that the font is green instead of red:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17024\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/wallpaper_changed.png\" alt=\"\" width=\"961\" height=\"559\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/wallpaper_changed.png 1420w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/wallpaper_changed-300x174.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/wallpaper_changed-600x349.png 600w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><\/p>\n<p>At the end of the execution, the ransom note <em>!HELP_SOS.hta<\/em> opens automatically:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17022\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage22.png\" alt=\"\" width=\"813\" height=\"496\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage22.png 1061w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage22-300x183.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage22-600x366.png 600w\" sizes=\"auto, (max-width: 813px) 100vw, 813px\" \/><\/p>\n<p>In addition to the written information, Sage 2.2 
plays a voice message informing the user about the infection. It is deployed via WScript running the default Microsoft text-to-speech service &#8211; just like in the case of <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/03\/cerber-ransomware-new-but-mature\/\" target=\"_blank\">Cerber<\/a>.<\/p>\n<p>Some content is left in %APPDATA%:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17033\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_appdata.png\" alt=\"\" width=\"623\" height=\"373\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_appdata.png 623w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_appdata-300x180.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_in_appdata-600x359.png 600w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><\/p>\n<p>Encrypted files are given the &#8220;.sage&#8221; extension and their icons are changed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17026\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/encrypted_files.png\" alt=\"\" width=\"594\" height=\"166\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/encrypted_files.png 594w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/encrypted_files-300x84.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/p>\n<p>Visualization of a file \u2013 before and after encryption:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11700\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/enc_square1.png\" alt=\"\" width=\"219\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/enc_square1.png 219w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/enc_square1-150x150.png 150w\" 
sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17027\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/enc_square1.bmp_.sage_.png\" alt=\"\" width=\"219\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/enc_square1.bmp_.sage_.png 219w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/enc_square1.bmp_.sage_-150x150.png 150w\" sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/><\/p>\n<p>Files with the same plaintext produce different ciphertexts, which leads to the conclusion that each file is encrypted with a new key.<\/p>\n<p>Sage works fine without an internet connection; however, if connected, it sends data via UDP (similarly to <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/03\/cerber-ransomware-new-but-mature\/\" target=\"_blank\">Cerber<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17037\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/udp_traffic.png\" alt=\"\" width=\"443\" height=\"177\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/udp_traffic.png 443w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/udp_traffic-300x120.png 300w\" sizes=\"auto, (max-width: 443px) 100vw, 443px\" \/><\/p>\n<p>The traffic is encrypted:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17038\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/udp_traffic_cap.png\" alt=\"\" width=\"580\" height=\"123\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/udp_traffic_cap.png 580w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/udp_traffic_cap-300x64.png 300w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<h3>Page for the victim<\/h3>\n<p>The ransom note contains a link to the page for the 
