
Wise-guy attackers revise Sage ransomware

An evolved version of Sage ransomware has surfaced that features a QR code containing the attacker's Bitcoin wallet address, to make payment easier for victims.

Another recent addition is a set of improved anti-analysis capabilities that allow the malicious code to detect, and thereby avoid, commonly used malware research tools. "Earlier versions used variation in the delivery tools -- highly variable script applications -- to evade detection and frustrate analysis," said Brendan Griffin, author of the PhishMe blog post documenting the new version, in an interview with SC Media. "This new version focuses on the detection of virtualized environments, including malware sandboxes. It also added functionality to detect tools commonly used to derive information from malware at runtime."
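The two checks Griffin describes (virtual-machine detection and detection of runtime analysis tools) are the standard tells that sandbox-aware malware looks for, and the practical response for a defender is to find out which of those tells your own analysis environment exposes. The script below is an added example written for this article, not code from PhishMe or from the Sage sample; it scores a host against a generic set of indicators (virtual NIC MAC prefixes, low CPU and RAM counts, well-known debugger and tracer process names, telltale usernames). Those indicator lists are my assumptions about what such a check commonly looks for, not the specific logic the page attributes to Sage.

```python
"""Sandbox-hygiene check: score this host against the kind of VM / analysis-tool
tells that sandbox-aware ransomware looks for. Run it inside an analysis VM to
see which tells would give the environment away. Indicator lists are assumed
common examples for illustration, not the checks PhishMe attributes to Sage."""
import os
import subprocess
import sys
import uuid
from dataclasses import dataclass, field
from typing import List, Optional

# OUI prefixes assigned to common virtual NICs (assumed list for this example).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",  # VMware
                   "08:00:27",                                      # VirtualBox
                   "00:16:3e",                                      # Xen
                   "00:1c:42")                                      # Parallels

# Runtime-analysis tools (tracers, debuggers, sniffers) a sample might look for.
ANALYSIS_TOOLS = {"procmon.exe", "procmon64.exe", "procexp.exe", "wireshark.exe",
                  "fiddler.exe", "ollydbg.exe", "x64dbg.exe", "x32dbg.exe",
                  "idaq.exe", "idaq64.exe", "windbg.exe", "regshot.exe"}

SUSPICIOUS_USERS = {"sandbox", "malware", "virus", "test", "analyst"}


@dataclass
class Snapshot:
    mac: str                       # primary NIC MAC, colon separated
    cpu_count: int
    ram_gb: Optional[float]        # None when the platform does not expose it
    processes: List[str] = field(default_factory=list)
    username: str = ""


def check_snapshot(snap: Snapshot) -> List[str]:
    """Return the tells a Sage-style environment check would likely trip on."""
    tells = []
    if snap.mac.lower().startswith(VM_MAC_PREFIXES):
        tells.append(f"vm-mac:{snap.mac}")
    if snap.cpu_count < 2:
        tells.append(f"low-cpu:{snap.cpu_count}")
    if snap.ram_gb is not None and snap.ram_gb < 2.0:
        tells.append(f"low-ram:{snap.ram_gb:g}GB")
    found = sorted({p.lower() for p in snap.processes} & ANALYSIS_TOOLS)
    if found:
        tells.append("analysis-tools:" + ",".join(found))
    if snap.username.lower() in SUSPICIOUS_USERS:
        tells.append(f"suspicious-user:{snap.username}")
    return tells


def _running_processes() -> List[str]:
    """Best-effort process names via tasklist (Windows) or ps (POSIX)."""
    if sys.platform == "win32":
        cmd = ["tasklist", "/fo", "csv", "/nh"]
    else:
        cmd = ["ps", "-eo", "comm="]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return []
    names = []
    for line in out.splitlines():
        line = line.strip()
        if not line:
            continue
        if sys.platform == "win32":
            line = line.split(",")[0].strip('"')   # first CSV column is the image name
        names.append(os.path.basename(line))
    return names


def _ram_gb() -> Optional[float]:
    """Total physical RAM in GB, or None where sysconf cannot report it."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2 ** 30
    except (AttributeError, ValueError, OSError):
        return None


def collect_snapshot() -> Snapshot:
    """Gather the live host's values for the checks above."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))
    return Snapshot(mac=mac, cpu_count=os.cpu_count() or 1, ram_gb=_ram_gb(),
                    processes=_running_processes(),
                    username=os.environ.get("USERNAME") or os.environ.get("USER", ""))


# Constructed sample: a naively built analysis VM with Procmon running.
SAMPLE_SANDBOX = Snapshot(mac="00:0C:29:3a:bb:cc", cpu_count=1, ram_gb=1.0,
                          processes=["explorer.exe", "Procmon.exe"], username="sandbox")

if __name__ == "__main__":
    for tell in check_snapshot(collect_snapshot()) or ["no obvious tells"]:
        print(tell)
```

Each tell the script reports is something to fix in the sandbox build (give the VM a non-virtual-looking MAC, more than one vCPU and more than 2 GB of RAM, an ordinary username, and rename or hide analysis tooling) so a detonation of a sample like this one proceeds far enough to observe its behavior.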

Sage was first discovered in late 2016, and was soon observed spreading in campaigns run by the same actors who also distribute Locky, Cerber and Spora ransomware. At the time, Sage was found to imitate Cerber in its use of an interactive user interface to support payment. According to PhishMe, version 2.2 of Sage still contains this feature, distributing one version of its ransom note as an interactive Microsoft HTML Application (HTA), which lets the victim navigate directly to the payment site.

"This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note," explains Griffin.

PhishMe reports that Sage v2.2's ransom note was observed asking for $499, a relative bargain compared with other ransomware families such as Locky. "One perspective is that the lower ransom demand by attackers is attempting to encourage a much higher rate of compliance among victims compared to other contemporary ransomware tools," the blog post explains.

The ransom note also includes the aforementioned QR code, which victims can scan to facilitate payment to the attacker's Bitcoin wallet address. "This step is likely intended to simplify the seemingly-complex Bitcoin transfer process required to pay the attackers' demanded ransom," Griffin writes.

Bradley Barth

