Sage 2.0 Ransomware (.sage) Support & Help Topic

Hy all..

Anybody help me!! Everything file in my computer infected ransomware. All extension my file change to ".sage"

Like this screenshot my computer after infected ransomware. And i don't know type from this ransomware.

I have message in notepad like this

 

............................ Not your language? Use https://translate.google.com .............................

 

==============================================================================================================

===                                                                                                        ===

=====                                              WARNING!                                              =====

=======   YOUR DOCUMENTS, DATABASES, PROJECT FILES, AUDIO AND VIDEO CONTENT AND OTHER CRITICAL FILES   =======

=====             HAVE BEEN ENCRYPTED WITH A PERSISTENT MILITARY-GRADE CRYPTO ALGORITHM                  =====

===                                                                                                        ===

==============================================================================================================

 

............................................ How did this happen? ............................................

 

=== Specially for your PC was generated personal 4096 bit RSA key, both public and private.

=== All your files have been encrypted with the public key.

=== Decrypting of your files is only possible with the help of the private key and de-crypt program.

 

................................................ What do I do? ...............................................

 

=== Don't wait for a miracle and the price doubled!

=== Start obtaining Bitcoin now and restore your data easy way!

 

==============================================================================================================

===                                                                                                        ===

=====                   If you HAVE REALLY VALUABLE DATA, you better NOT WASTE YOUR TIME,                =====

=======                         because there is NO OTHER WAY to get your files,                       =======

=====                                         EXCEPT MAKE A PAYMENT                                      =====

===                                                                                                        ===

==============================================================================================================

 

For specific instructions, please visit your personal home page,

there are a few different addresses pointing to your page below:

 

1 - http://wd7hdtrgrzunt3u2.onion.to/login/AXb6T9IYYP8P54rIr8D-0EUDSmo4d0eUxf8R0BWNISZvPC4sDM87_kLZZ3sgImFjY3VyYWN5IiA6IDI2LCAibG9jYXRpb24iIDogeyAibGF0IiA6IC03Ljk0OTY0NjI5OTk5OTk5OSwgImxuZyIgOiAxMTIuNjM3ODU0MSB9LCAic3RhdHVzIiA6ICJPSyIgfSA

2 - http://wd7hdtrgrzunt3u2.onion.cab/login/AXb6T9IYYP8P54rIr8D-0EUDSmo4d0eUxf8R0BWNISZvPC4sDM87_kLZZ3sgImFjY3VyYWN5IiA6IDI2LCAibG9jYXRpb24iIDogeyAibGF0IiA6IC03Ljk0OTY0NjI5OTk5OTk5OSwgImxuZyIgOiAxMTIuNjM3ODU0MSB9LCAic3RhdHVzIiA6ICJPSyIgfSA

3 - http://wd7hdtrgrzunt3u2.onion.city/login/AXb6T9IYYP8P54rIr8D-0EUDSmo4d0eUxf8R0BWNISZvPC4sDM87_kLZZ3sgImFjY3VyYWN5IiA6IDI2LCAibG9jYXRpb24iIDogeyAibGF0IiA6IC03Ljk0OTY0NjI5OTk5OTk5OSwgImxuZyIgOiAxMTIuNjM3ODU0MSB9LCAic3RhdHVzIiA6ICJPSyIgfSA

 

.................................. What should you do with these addresses? ..................................

 

  1.  Take a look at the first address (in this case it is

      http://wd7hdtrgrzunt3u2.onion.to);

 

  2.  Select it with the mouse cursor holding the left mouse button and

      moving the cursor to the right;

 

  3.  Release the left mouse button and press the right one;

 

  4.  Select "Copy" in the appeared menu;

 

  5.  Run your Internet browser (if you do not know what it is run the

      Internet Explorer);

 

  6.  Move the mouse cursor to the address bar of the browser (this is the

      place where the site address is written);

 

  7.  Click the right mouse button in the field where the site address

      is written;

 

  8.  Select the button "Insert" in the appeared menu;

 

  9.  Then you will see the address appeared there;

 

  10. Press ENTER;

 

  11. The site should be loaded; if it is not loaded repeat the same

      instructions with the second address and continue until the last

      address if falling.

 

If for some reason the site cannot be opened check the connection to the Internet.

 

Unfortunately these sites are short-term since the antivirus companies

are interested in you do not have a chance to restore your files but

continue to buy their products.

 

Unlike them we are ready to help you always.