victim. The encrypted and Base64-encoded key of the victim is passed via the URL to the attackers&#8217; server. Example: <em>http:\/\/7gie6ffnkrjykggd.onion\/login\/AQAAAAAAAAAAv4NRzsVPkfwPPWixq2mqtFwGWlZTeCDpL_BGPyeJFhDA<br \/> <\/em><\/p>\n<p>The key can also be pasted into a field on the website:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17028\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/via_field.png\" alt=\"\" width=\"644\" height=\"349\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/via_field.png 644w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/via_field-300x163.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/via_field-600x325.png 600w\" sizes=\"auto, (max-width: 644px) 100vw, 644px\" \/><\/p>\n<p>Keep in mind that the first login on the victim&#8217;s page starts the timer. From this moment, the countdown to the price increase is running.<\/p>\n<p>The website is protected by a simple captcha and allows for simple customization &#8211; the victim can choose one of the supported languages (currently 17):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17059\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/language_choose.png\" alt=\"\" width=\"617\" height=\"403\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/language_choose.png 617w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/language_choose-300x196.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/language_choose-600x392.png 600w\" sizes=\"auto, (max-width: 617px) 100vw, 617px\" \/><\/p>\n<p>The page contains typical information, such as the amount of ransom to be paid and further instructions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17084\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage_page.png\" alt=\"\" width=\"782\" height=\"730\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage_page.png 1001w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage_page-300x280.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sage_page-600x560.png 600w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" \/><\/p>\n<p>The page allows the victim to test the decryption capabilities by uploading some encrypted files (the size of each file must be less than 15 KB):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17044\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test1.png\" alt=\"\" width=\"770\" height=\"415\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test1.png 943w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test1-300x162.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test1-600x323.png 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/p>\n<p>However, the result is not available instantly:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17045\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test2.png\" alt=\"\" width=\"798\" height=\"286\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test2.png 949w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test2-300x107.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/test2-600x215.png 600w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/p>\n<p>After some hours, the decrypted version of the uploaded file is indeed available for download:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17058\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/download.png\" alt=\"\" width=\"787\" height=\"245\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/download.png 998w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/download-300x93.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/download-600x187.png 600w\" sizes=\"auto, (max-width: 787px) 100vw, 787px\" \/><\/p>\n<h3>Inside<\/h3>\n<p>Sage is delivered packed by various crypters. After defeating the first layer, we obtain a second PE file &#8211; the malicious core, which is not further obfuscated.<\/p>\n<p>At the beginning of the execution, Sage generates the Victim ID\/key and saves it in a .tmp file dropped in the %APPDATA% folder. Then it removes backups from the system:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17080\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/delete_shadows-1.png\" alt=\"\" width=\"611\" height=\"165\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/delete_shadows-1.png 611w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/delete_shadows-1-300x81.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/delete_shadows-1-600x162.png 600w\" sizes=\"auto, (max-width: 611px) 100vw, 611px\" \/><\/p>\n<p>Executed commands:<\/p>\n<pre>vssadmin.exe delete shadows \/all \/quiet\nbcdedit.exe \/set {default} recoveryenabled no\nbcdedit.exe \/set {default} bootstatuspolicy ignoreallfailures<\/pre>\n<p>Sage enumerates the files, and those matching the defined criteria are encrypted. 
