New variants of Sage ransomware Spotted in the Wild. (Feb 17, 2017)
The SonicWall Threats Research team observed reports of a new variant family of Sage Ransomware [GAV: Suspicious#polycrypt.1_2 and Sage.B] actively spreading in the wild.
Sage 2.0 encrypts the victims files with a strong encryption algorithm until the victim pays a fee to get them back.
Infection Cycle:
The Malware uses the following icon:
The Malware adds the following files to the system:
-
Malware.exe
-
%Userprofile%Application DataW3UoRbov.exe
-
The Trojan adds the following files to the Windows to ensure persistence upon reboot:
-
%Userprofile%Start MenuProgramsStartup6OICFYbI
-
“%Userprofile%Application DataW3UoRbov.exe”
-
The Trojan adds the following keys to the Windows registry:
Once the computer is compromised, the malware copies its own executable file to %Userprofile% Application Data folder and deletes its own executable file.
The Malware encrypts all personal documents and files it shows the following webpage:
It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.
Command and Control (C&C) Traffic
The Malware performs C&C communication over TCP and UDP ports. The malware sends your system UID to its own C&C server via following format, here are some examples:
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
-
GAV: Suspicious#polycrypt.1_2 (Trojan)
-
GAV: Sage.B (Trojan)
