Ransomware Report


Title: Sage ransomware uses email attachment macro function
Registration date: 2022-08-30
Views: 17704

[Sage Ransomware]

[Virus/Malware Activity Report: Sage Ransomware]

A breach believed to involve the Sage ransomware has been identified; this report confirms the situation
and provides a warning as follows.

Sage Ransomware

The ransomware is called Sage and appears to rename every file it encrypts with the extension .sage.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Deleting shadow copies

    It disables Windows' built-in recovery function and deletes the existing shadow copies so that files cannot easily be restored.


    [Figure 3: Deleting a shadow copy]

  • Create temporary commands

    The temporary command file that is executed first checks the network connection status, then moves the ransomware executable to a temporary folder and runs it from there, and finally deletes the command file that was executed.


    [Figure 4 Temporary folder]


    [Figure 5 Execution command]


    [Figure 6 Execution location of actual ransomware]

  • Code obfuscation and data protection

    The packed executable carries protection against unpacking and analysis, and the script itself is also obfuscated.

Infection results

A ransom note named !Recovery_SB8.html is created in each folder, and when encryption is performed, each file is renamed to <encrypted file name>.sage.


[Figure 7 Infection result 1]
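The behavioral process and infection result described above translate directly into host-side indicators a defender can check for. The following is an added example, not code from the original report or from Everyzone/White Defender: it runs three constructed detection rules over constructed process-creation log lines (macro-launched shell, shadow-copy deletion, execution from a temporary folder) and then scans a constructed directory tree for the !Recovery_SB8.html note and .sage files. The log line format, the sample file names and the assumption that shadow copies are deleted via vssadmin or wmic are all assumptions of this example; the report itself does not state which command Sage uses.

```python
"""Added defender-side triage helpers for the Sage indicators described in the report.

Assumptions (not taken from the report): the process log format "time|parent|image|cmdline"
is constructed here, and shadow-copy deletion is matched against the commonly seen
vssadmin / wmic command lines.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    "10:00:01|outlook.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.cmd",
    "10:00:02|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "10:00:03|cmd.exe|C:\\Users\\u\\AppData\\Local\\Temp\\sage.exe|sage.exe",
    "10:05:00|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
]

# Rule 1: a mail or Office client (macro) spawning a shell interpreter.
MACRO_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe"}
# Rule 2: shadow-copy deletion (assumed command lines, see module docstring).
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Rule 3: an executable or batch file launched from the user's Temp folder.
TEMP_EXEC = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(exe|cmd|bat)$", re.I)

# Indicators from the report's "Infection results" section.
NOTE_NAME = "!Recovery_SB8.html"
ENC_EXT = ".sage"


@dataclass
class Finding:
    time: str
    rule: str
    detail: str


def parse_event(line):
    """Split one constructed 'time|parent|image|cmdline' line into a dict."""
    time, parent, image, cmdline = line.split("|", 3)
    return {"time": time, "parent": parent, "image": image, "cmdline": cmdline}


def detect_events(lines):
    """Apply the three behavioral rules to the log lines and return findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["parent"].lower() in MACRO_PARENTS and image_name in SHELL_IMAGES:
            findings.append(Finding(ev["time"], "macro-spawned-shell", ev["cmdline"]))
        if SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(Finding(ev["time"], "shadow-copy-deletion", ev["cmdline"]))
        if TEMP_EXEC.search(ev["image"]) and ev["parent"].lower() == "cmd.exe":
            findings.append(Finding(ev["time"], "temp-folder-execution", ev["image"]))
    return findings


def scan_tree(root):
    """Return, per folder under root, the count of .sage files and whether the note is present.

    Folders with neither indicator are omitted from the result.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        n_enc = sum(1 for f in files if f.lower().endswith(ENC_EXT))
        has_note = NOTE_NAME in files
        if n_enc or has_note:
            report[os.path.relpath(dirpath, root)] = {"encrypted": n_enc, "note": has_note}
    return report


def build_sample_tree():
    """Create a constructed directory tree imitating the infection result (empty files, no real encryption)."""
    root = tempfile.mkdtemp(prefix="sage_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.sage", "budget.xlsx.sage", NOTE_NAME):
        open(os.path.join(docs, name), "w").close()
    clean = os.path.join(root, "Pictures")
    os.makedirs(clean)
    open(os.path.join(clean, "cat.jpg"), "w").close()
    return root


def demo_scan():
    """Build the sample tree, scan it, remove it again and return the scan report."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in detect_events(SAMPLE_EVENTS):
        print(f"{f.time} {f.rule}: {f.detail}")
    for folder, info in demo_scan().items():
        print(folder, info)
```

Run as a script, the event rules flag the macro-launched cmd.exe, the shadow-copy deletion and the executable started from the Temp folder, and the tree scan reports only the Documents folder (two .sage files plus the note). On a real host the same `scan_tree` can be pointed at user profile roots to size an infection, while the three rules map onto process-creation telemetry such as Sysmon event ID 1 once the parser is adapted to that format.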

White Defender compatible

White Defender blocks the Sage ransomware and automatically restores, in real time, any files that were encrypted before the malicious behavior was blocked. It also detects the ransomware file that was initially executed.


[Figure 8 Block message]


[Figure 9 Blocking details]


Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.