First, the malware creates a file with the same name as the attacked one, but with three dots at the end.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17072\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/started_enc_file.png\" alt=\"\" width=\"742\" height=\"285\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/started_enc_file.png 742w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/started_enc_file-300x115.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/started_enc_file-600x230.png 600w\" sizes=\"auto, (max-width: 742px) 100vw, 742px\" \/><\/p>\n<p>Both files coexist in the system until the encryption is finished.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17073\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_of_sage_file.png\" alt=\"\" width=\"584\" height=\"75\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_of_sage_file.png 584w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_of_sage_file-300x39.png 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/p>\n<p>Then the original file is deleted and the newly created one is renamed with the extension <em>.sage<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17074\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/move_to_sage.png\" alt=\"\" width=\"998\" height=\"161\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/move_to_sage.png 998w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/move_to_sage-300x48.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/move_to_sage-600x97.png 600w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/p>\n<p>At the end, only the <em>.sage<\/em> file is left:<\/p>\n<p><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17075\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_of_sage_s2.png\" alt=\"\" width=\"574\" height=\"57\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_of_sage_s2.png 574w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_of_sage_s2-300x30.png 300w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><\/p>\n<h4>What is attacked?<\/h4>\n<p>Sage comes with a long list of the attacked extensions, that is hard-coded in the binary:<\/p>\n<pre>dat mx0 cd pdb xqx old cnt rtp qss qst fx0 fx1 ipg ert pic img cur fxr   slk m4u mpe mov wmv mpg vob mpeg 3g2 m4v avi mp4 flv mkv 3gp asf m3u m3u8   wav mp3 m4a m rm flac mp2 mpa aac wma djv pdf djvu jpeg jpg bmp png jp2 lz   rz zipx gz bz2 s7z tar 7z tgz rar ziparc paq bak set back std vmx vmdk vdi   qcow ini accd db sqli sdf mdf myd frm odb myi dbf indb mdb ibd sql cgn dcr   fpx pcx rif tga wpg wi wmf tif xcf tiff xpm nef orf ra bay pcd dng ptx r3d   raf rw2 rwl kdc yuv sr2 srf dip x3f mef raw log odg uop potx potm pptx rss  pptm aaf xla sxd pot eps as3 pns wpd wps msg pps xlam xll ost sti sxi otp   odp wks vcf xltx xltm xlsx xlsm xlsb cntk xlw xlt xlm xlc dif sxc vsd ots   prn ods hwp dotm dotx docm docx dot cal shw sldm txt csv mac met wk3 wk4   uot rtf sldx xls ppt stw sxw dtd eml ott odt doc odm ppsm xlr odc xlk ppsx   obi ppam text docb wb2 mda wk1 sxm otg oab cmd bat h asx lua pl as hpp clas   js fla py rb jsp cs c jar java asp vb vbs asm pas cpp xml php plb asc lay6   pp4 pp5 ppf pat sct ms11 lay iff ldf tbk swf brd css dxf dds efx sch dch   ses mml fon gif psd html ico ipe dwg jng cdr aep aepx 123 prel prpr aet   fim pfb ppj indd mhtm cmx cpt csl indl dsf ds4 drw indt pdd per lcd pct   prf pst inx plt idml pmd psp ttf 3dm ai 3ds ps cpx str cgm clk cdx xhtm   cdt fmv aes gem max svg mid iif nd 2017 tt20 qsm 2015 2014 2013 aif qbw   qbb qbm ptb qbi qbr 2012 des v30 
qbo stc lgb qwc qbp qba tlg qbx qby 1pa   ach qpd gdb tax qif t14 qdf ofx qfx t13 ebc ebq 2016 tax2 mye myox ets   tt14 epb 500 txf t15 t11 gpc qtx itf tt13 t10 qsd iban ofc bc9 mny 13t   qxf amj m14 _vc tbp qbk aci npc qbmb sba cfp nv2 tfx n43 let tt12 210   dac slp qb20 saj zdb tt15 ssg t09 epa qch pd6 rdy sic ta1 lmr pr5 op sdy   brw vnd esv kd3 vmb qph t08 qel m12 pvc q43 etq u12 hsr ati t00 mmw bd2   ac2 qpb tt11 zix ec8 nv lid qmtf hif lld quic mbsb nl2 qml wac cf8 vbpf   m10 qix t04 qpg quo ptdb gto pr0 vdf q01 fcr gnc ldc t05 t06 tom tt10   qb1 t01 rpf t02 tax1 1pe skg pls t03 xaa dgc mnp qdt mn8 ptk t07 chg   #vc qfi acc m11 kb7 q09 esk 09i cpw sbf mql dxi kmo md u11 oet ta8 efs   h12 mne ebd fef qpi mn5 exp m16 09t 00c qmt cfdi u10 s12 qme int? cf9   ta5 u08 mmb qnx q07 tb2 say ab4 pma defx tkr q06 tpl ta2 qob m15 fca eqb   q00 mn4 lhr t99 mn9 qem scd mwi mrq q98 i2b mn6 q08 kmy bk2 stm mn1 bc8   pfd bgt hts tax0 cb resx mn7 08i mn3 ch meta 07i rcs dtl ta9 mem seam   btif 11t efsl $ac emp imp fxw sbc bpw mlb 10t fa1 saf trm fa2 pr2 xeq   sbd fcpa ta6 tdr acm lin dsb vyp emd pr1 mn2 bpf mws h11 pr3 gsb mlc   nni cus ldr ta4 inv omf reb qdfx pg coa rec rda ffd ml2 ddd ess qbmd   afm d07 vyr acr dtau ml9 bd3 pcif cat h10 ent fyc p08 jsd zka hbk bkf   mone pr4 qw5 cdf gfi cht por qbz ens 3pe pxa intu trn 3me 07g jsda   2011 fcpr qwmo t12 pfx p7b der nap p12 p7c crt csr pem gpg key  <\/pre>\n<p>In order to access all the files without any interference, Sage searches and terminates any associated processes. 
