A evolved version of Sage ransomware has materialized that features a QR code containing the attacker's bitcoin wallet address, to enable easy payment.

Another recent addition is improved anti-analysis capabilities that allow the malicious code to detect and avoid commonly used malware research tools. "Earlier versions used variation in the delivery tools -- highly variable script applications -- to evade detection and frustrate analysis," said blog post author Brendan Griffin, in an interview with SC Media. "This new version focuses on the detection of virtualized environments, including malware sandboxes. It also added functionality to detect tools commonly used to derive information from malware at runtime."

Sage was first discovered in late 2016, and was soon observed spreading in campaigns by the same actors who also distribute Locky, Cerber and Spora ransomware. At the time, Sage was found to imitate Cerber in its use of an interactive user interface to support payment. According to a PhishMe, version 2.2 of Sage still contains this feature, distributing one version of its ransom note as an interactive Microsoft HTML application, thereby allowing the victim to navigate to the payment site.

"This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note," explains Griffin.

PhishMe reports that Sage v2.2's ransom note was observed asking for $499, which is a relative bargain when compared to other ransomwares like Locky. "One perspective is that the lower ransom demand by attackers is attempting to encourage a much higher rate of compliance among victims compared to other contemporary ransomware tools," the blog post explains.

The ransom note also includes the aforementioned QR code, which victims can scan to facilitate payment to the attacker's Bitcoin wallet address. "This step is likely intended to simplify the seemingly-complex Bitcoin transfer process required to pay the attackers' demanded ransom," Griffin writes.