Sage 2.0 ransomware now distributed along with Locky, Cerber
Sage 2.0 ransomware now distributed along with Locky, Cerber

The little known Sage ransomware may be starting to hit the big time as reports state an upgraded version, Sage 2.0, has been spotted being spread by the same actors that normally distribute Locky, Cerber and Spora.

Sage 2.0 was spotted by a researcher Brad Duncan. The original Sage, a variant of CryLocker, was first unearthed by BleepingComputer in December 2016. Duncan in an Internet Storm Center post noted that Sage 2.0 is distributed via spam that seems to have little social engineering support.

The email has no subject line, but contains .zip attachment that contains a Word document with a malicious macro or Javascript file that downloads and executes the ransomware. The attachment is often named “email,” contains a series of numbers and the targets name. Another odd maneuver is the .zip file is often double zipped. Why this is done was not explained.

Once infected a ransom of $2,000 is demanded.

“I'm not sure how widely-distributed Sage ransomware is.  I've only seen it from this one malspam campaign, and I've only seen it one day so far.  I'm also not sure how effective this particular campaign is.  It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0,” Duncan wrote.