Processes are identified by their names:<\/p>\n<pre>msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe\noracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exe\nisqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe\nencsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe\nmysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe<\/pre>\n<p>As is common in ransomware, some paths are excluded from the attack. In this case, the blacklist contains not only system directories but also other locations related to popular games, like &#8220;League of Legends&#8221;, &#8220;steamapps&#8221;, &#8220;GOG Games&#8221;, etc.<\/p>\n<pre>tmp Temp winnt 'Application Data' AppData ProgramData\n'Program Files (x86)' 'Program Files' '$Recycle Bin'\n'$RECYCLE BIN' Windows.old $WINDOWS.~BT DRIVER DRIVERS\n'System Volume Information' Boot Windows WinSxS DriverStore\n'League of Legends' steamapps cache2 httpcache GAC_MSIL\nGAC_32 'GOG Games' Games 'My Games' Cookies History IE5\nContent.IE5 node_modules All Users AppData ApplicationData\nnvidia intel Microsoft System32 'Sample Music'\n'Sample Pictures' 'Sample Videos' 'Sample Media' Templates<\/pre>\n<p>Some countries (recognized by keyboard layouts) are also excluded from the attack. 
Below is the function that checks whether a given keyboard layout is present in the system:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17049\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/has_keyboard.png\" alt=\"\" width=\"593\" height=\"491\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/has_keyboard.png 593w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/has_keyboard-300x248.png 300w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/p>\n<p>Systems with the following <a href=\"https:\/\/github.com\/FreeRDP\/FreeRDP\/blob\/master\/winpr\/include\/winpr\/locale.h\" target=\"_blank\">keyboard layouts<\/a> are omitted by Sage 2.2: Belarusian, Kazakh, Ukrainian, Uzbek, Sakha, Russian, Latvian.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17050\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/blacklisted_layouts.png\" alt=\"\" width=\"712\" height=\"139\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/blacklisted_layouts.png 712w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/blacklisted_layouts-300x59.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/blacklisted_layouts-600x117.png 600w\" sizes=\"auto, (max-width: 712px) 100vw, 712px\" \/><\/p>\n<h4>How does the encryption work?<\/h4>\n<p>Sage uses two cryptographic algorithms: elliptic-curve cryptography (ECC) and ChaCha20. ChaCha20 is used to encrypt the content of each file, while ECC is used to protect the randomly generated keys.<\/p>\n<p>Each random key is retrieved using a cryptographically secure generator (<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa387694(v=vs.85).aspx\" target=\"_blank\">SystemFunction036<\/a>). 
The filled buffer is preprocessed by a simple algorithm:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17065\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_random_key.png\" alt=\"\" width=\"692\" height=\"153\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_random_key.png 692w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_random_key-300x66.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/making_random_key-600x133.png 600w\" sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/p>\n<h5>Victim ID<\/h5>\n<p>At the beginning of the execution, Sage creates a random buffer and encrypts it using ECC. We will refer to the buffer produced by the first round of encryption as the Victim ID, and to the output of the next rounds as the Encrypted Victim ID.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17120\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/make_keys-1.png\" alt=\"\" width=\"566\" height=\"195\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/make_keys-1.png 566w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/make_keys-1-300x103.png 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/p>\n<p>In the first round, the random value is encrypted using ECC, producing the Victim ID.<\/p>\n<p>In the second round, the same random value is encrypted using ECC along with another buffer that is hard-coded in the binary. 
The output is processed in a similar way to the random buffer:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17122\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/preprocess.png\" alt=\"\" width=\"385\" height=\"169\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/preprocess.png 385w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/preprocess-300x132.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/preprocess-195x85.png 195w\" sizes=\"auto, (max-width: 385px) 100vw, 385px\" \/><\/p>\n<p>In the third round, the resulting buffer is again encrypted by ECC &#8211; producing the Encrypted Victim ID.<\/p>\n<p>Both output buffers are kept in the memory of the application and used later (they are also saved in the TMP file dropped in the %APPDATA% folder).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17145\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/make_victim_key.png\" alt=\"\" width=\"327\" height=\"280\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/make_victim_key.png 327w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/make_victim_key-300x257.png 300w\" sizes=\"auto, (max-width: 327px) 100vw, 327px\" \/><\/p>\n<p>The part highlighted in the screenshot is the Victim ID (the next 32 bytes after it are the Encrypted Victim ID):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17077\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id_temp.png\" alt=\"\" width=\"635\" height=\"338\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id_temp.png 635w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id_temp-300x160.