An upgraded version of the Sage ransomware hits with style

by Julie Splinters - -

The Sage ransomware is called ransomware with style because of its engaging user interface and international accessibility with an interactive ransom note. This ransomware offers its victims a simplistic payment method and does its best to encourage payments.

 the sage ransomware

The ransomware was discovered by security researchers at PhishMe. Brendan Griffin at their blog site indicated:[1]

In stark contrast to the drab payment sites used by many ransomware varieties, Sage presents users with a colorful, accessible and descriptive site. The site explains the victim’s situation and provides instructions to regain access to their encrypted data.

One of the similarities with this modern version of ransomware and the older one is the reuse of an original technique: both presents its victims a Microsoft HTML program as an interactive which navigates victims to the payment website.

In addition, “This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generations of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note.”

The most recent version of Sage ransomware is created to make paying a Bitcoin ransom easy and simple so victims wouldn’t have to deal with payment issues. The ransomware presents the QR code which contains the Bitcoin walled address in the compromised device in order to easily and simply collect the ransom.[2]

Most of other contemporary ransomware do several checks for virtualized or analysis environments because usually, attackers are willing to infect a variety of environments. It is worth mentioning that Sage v2.2 includes a simple analysis evasion tactic which uncovers the appearance of widely used malware research tools.

In comparison, the Sage ransomware asks its victims to pay $499 ransom, while the leading Locky ransomware asks for about $1,600. Researchers indicate that the attackers behind Sage can possibly attempt to receive a much higher rate of victims that pay the ransom offering them a smaller ransom demand compared to other existing ransomware tools that ask for way higher ransom demand.[3]

In addition, the security research B. Griffin noted,

The overarching ransomware trend is clearly one that will not subside anytime soon. The criminal business model for ransomware has proven itself viable and profitable in both high-profile crises as well as in everyday attacks. The newest iteration of development upon the Sage ransomware demonstrates another example of the viability and willingness of malware writers to produce new and innovative ransomware tools.

About the author

Julie Splinters
Julie Splinters - VPN service analyst

Julie Splinters is a VPN service analyst at, who specializes in VPN services and anti-spyware applications. Her major of English Philology and her passion for IT helped her choose the path of an IT writer.

Contact Julie Splinters
About the company Esolutions


now online
Like us on Facebook