In early 2017, the Sage ransomware distinguished itself with a fresh take on the business model for criminal ransomware operations. Built with an engaging, intuitive user interface for requesting the ransom payment, it also reinforced the fact criminals are willing to invest in developing new versions of established ransomware tools. Sage has reasserted itself as a relevant player on the already-saturated ransomware threat landscape with version 2.2.
The overarching ransomware trend is clearly one that will not subside anytime soon. The criminal business model for ransomware has proven itself viable and profitable in both high-profile crises as well as in everyday attacks. The newest iteration of development upon the Sage ransomware demonstrates another example of the viability and willingness for malware writers to produce new and innovative ransomware tools.
This “revised” Sage ransomware continues to use a bright user interface with an interactive ransom note that shares user interface elements similar to those used by the successful Cerber ransomware. It is also designed to make paying the Bitcoin ransom easier by presenting the victims with a QR code that contains the Bitcoin wallet address used to collect the ransom. Finally, Sage has incorporated a simplistic analysis evasion tactic by detecting the presence of commonly used malware research tools.
In stark contrast to the drab payment sites used by many ransomware varieties, as shown in figure 1, Sage presents users with a colorful, accessible, and descriptive site. The site explains the victim’s situation and provides instructions to regain access to their encrypted data.
Figure 1 – Sage uses a descriptive and colorful payment interface
The $499 USD ransom amount also strikes a contrast to the marquee Locky ransomware. Locky recently made ransom demands equivalent to roughly $1600 USD. One perspective is that the lower ransom demand by attackers is attempting to encourage a much higher rate of compliance among victims compared to other contemporary ransomware tools.
One interesting similarity between this edition and older ransomware is the reuse of a technique distinctive to the successful Cerber encryption ransomware. One version of the ransom note, as shown in figure 2, is a Microsoft HTML application that is presented to the victim as an interactive means of navigating to the payment site. This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note.
Figure 2 – Sharing design elements with Cerber, Sage includes multi-lingual support
The threat actors also attempt to facilitate the ransom payment process by providing a QR code that victims can scan to obtain the Bitcoin wallet address. This step is likely intended to simplify the seemingly-complex Bitcoin transfer process required to pay the attackers’ demanded ransom.
Figure 3 – A QR code is used to help victims easily access the Bitcoin wallet address
As a rule, most ransomware varieties do few checks for virtualized or analysis environments. In many cases, criminals deploying ransomware for financial gain are willing to infect a wide variety of environments to maximize the likelihood that they will infect victims willing to comply with the ransom demands. The inclusion of a cursory check for common analysis tools implies that the creators of the Sage ransomware are actively pursuing evasion tactics to further frustrate the efforts of researchers and security professionals.
This malware does its best to encourage payments and facilitate the ease of complying with the ransom demands while simultaneously raising the bar for evading simplistic analysis processes.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.