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id_temp-600x319.png 600w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>The Victim ID is also saved in the ransom note, in a Base64*-encoded form:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17078\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id.png\" alt=\"\" width=\"713\" height=\"158\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id.png 713w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id-300x66.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/victim_id-600x133.png 600w\" sizes=\"auto, (max-width: 713px) 100vw, 713px\" \/><\/p>\n<p><em>*The character set is slightly modified in comparison to classic Base64. In order to decode it as Base64, we must replace &#8216;-&#8217; with &#8216;+&#8217; and &#8216;_&#8217; with &#8216;\/&#8217;; for example, the ID AQAAAAAAAAAAGwsZ-IAO5_pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA is in Base64: AQAAAAAAAAAAGwsZ+IAO5\/pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA<\/em><\/p>\n<p>In addition, the Victim ID is also saved in each and every encrypted file:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17079\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/stored_victim_id.png\" alt=\"\" width=\"632\" height=\"185\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/stored_victim_id.png 632w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/stored_victim_id-300x88.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/stored_victim_id-600x176.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/stored_victim_id-630x185.png 630w\" sizes=\"auto, (max-width: 632px) 100vw, 632px\" \/><\/p>\n<p>The Encrypted Victim ID takes part in encrypting the file&#8217;s content (as a 
key unique per victim).<\/p>\n<h5>File encryption<\/h5>\n<p>At the beginning of the file-encrypting function, a new 32-byte key is generated (unique per file).<\/p>\n<p>The random value is encrypted with the help of ECC twice:<\/p>\n<ul>\n<li>Individually &#8211; to make <em>key1<\/em>, which is stored in the file<\/li>\n<li>Along with the Encrypted Victim ID &#8211; to make <em>key2<\/em>, which is used by ChaCha20<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17067\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha_init-1.png\" alt=\"\" width=\"616\" height=\"422\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha_init-1.png 616w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha_init-1-300x206.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha_init-1-600x411.png 600w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/p>\n<p>As we can see, <em>key2<\/em> is used to initialize the cryptographic function&#8217;s context. 
ChaCha20 can be recognized by the <a href=\"https:\/\/tools.ietf.org\/html\/rfc7539\" target=\"_blank\">typical constants<\/a> used in the initialization function:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17046\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha20_init.png\" alt=\"\" width=\"382\" height=\"199\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha20_init.png 382w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/chacha20_init-300x156.png 300w\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" \/><\/p>\n<p>The file is encrypted chunk by chunk (the maximum chunk size is 0x20000) with the help of ChaCha20:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17064\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/encrypt_file_content.png\" alt=\"\" width=\"530\" height=\"438\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/encrypt_file_content.png 530w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/encrypt_file_content-300x248.png 300w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/p>\n<p>At the end of the file, the first derived key (<em>key1<\/em>) and some additional data are appended:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17068\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/append_data.png\" alt=\"\" width=\"634\" height=\"45\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/append_data.png 634w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/append_data-300x21.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/append_data-600x43.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/append_data-630x45.png 630w\" sizes=\"auto, (max-width: 634px) 100vw, 634px\" 
\/><\/p>\n<p>Appended data is separated from the encrypted file&#8217;s content by two hard-coded markers: 0x5A9E<strong>DEAD<\/strong> and 0x5A9E<strong>BABE<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17061\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/writing_markers.png\" alt=\"\" width=\"540\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/writing_markers.png 540w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/writing_markers-300x222.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/p>\n<p>Markers at the end of the encrypted file:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17062\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_ending_markers.png\" alt=\"\" width=\"614\" height=\"176\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_ending_markers.png 614w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_ending_markers-300x86.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_ending_markers-600x172.png 600w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><\/p>\n<p>After the first marker, Sage stores the following information: the Victim ID, <em>key1<\/em> and the size of the original file.<\/p>\n<h4>Network communication<\/h4>\n<p>Sage does not need any data from the CnC in order to work. However, as mentioned before, it may generate some UDP traffic, because it has the capability to send some data about the attacked system to the CnC. Depending on the configuration, the data may be sent either via UDP or via an HTTP POST request. The data is encrypted before being sent &#8211; also with the ChaCha20 algorithm. 
