Wise-guy attackers revise Sage ransomware

October 26, 2017

A evolved version of Sage ransomware has materialized that features a QR code containing the attacker's bitcoin wallet address, to enable easy payment.

Another recent addition is improved anti-analysis capabilities that allow the malicious code to detect and avoid commonly used malware research tools. "Earlier versions used variation in the delivery tools -- highly variable script applications -- to evade detection and frustrate analysis," said blog post author Brendan Griffin, in an interview with SC Media. "This new version focuses on the detection of virtualized environments, including malware sandboxes. It also added functionality to detect tools commonly used to derive information from malware at runtime."

Sage was first discovered in late 2016, and was soon observed spreading in campaigns by the same actors who also distribute Locky, Cerber and Spora ransomware. At the time, Sage was found to imitate Cerber in its use of an interactive user interface to support payment. According to a PhishMe, version 2.2 of Sage still contains this feature, distributing one version of its ransom note as an interactive Microsoft HTML application, thereby allowing the victim to navigate to the payment site.

"This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note," explains Griffin.

PhishMe reports that Sage v2.2's ransom note was observed asking for $499, which is a relative bargain when compared to other ransomwares like Locky. "One perspective is that the lower ransom demand by attackers is attempting to encourage a much higher rate of compliance among victims compared to other contemporary ransomware tools," the blog post explains.

The ransom note also includes the aforementioned QR code, which victims can scan to facilitate payment to the attacker's Bitcoin wallet address. "This step is likely intended to simplify the seemingly-complex Bitcoin transfer process required to pay the attackers' demanded ransom," Griffin writes.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Wise-guy attackers revise Sage ransomware

Related

DHS: US critical infrastructure facing malicious AI threat

Fake Red Cross blood drive info lures phishing victims

Bermuda system outages linked to Russian hackers

Related Events

Real-world Insights from a Sophos Threat Analyst: It’s Great You Have a Firewall, But Here’s Why You Shouldn’t Skip Over MDR

Revolutionizing the essentials: Friction-minimizing approaches to overcoming advanced account takeover (ATO)

Evening the Odds Against Overpowered Cyber Adversaries: A Business Impact Analysis

Get daily email updates