{
	"id": "9f7b6b39-09fe-48e4-9270-12c4b4119add",
	"created_at": "2026-04-06T00:16:44.859117Z",
	"updated_at": "2026-04-10T13:12:09.979409Z",
	"deleted_at": null,
	"sha1_hash": "14c82bb7fff51f293d64f3921b690eead12cc503",
	"title": "Sage 2.0 Ransomware - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4877885,
	"plain_text": "Sage 2.0 Ransomware - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 19:04:08 UTC\r\nIntroduction\r\nOn Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware.  That Friday it delivered ransomware I'd never seen before called \"Sage.\"  More specifically, it was \"Sage 2.0.\"\r\nShown above:  It's always fun to find ransomware that's not Cerber or Locky.\r\nSage is yet another family of ransomware in an already crowded field.  It was noted on BleepingComputer forums back in December 2016 [1, 2], and Sage is a variant of CryLocker [3].  Unfortunately, I can't find an in-depth write-up on Sage that I like.  With that in mind, this diary examines Sage 2.0.\r\nThe malspam\r\nEmails from this particular campaign generally have no subject lines, and they never have any message text.  The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware.  Sometimes, I'll see a .js file instead of a Word document, but it does the same thing.\r\nhttps://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/\r\nPage 1 of 12\n\nShown above:  Data from a spreadsheet tracking the malspam (1 of 3).\r\nOften, the recipient's name is part of the attachment's file name.  I replace those names with [recipient] before I share any info.  A more interesting fact is that the attachments are often double-zipped.  
They contain another zip archive before you get to the Word document or .js file.\r\nShown above:  Data from a spreadsheet tracking the malspam (2 of 3).\r\nShown above:  Example of a Word document with a malicious macro.\r\nShown above:  Another example of the Word document with a malicious macro.\r\nThe Word document macros or .js files are designed to download and install ransomware.  In most cases on Friday, the ransomware was Sage 2.0.\r\nShown above:  Data from a spreadsheet tracking the malspam (3 of 3), mostly Sage 2.0.\r\nThe infected host\r\nUnder default settings, an infected Windows 7 host will present a UAC window before Sage continues any further.  It keeps appearing until you click yes.\r\nShown above:  UAC pop-up caused by Sage.\r\nThe infected Windows host has an image of the decryption instructions as the desktop background.  There's also an HTML file with the same instructions dropped to the desktop.  The same HTML file is also dropped to any directory with encrypted files.  \".sage\" is the suffix for all encrypted files.\r\nShown above:  Desktop of an infected Windows host.\r\nSage ransomware is kept persistent by a scheduled task, and it's stored as an executable in the user's AppData\\Roaming directory.\r\nShown above:  Sage ransomware and its scheduled task for persistence.\r\nFollowing the decryption instructions should take you to a Tor-based domain with a decryptor screen.  
On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin).\r\nShown above:  The Sage 2.0 decryptor.\r\nSage 2.0 traffic\r\nSage ransomware generates post-infection traffic.  In the image below, an initial HTTP GET request to smoeroota.top was caused by a .js file retrieving the ransomware.  The remaining HTTP POST requests are callback traffic generated by Sage 2.0 from the infected Windows host.\r\nShown above:  Screenshot of the infection traffic, filtered in Wireshark.\r\nShown above:  TCP stream of an HTTP request for the post-infection traffic.\r\nWhen the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses.  I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted.  BleepingComputer's September 2016 write-up on CryLocker shows the same type of UDP post-infection traffic, but CryLocker's traffic was not encrypted [4].\r\nShown above:  An HTTP request for the Sage 2.0 binary, followed by callback domains not resolving in DNS.\r\nShown above:  UDP traffic caused by Sage 2.0 when callback domains were unavailable.\r\nShown above:  Examining one of the UDP packets.\r\nIndicators of Compromise (IOCs)\r\nBelow are IOCs for Sage 2.0 from Friday 2017-01-20:\r\nRansomware downloads caused by Word document macros or .js files:\r\n54.165.109.229 port 80 - smoeroota.top - GET /read.php?f=0.dat\r\n54.165.109.229 port 80 - newfoodas.top - GET /read.php?f=0.dat\r\n84.200.34.99 port 80 - fortycooola.top - GET /user.php?f=0.dat\r\nPost-infection traffic:\r\n54.146.39.22 port 80 - mbfce24rgn65bx3g.er29sl.in - 
POST /\r\n66.23.246.239 port 80 - mbfce24rgn65bx3g.er29sl.in - POST /\r\nmbfce24rgn65bx3g.rzunt3u2.com (DNS queries did not resolve)\r\nVarious IP addresses, UDP port 13655 - possible P2P traffic\r\nTor-based domains to view the decryption instructions:\r\n7gie6ffnkrjykggd.rzunt3u2.com\r\n7gie6ffnkrjykggd.er29sl.in\r\n7gie6ffnkrjykggd.onion\r\nSHA256 hashes for the Sage 2.0 ransomware samples:\r\nExamples of locations on the infected Windows host where Sage 2.0 was made persistent:\r\nC:\\Users\\[username]\\AppData\\Roaming\\gNwO5YoE.exe\r\nC:\\Users\\[username]\\AppData\\Roaming\\wiqpNWm7.exe\r\nNOTE: File names appear to consist of 8 random alphabetic characters with an .exe suffix.\r\nFinal words\r\nAn important note:  URLs for the ransomware download will send Cerber one day, but the same URLs can send something like Sage ransomware the next.\r\nI'm not sure how widely distributed Sage ransomware is.  I've only seen it from this one malspam campaign, and I've only seen it one day so far.  I'm also not sure how effective this particular campaign is.  It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0.\r\nStill, Sage is another name in the wide variety of existing ransomware families.  
This illustrates how profitable ransomware remains for cyber criminals.\r\nPcaps, emails, malware, and artifacts for this diary are available here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nReferences:\r\n[1] https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/\r\n[2] https://www.bleepingcomputer.com/forums/t/634747/sage-ransomware-sage-support-help-topic/\r\n[3] https://www.pcrisk.com/removal-guides/10732-sage-ransomware\r\n[4] https://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/\r\nSource: https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/"
	],
	"report_names": [
		"21959"
	],
	"threat_actors": [],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14c82bb7fff51f293d64f3921b690eead12cc503.pdf",
		"text": "https://archive.orkl.eu/14c82bb7fff51f293d64f3921b690eead12cc503.txt",
		"img": "https://archive.orkl.eu/14c82bb7fff51f293d64f3921b690eead12cc503.jpg"
	}
}