Cofense - Security Awareness Training & Email Threat Detection

Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks

Share This Article


Threat actors have demonstrated that despite the past two years’ explosion in new ransomware varieties, ransomware developers still believe that the market has not reached the point of saturation. Examples of encryption ransomware like Sage have made notable appearances on the phishing threat landscape in the early days of 2017, continuing the ransomware trend from 2016.

The first Sage delivery emails used a sexually explicit email to tempt potential victims into opening an attachment named “”.  This led to a malware infection from the embedded exe of the same name.

The Sage ransom payment sites used in this campaign are based on TOR address 7gie6ffnkrjykggd[.com and rzunt3u2[.]com, were provided by the threat actor to facilitate access to the payment sites. The command and control host for this campaign was on the Tor address mbfce24rgn65bx3g[.]onion and also resolved using rzunt3u2[.]com and er29sl[.]com as gateways.

Following this early distribution, threat actors moved toward the mainstream in a major way. The phishing email subjects used random numbers to help elude some basic filters and leveraged business-related themes rather than explicit or racy narratives.  The body of these emails explained that a financial transaction had been rejected and claimed that details about the failure could be found an attached document.

Sage Ransomware - Infected System Screenshot
Figure 1 – Sage Email Lure January 25th

A second variant indicated a that the deposit of a refund had been failed after an order had been canceled.

Sage Ransomware - Encrypted Files Screenshot
Figure 2 – Sage Email Lure January 25th

In this more polished campaign, the .zip file (named “”) contained a JavaScript application which, when run, facilitated the download of a Windows executable representing the Sage Ransomware to be downloaded. In this case, the payload binary was retrieved from the domain affections[.]top, however the payment gateway’s Tor site, as well as the unusual Tor2Web gateway addresses on er29sl[.]com and rzunt3u2[.]com remained the same.

Beginning on January 26th, email narratives and metadata used in these emails began to evidence similarity to phishing campaigns used to deliver the still-persistent Locky ransomware, however the January 26th malware behavior was in every way identical to the previous day’s campaign.

Sage Ransomware - Ransom Note Screenshot
Figure 3 – PhishMe Intelligence view of Jan 26th Malware Artifacts
Sage Ransomware - Encrypted Files Screenshot
Figure 4 – PhishMe Intelligence Watch List items for Sage Jan 26th campaign

The most interesting finding was the reuse of affections[.]top as part of the delivery process for another ransomware. Locky, one of the flagships of the ransomware market, was delivered as a payload from this domain on Monday, January 30. This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter trojan—a trend discussed in Paul Burbage’s post from January 16. This also serves to counter some of the claims that have been made about Locky “missing” from the threat landscape by showing that some threat actors, who choose a different set of tactics, techniques, and procedures, are continuing to deliver this ransomware utility.

Phishing Email Body - Example Image
Figure 5 – Locky and Sage use similar phishing campaigns

This overlapping infrastructure is a curious link between these two ransomware varieties and serves as a reminder of how malware support and distribution infrastructure is frequently reused. The distribution of Locky and Sage from this singular location also indicates that threat actors are leveraging new ransomware varieties such as Sage while continuing to use the reliable standby tools like Locky. This also provides evidence of the commodity status for ransomware tools like these. The similarity in delivery attributes and infrastructure is ultimately used in the distribution of distinct malware varieties with equal effectiveness for both.

However, these attributes give researchers and security professionals with a few avenues for mitigating these threats. First, the shared infrastructure provides a high-fidelity indicator of compromise that can be preemptively blocked to foil the delivery of multiple ransomware varieties. Secondly, since the qualitative tactics, techniques, and procedures used in the distribution of these ransomware varieties are nearly identical and closely resemble classic phishing narratives easily recognizable to users prepared and empowered to identify and report phishing emails.

Emails based on the threats shown in this blog post are also available as templates in PhishMe Simulator.

Curious to learn more? Download our latest PhishMe Malware Report free today for additional ransomware and phishing research.

Indicators of Compromise:

Sage Ransomware – Threat ID 8072

Artifacts 6e3a603a2baea548a40082fe39ee1e23
doc_details_jOiqRJ.js 2cc382d13c71e1cfd2be4146fca124ea
tGwikyITAZ.js 94e137db2cae8f0b2c6ed0417c2a3f09
47542.exe 6dbd79df861dbe109d2e7db0f01c1fb3
!Recovery_D14.html fb0087c2b50c9d10061400c7809fca74


Sage payload URL hxxp://
Sage command and control URLs hxxp://
Sage payment sites

Sage Ransomware – Threat ID 8085


Delivery-Details.js 47c3bb3294d69bf6b896992896b15a67 bf121c0c70cf6fb959884b2c9c70bedf
46325.exe f8c1c5078fb5628ff7f62115d746b274
!Recovery_D14.html 30f121a7c45bf0260ffa2427ee1a45dc


Sage payload URL hxxp://
Sage command and control URLs hxxp://
Sage payment sites

Locky Ransomware – Threat ID 8115

 Artifacts d60fb8ddb7857a6554e2231ad968df4e
Delivery-Details.js 93e4523dc320167493bee01b11b6fc51
DolXRXWIz.js c42ca3058385df5555f0197939a24157
23152.exe 26f3b9b60aa40c8798767e8be429781b
OSIRIS-89e0.htm 67cc9f88c06539937c20d448797ece99


Locky payload URL hxxp://
Locky command and control URLs hxxp://
Locky payment site g46mbrrzpfszonuk.onion


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.