The Internet Storm Center documents a new ransomware variant circulating in the wild.

https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/

https://www.pcrisk.com/removal-guides/10732-sage-ransomware

On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware.  That Friday it delivered ransomware I’d never seen before called “Sage.”  More specifically, it was “Sage 2.0.”  Sage is yet another family of ransomware in an already crowded field.  It was noted on BleepingComputer forums back in December 2016, and Sage is a variant of CryLocker. 

Emails from this particular campaign generally have no subject lines, and they always have no message text.  The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware.  Sometimes, I’ll see a .js file instead of a Word document, but it does the same thing. The Word document macros or .js files are designed to download and install ransomware.

The infected Windows host has an image of the decryption instructions as the desktop background.  There’s also an HTML file with the same instructions dropped to the desktop.  The same HTML file is also dropped to any directory with encrypted files.  “.sage” is the suffix for all encrypted files.
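
A mail-triage heuristic for the campaign traits described above (no subject, no message text, a zip attachment holding a Word document or .js file), added here as an example and not taken from the diary. The function names, the Word extensions checked and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Carrier types named in the post; the exact Word extensions are an
# assumption (the post only says "Word document").
SUSPECT_EXTS = (".doc", ".docm", ".js")


def zip_member_names(data):
    """Return member names of a zip blob, or [] if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return which of the described campaign traits the raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("no-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        names = zip_member_names(part.get_payload(decode=True) or b"")
        bad = sorted(n for n in names if n.lower().endswith(SUSPECT_EXTS))
        if bad:
            hits.append("zip-with-" + ",".join(bad))
    return hits


def build_sample(subject, text, member):
    """Constructed test message: a zip attachment holding one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder, not a real document")
    msg = EmailMessage()
    if subject:
        msg["Subject"] = subject
    msg.set_content(text or "\n")  # whitespace-only body stands in for "no text"
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg.as_bytes()
```

A message matching all three traits is a candidate for quarantine and analyst review; any single trait alone is common in legitimate mail.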