 

If you need our help but the temporary sites are not available:

 

  1.  Run your Internet browser (if you do not know what it is run the

      Internet Explorer);

 

  2.  Enter or copy the address

      https://www.torproject.org/download/download-easy.html.en into the

      address bar of your browser and press ENTER;

 

  3.  Wait for the site loading;

 

  4.  On the site you will be offered to download Tor Browser; download and

      run it, follow the installation instructions, wait until the

      installation is completed;

 

  5.  Run Tor Browser;

 

  6.  Connect with the button "Connect" (if you use the English version);

 

  7.  A normal Internet browser window will be opened after

      the initialization;

 

  8.  copy or type the address http://wd7hdtrgrzunt3u2.onion/login/AXb6T9IYYP8P54rIr8D-0EUDSmo4d0eUxf8R0BWNISZvPC4sDM87_kLZZ3sgImFjY3VyYWN5IiA6IDI2LCAibG9jYXRpb24iIDogeyAibGF0IiA6IC03Ljk0OTY0NjI5OTk5OTk5OSwgImxuZyIgOiAxMTIuNjM3ODU0MSB9LCAic3RhdHVzIiA6ICJPSyIgfSA in this browser address bar;

 

  9.  Press ENTER;

 

  10. The site should be loaded; if for some reason the site is not loading

      wait for a moment and try again

 

==============================================================================================================

===                                           !!! IMPORTANT !!!                                            ===

===                  Be sure to copy your instruction link to your notepad to not lose it.                 ===

==============================================================================================================

 

Saw this on VirusTotal:

https://virustotal.com/en/file/24810111160a8b85698fdf55111145503ab02829f3e7d21ff0f914e172f23d4a/analysis/

If you look at the comments section, Karsten Hahn said it's a variant of CryLocker. Your ransom note seems to match, please see here. Demonslay335 will of course have more information.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

Example screenshot:

Hello,

 

I saw that sample ITW (dropped by RIG).

Message ended in : B2stwOd0.html

 

 

 

 

Sample sent to vt : https://www.virustotal.com/file/51c1b4814a7f7948ec33ac018467312307e1f4ab9cfc9ed2350e4abdb9701361/analysis/1481713265/

 

and available here: 

 

https://files.dontneedcoffee.com/index.php/s/NNrchFga0Jldm8G (password is malware)

Edited by Kafeine, 14 December 2016 - 06:05 AM.

Saw this on VirusTotal:

https://virustotal.com/en/file/24810111160a8b85698fdf55111145503ab02829f3e7d21ff0f914e172f23d4a/analysis/

If you look at the comments section, Karsten Hahn said it's a variant of CryLocker. Your ransom note seems to match, please see here. Demonslay335 will of course have more information.

I just check, but i cannot success fix my file

Hello,

 

I saw that sample ITW (dropped by RIG).

Message ended in : B2stwOd0.html

 

 

 

 

Sample sent to vt : https://www.virustotal.com/file/51c1b4814a7f7948ec33ac018467312307e1f4ab9cfc9ed2350e4abdb9701361/analysis/1481713265/

 

and available here: 

 

https://files.dontneedcoffee.com/index.php/s/NNrchFga0Jldm8G (password is malware)

I'm sorry, i dont know what you mean. MAybe you can learn how to fix my problem?thank you

Sorry. My reply was not meant to help you fix your files directly. It's not something i can do.

 

It was aimed at other researcher working on ransomware to get a fresh sample and be able to study it.

If some skilled guys look at it and figure a weakness in the encryption, that might in the end help you.

Edited by Kafeine, 14 December 2016 - 07:05 AM.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

Example screenshot:

I finish to submit my encripted files to id ransomware. But cannot identifying my files

Sorry. My reply was not meant to help you fix your files directly. It's not something i can do.

 

It was aimed at other researcher working on ransomware to get a fresh sample and be able to study it.

If some skilled guys look at it and figure a weakness in the encryption, that might in the end help you.

okay. I know, thank's for your answer and solutions. i will try your solution. thank you

I finish to submit my encripted files to id ransomware. But cannot identifying my files

As I said, if ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

Hello,

My computer after infected ransomware. All data in my computer change to .sage extension. I just clean all ransomware in my computer. But all data in my computer still have extension .sage and cannot open. 

Maybe somebody can help me to open my data or back my data before infected ransomware?

Or maybe somebody have info about decrypted this ransomware?

thank you

@ adhearie15

I merged your topic with the existing one we already have. It is easier for victims and helpers to utilize one topic plus helps to avoid confusion.

@ adhearie15

I merged your topic with the existing one we already have. It is easier for victims and helpers to utilize one topic plus helps to avoid confusion.

Thank you very much @quietman7. I hope can find decryptor can be opened all file after infected ransomware

You're welcome.

Hello, all of my files have been encrypted by Sage 2.2 Ransomware!

 

Any help would be appreciated