
Sage 2.0 Ransomware (.sage) Support & Help Topic


27 replies to this topic

#1 adhearie15

adhearie15

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 13 December 2016 - 01:38 PM

Hi all..

Can anybody help me!! Every file on my computer is infected with ransomware. The extension of all my files changed to ".sage".

This is a screenshot of my computer after it was infected with ransomware. And I don't know the type of this ransomware.

I have a message in Notepad like this:

 

............................ Not your language? Use https://translate.google.com .............................

 
==============================================================================================================
===                                                                                                        ===
=====                                              WARNING!                                              =====
=======   YOUR DOCUMENTS, DATABASES, PROJECT FILES, AUDIO AND VIDEO CONTENT AND OTHER CRITICAL FILES   =======
=====             HAVE BEEN ENCRYPTED WITH A PERSISTENT MILITARY-GRADE CRYPTO ALGORITHM                  =====
===                                                                                                        ===
==============================================================================================================
 
............................................ How did this happen? ............................................
 
=== Specially for your PC was generated personal 4096 bit RSA key, both public and private.
=== All your files have been encrypted with the public key.
=== Decrypting of your files is only possible with the help of the private key and de-crypt program.
 
................................................ What do I do? ...............................................
 
=== Don't wait for a miracle and the price doubled!
=== Start obtaining Bitcoin now and restore your data easy way!
 
==============================================================================================================
===                                                                                                        ===
=====                   If you HAVE REALLY VALUABLE DATA, you better NOT WASTE YOUR TIME,                =====
=======                         because there is NO OTHER WAY to get your files,                       =======
=====                                         EXCEPT MAKE A PAYMENT                                      =====
===                                                                                                        ===
==============================================================================================================
 
For specific instructions, please visit your personal home page,
there are a few different addresses pointing to your page below:
 
 
.................................. What should you do with these addresses? ..................................
 
  1.  Take a look at the first address (in this case it is
 
  2.  Select it with the mouse cursor holding the left mouse button and
      moving the cursor to the right;
 
  3.  Release the left mouse button and press the right one;
 
  4.  Select "Copy" in the appeared menu;
 
  5.  Run your Internet browser (if you do not know what it is run the
      Internet Explorer);
 
  6.  Move the mouse cursor to the address bar of the browser (this is the
      place where the site address is written);
 
  7.  Click the right mouse button in the field where the site address
      is written;
 
  8.  Select the button "Insert" in the appeared menu;
 
  9.  Then you will see the address appeared there;
 
  10. Press ENTER;
 
  11. The site should be loaded; if it is not loaded repeat the same
      instructions with the second address and continue until the last
      address if falling.
 
If for some reason the site cannot be opened check the connection to the Internet.
 
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
 
Unlike them we are ready to help you always.
 
If you need our help but the temporary sites are not available:
 
  1.  Run your Internet browser (if you do not know what it is run the
      Internet Explorer);
 
  2.  Enter or copy the address
      address bar of your browser and press ENTER;
 
  3.  Wait for the site loading;
 
  4.  On the site you will be offered to download Tor Browser; download and
      run it, follow the installation instructions, wait until the
      installation is completed;
 
  5.  Run Tor Browser;
 
  6.  Connect with the button "Connect" (if you use the English version);
 
  7.  A normal Internet browser window will be opened after
      the initialization;
 
 
  9.  Press ENTER;
 
  10. The site should be loaded; if for some reason the site is not loading
      wait for a moment and try again
 
==============================================================================================================
===                                           !!! IMPORTANT !!!                                            ===
===                  Be sure to copy your instruction link to your notepad to not lose it.                 ===
==============================================================================================================

 




#2 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 2,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:92.96 million miles away from the sun
  • Local time:06:07 PM

Posted 13 December 2016 - 03:13 PM

Saw this on VirusTotal:

https://virustotal.com/en/file/24810111160a8b85698fdf55111145503ab02829f3e7d21ff0f914e172f23d4a/analysis/

If you look at the comments section, Karsten Hahn said it's a variant of CryLocker. Your ransom note seems to match, please see here. Demonslay335 will of course have more information. :)



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,910 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:07 PM

Posted 13 December 2016 - 04:30 PM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Kafeine

Kafeine

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 14 December 2016 - 06:03 AM

Hello,

 

I saw that sample ITW (dropped by RIG).

Message ended in : B2stwOd0.html

 


 

Sample sent to vt : https://www.virustotal.com/file/51c1b4814a7f7948ec33ac018467312307e1f4ab9cfc9ed2350e4abdb9701361/analysis/1481713265/

 

and available here: 

 

https://files.dontneedcoffee.com/index.php/s/NNrchFga0Jldm8G (password is malware)


Edited by Kafeine, 14 December 2016 - 06:05 AM.


#5 adhearie15


Posted 14 December 2016 - 07:01 AM


I just checked, but I cannot successfully fix my file.



#6 adhearie15


Posted 14 December 2016 - 07:03 AM


I'm sorry, I don't know what you mean. Maybe you can learn how to fix my problem? Thank you.



#7 Kafeine


Posted 14 December 2016 - 07:05 AM

Sorry. My reply was not meant to help you fix your files directly. It's not something I can do.

It was aimed at other researchers working on ransomware to get a fresh sample and be able to study it.

If some skilled guys look at it and figure out a weakness in the encryption, that might in the end help you.


Edited by Kafeine, 14 December 2016 - 07:05 AM.


#8 adhearie15


Posted 14 December 2016 - 07:06 AM


I finished submitting my encrypted files to ID Ransomware, but it cannot identify my files.



#9 adhearie15


Posted 14 December 2016 - 07:09 AM


Okay. I know, thanks for your answer and solutions. I will try your solution. Thank you.



#10 quietman7


Posted 14 December 2016 - 07:27 AM

As I said, if ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

#11 adhearie15


Posted 14 December 2016 - 12:13 PM

Hello,

My computer was infected with ransomware. All the data on my computer changed to the .sage extension. I just cleaned all the ransomware from my computer. But all the data on my computer still has the .sage extension and cannot be opened.

Maybe somebody can help me open my data or get back my data from before the ransomware infection?

Or maybe somebody has info about decrypting this ransomware?

thank you



#12 quietman7


Posted 14 December 2016 - 01:28 PM

@ adhearie15

I merged your topic with the existing one we already have. It is easier for victims and helpers to utilize one topic plus helps to avoid confusion.

#13 adhearie15


Posted 14 December 2016 - 08:31 PM


Thank you very much @quietman7. I hope I can find a decryptor that can open all the files after the ransomware infection.



#14 quietman7


Posted 14 December 2016 - 08:36 PM

You're welcome.

#15 konilio

konilio

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 14 March 2017 - 08:25 AM

Hello, all of my files have been encrypted by Sage 2.2 Ransomware!

 

Any help would be appreciated