In the observed case, the ChaCha20 key was a buffer filled with 0 bytes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17129\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/post_or_udp.png\" alt=\"\" width=\"374\" height=\"150\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/post_or_udp.png 374w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/post_or_udp-300x120.png 300w\" sizes=\"auto, (max-width: 374px) 100vw, 374px\" \/><\/p>\n<h5>Examples of the data sent to the CnC<\/h5>\n<p>Sage sends the generated keys to the CnC, for example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17137\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_saved-1.png\" alt=\"\" width=\"645\" height=\"140\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_saved-1.png 645w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_saved-1-300x65.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/file_saved-1-600x130.png 600w\" sizes=\"auto, (max-width: 645px) 100vw, 645px\" \/><\/p>\n<p>Compare with the buffer before encryption:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17136\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/before_encrypt-1.png\" alt=\"\" width=\"543\" height=\"181\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/before_encrypt-1.png 543w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/before_encrypt-1-300x100.png 300w\" sizes=\"auto, (max-width: 543px) 100vw, 543px\" \/><\/p>\n<p>The same data is also formatted into a human-readable form, as shown below. However, so far we have not observed any use of this formatted data. It may be an unfinished feature that will be developed further in new versions of this product. 
Formatted equivalent of the above buffer:<\/p>\n<pre>[bin(33) 01CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, 4, {\n  \"v\": 1,\n  \"gpk\": bin(32) CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B,\n  \"pk\": bin(32) 2BB7BD5394B845629C90BB2B43D9655DC9C86347C4C695AB18150D7031B9E41F,\n}]<\/pre>\n<p>Another example &#8211; collected information about the attacked machine:<\/p>\n<pre>[bin(33) 01CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, 3, {\n  \"s\": {\n    \"w\": {\n      \"v\": [\n        6,\n        1,\n        false,\n        false,\n        7601,\n        1,\n        0,\n      ],\n      \"u\": \"tester\",\n      \"p\": \"TESTMACHINE\",\n    },\n    \"c\": \"       Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz\",\n    \"m\": 232,\n    \"k\": [68486165, 4026598409, 4026991637],\n  },\n  \"i\": 12288,\n  \"w\": null,\n}]<\/pre>\n<h4>Adding icons<\/h4>\n<p>An interesting and uncommon feature of Sage is that it changes the icons of the file types it uses. A padlock icon is assigned to the encrypted files with the <em>.sage<\/em> extension, and a key icon to the files with the <em>.hta<\/em> extension (which are used for the ransom notes). The icon change is implemented by setting the appropriate registry keys:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17047\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/add_sage_icons.png\" alt=\"\" width=\"838\" height=\"352\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/add_sage_icons.png 838w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/add_sage_icons-300x126.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/add_sage_icons-600x252.png 600w\" sizes=\"auto, (max-width: 838px) 100vw, 838px\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>Sage, similarly to Spora, uses a complex way of deriving keys. 
So far, there is no solution that would allow recovering the files without paying the ransom &#8211; that&#8217;s why we recommend focusing on prevention instead. <a href=\"https:\/\/www.malwarebytes.com\/premium\/\" target=\"_blank\">Malwarebytes 3.0 Premium<\/a> users are protected from Sage ransomware as long as it is installed prior to the infection.<\/p>\n<h3>Appendix<\/h3>\n<p><a href=\"https:\/\/blog.fortinet.com\/2017\/02\/02\/a-closer-look-at-sage-2-0-ransomware-along-with-wise-mitigations\" target=\"_blank\">https:\/\/blog.fortinet.com\/2017\/02\/02\/a-closer-look-at-sage-2-0-ransomware-along-with-wise-mitigations<\/a> &#8211; Fortinet about Sage 2.0<\/p>\n<hr \/>\n<p class=\"p1\"><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. <\/span><span class=\"s1\">She loves going into the details of malware and sharing threat information with the community. <\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\">hasherezade<\/a> and her personal blog: <a href=\"https:\/\/hshrzd.wordpress.com\/\"><span class=\"s3\">https:\/\/hshrzd.wordpress.com<\/span><\/a>.<\/span><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/03\/explained-sage-ransomware\/\">Explained: Sage ransomware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10439,10492,3764,10511,3765,11788,11600,10494],"class_list":["post-7152","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-encryption","tag-hasherezade","tag-malware","tag-phish","tag-ransomware","tag-sage-ransomware","tag-spora-ransomware","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7152"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7152\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7152"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}