Sage ransomware virus. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Ransomware

Sage ransomware fortifies its position in the online market

Sage virus reminds us of Cerber ransomware, which provides an explicit, well-structured payment website for each affected user. The infection operates as a computer virus that infiltrates the system by deceptive and fraudulent means and encrypts files with an RSA 4096 public key[1], appending the .sage file extension as it goes. The private key is kept on the criminals’ servers, and there is no way to reach it. The virus then replaces the desktop background with an image, AVuKmu.bmp, that contains information about the ransomware attack. This desktop image commands the victim to download Tor Browser[2] and access a secret payment website. To access this site, the victim needs to know his personal ID, which is stored in the !Recovery_AVuKmu.txt and !Recovery_AVuKmu.html files. The personal payment site is called Sage User Area and has five sections – Home, Payment, Test Decryption, Instructions, and Support.

The Home page informs the victim about the ransom price (0.73962 BTC, which is $545) and shows a countdown clock that urges the victim to pay up. According to the virus, the unique decryption key “will be destroyed” when the given period passes. On the Payment page, the virus explains how to buy Bitcoins[3]. Interestingly, the fraudsters set up an individual Bitcoin wallet for each victim; in other words, victims do not transfer the money to the same wallet but to thousands of them. The criminals even provide a QR code of the wallet so that victims transfer the ransom to the correct one. Just like Cerber and other advanced ransomware, Sage malware offers a free decrypt-one-file service, which gives the victim proof that the criminals actually can decrypt the encrypted files. The Instructions page explains how to use the Sage Decryptor, and the Support page allows victims to communicate with the malware authors.

The malware drops various files on the system, and inexperienced computer users might not be able to track all of them down. That is why we strongly recommend removing them with anti-malware programs such as Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. Before Sage removal, consider which anti-malware program you wish to use. If you already have one, make sure you update it while the computer is in Safe Mode with Networking. If you do not have an anti-malware program, remove Sage virus using one of our recommended ones or any other reliable anti-malware program. You can find useful software reviews in the Software section on our site.

Other versions of Sage

Sage 2.0 ransomware virus. This variant became not only a major headache for the online community but also a subject of research interest. Its emergence strengthened the assumption that the notorious Cerber virus lies behind this new threat. It activates itself with the help of a VBScript. During infection, it deletes the initial executable file and places a copy of itself in %AppData%. To complicate detection, the felons name the executable differently on each infected machine. In the !Recovery_[random chars].html instructions, victims find further information on how to access a unique Sage 2.0 payment site, which closely resembles that of another rapidly evolving threat, Spora ransomware. Sage 2.0 is also able to delete shadow volume copies, leaving victims with fewer data recovery options. In addition, it places a link to itself in the Startup folder, which lets the malware resume encryption even if the computer is rebooted. Its distribution campaigns rely on phishing and spam emails. Do not rush to open emails that appear personally addressed and carry an attachment such as EMAIL_[random set of numbers]_recipient.zip: it contains a JavaScript file, one of the key files responsible for activating the malware.

Sage 2.2 ransomware virus. This time the felons improved not only the technical capabilities of the threat but also its appearance. The ransom text changed from red to green, and the name of the instructions file has also been altered: the information about payment and data recovery is now presented in the !HELP_SOS.bmp file. It redirects to a specific website where victims are required to pay a specific amount of money, which may vary from $99 to $2000. Interestingly, this version shows more of Cerber’s features. Sage 2.2 contains an audio file which alarms victims even further and encourages them to make the transaction. The ticking clock with the elapsing time becomes a nerve-wracking sight as well. As for encryption, it appends the same .sage file extension. Its payment site lets residents of the 18 targeted countries choose their preferred language. Like Cerber, it also spares several countries, such as Ukraine, Belarus, Kazakhstan, Russia and Latvia. If you occasionally review the processes in the Task Manager, you might notice that the threat terminates or limits several crucial processes so that the encryption can proceed smoothly. The malware seems not to target common system directories, but it may paralyze your “League of Legends” game as well. Spam and phishing emails remain the main distribution method, though it might benefit from exploit kits as well. Therefore, arm yourself with proper security tools.

Possible routes of Sage ransomware infection

Sage virus is distributed via advanced malware dissemination techniques[4]. In most cases, the malware is downloaded from malicious websites, compromised sites, deceptive email attachments, malware-laden ads, or exploit kits. In some cases, malware can be installed alongside legitimate programs, but only if you download them from suspicious websites. Sometimes it is easy to avoid malware attacks, but in the vast majority of cases malicious programs travel using Trojan horse techniques, which means that they are disguised. For instance, they can pose as legitimate Flash Player or Java updates[5], free games, files, documents, and other items that do not seem dangerous at first sight. However, if you open such a file or program without realizing that it is infectious, the computer is compromised rapidly. To avoid such situations, we strongly recommend protecting your PC with anti-malware software.

Sage 2 ransomware emerges in the beginning of 2017

The developers of this ransomware project seem to be serious about their goals, and have therefore recently developed a new version of the infamous ransomware. Sage 2 virus is currently distributed via spam emails with a .ZIP file attached. This file is named EMAIL_[random chars]_recipient.zip or just [random chars].zip. The archive might contain another .zip file with either a JS or a Word file inside. Once executed, the JS file downloads the ransomware from an online server, whereas the Word file requires the victim to enable macros first; if the victim does so, it also downloads the malware onto the PC. The ransomware first stays idle for a while and then saves a copy of itself to the computer’s \AppData\Roaming folder. This file opens automatically and triggers a User Account Control prompt. The ransomware then encrypts all files described in its target list and saves !Recovery_[3 random chars].html as a ransom note on the desktop. The ransom note commands the victim to visit the Sage 2.0 payment website, where the victim finds out how much money this virus demands – it wants $2000 in Bitcoins. If the victim fails to pay the ransom within 7 days, the ransom price doubles. Sadly, this virus cannot be decrypted using any free data recovery tools. For more information about Sage 2.0, we suggest reading this article.
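The attachment pattern described for Sage 2.0 and Sage 2 above (an EMAIL_[digits]_recipient.zip that nests a second ZIP holding a .js or Word file) is something a mail gateway can check before delivery. The following is an added example written for this guide, not code from the article or from any product it names; the nested archive is constructed in memory with placeholder text, and the member names are invented:

```python
import io
import re
import zipfile

# Attachment name pattern the article describes: EMAIL_[random digits]_recipient.zip
NAME_RE = re.compile(r"^EMAIL_\d+_recipient\.zip$", re.IGNORECASE)
# Payload types the article names: a JavaScript downloader or a macro-bearing Word document
RISKY_EXT = (".js", ".doc", ".docm")


def suspicious_members(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """List member paths (nested paths joined with '/') that carry a risky extension.
    Recurses into nested ZIPs, which is how the article says the payload is packed."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.lower().endswith(RISKY_EXT):
                    found.append(name)
                elif name.lower().endswith(".zip") and depth < max_depth:
                    inner = suspicious_members(zf.read(info), depth + 1, max_depth)
                    found.extend(f"{name}/{m}" for m in inner)
    except zipfile.BadZipFile:
        pass  # not a ZIP (or corrupt): nothing further to inspect
    return found


def classify_attachment(filename: str, data: bytes) -> dict:
    """Combine the naming pattern with nested-content inspection into one verdict."""
    name_match = bool(NAME_RE.match(filename))
    members = suspicious_members(data)
    verdict = "block" if members else ("review" if name_match else "allow")
    return {"name_matches_pattern": name_match, "risky_members": members, "verdict": verdict}


def build_nested_sample() -> bytes:
    """Constructed sample: outer ZIP -> inner ZIP -> .js file holding a harmless placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_4412.js", "// placeholder text, not a real downloader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("EMAIL_2048316.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(classify_attachment("EMAIL_20483161_recipient.zip", build_nested_sample()))
```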

Getting rid of Sage ransomware – mission possible?

Sage virus drops a variety of malicious files, including AVuKmu.bmp, 1.tmp, hPBic1zL.tmp, VIxkxhFa.lnk, and more. The virus adds itself to the Startup programs so that it runs automatically whenever the victim boots the PC. To remove Sage ransomware, we suggest you reboot your PC in Safe Mode with Networking[6] (instructions on how to do it are provided below). Please do not start Sage removal without rebooting your PC as explained, because otherwise the virus might simply disable your antivirus every time you attempt to run it. Although at the moment we cannot offer any 100% efficient data decryption tool for .sage files, please take a look at the data recovery options provided below.
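The file indicators listed in this guide (the .sage extension, the !Recovery_<random>.txt/.html and !HELP_SOS.bmp notes, and the .lnk dropped in the Startup folder) can be turned into a quick triage scan. This is an added example written for this guide, not code from the article or from any product it names; it assumes you point it at the root of the affected profile (ideally a copy mounted from a clean system), and the sample directory tree it builds is constructed with empty files:

```python
import os
import re
import tempfile

# Indicators taken from the article: encrypted files get a .sage extension, the ransom note is
# !Recovery_<random>.txt / .html (Sage 2.2 uses !HELP_SOS.bmp), and persistence is a .lnk in Startup.
NOTE_RE = re.compile(r"^(!Recovery_[A-Za-z0-9]+\.(txt|html)|!HELP_SOS\.bmp)$", re.IGNORECASE)


def scan_tree(root: str) -> dict:
    """Walk root and collect Sage indicators: encrypted files, ransom notes, Startup .lnk files."""
    report = {"encrypted": [], "notes": [], "startup_links": []}
    for dirpath, _dirs, files in os.walk(root):
        in_startup = os.path.basename(dirpath).lower() == "startup"
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".sage"):
                report["encrypted"].append(path)
            elif NOTE_RE.match(name):
                report["notes"].append(path)
            elif in_startup and name.lower().endswith(".lnk"):
                report["startup_links"].append(path)
    return report


def verdict(report: dict) -> str:
    """'infected' when encrypted files or a note exist, 'suspicious' for a Startup link alone."""
    if report["encrypted"] or report["notes"]:
        return "infected"
    if report["startup_links"]:
        return "suspicious"
    return "clean"


def build_sample_tree() -> str:
    """Constructed directory layout mirroring what the article describes; every file is empty."""
    root = tempfile.mkdtemp(prefix="sage_demo_")
    docs = os.path.join(root, "Users", "victim", "Documents")
    startup = os.path.join(root, "Users", "victim", "AppData", "Roaming", "Microsoft",
                           "Windows", "Start Menu", "Programs", "Startup")
    os.makedirs(docs)
    os.makedirs(startup)
    for fname in ("report.docx.sage", "budget.xlsx.sage",
                  "!Recovery_AVuKmu.txt", "!Recovery_AVuKmu.html"):
        open(os.path.join(docs, fname), "w").close()
    open(os.path.join(startup, "VIxkxhFa.lnk"), "w").close()  # persistence link named in the article
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(verdict(r), r)
```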

Screenshot: Sage virus payment page

Manual Sage virus Removal Guide:

Remove Sage using Safe Mode with Networking

This method is specifically designed for dealing with severe threats. Some of them tend to lock the computer screen and turn off other crucial functions. If Sage ransomware has also deprived you of full control, restart the device in Safe Mode.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Sage

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-malware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Sage removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Sage using System Restore

You might benefit from System Restore as well. It should give you access if the first option did not succeed.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of Sage. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that Sage removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Sage from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

Sadly, the only way to recover all of your data is to have a backup.

If your files are encrypted by Sage, you can use several methods to restore them:

Make use of Data Recovery Pro

This is one of the alternative data recovery programs. One of its key practical features is the ability to restore deleted files as well.

Try to find Windows Previous Versions

If you enabled System Restore function in the past, you can use this method to recover the most important files one by one. Follow these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer option

This program works on the basis of shadow volume copies. Unfortunately, Sage malware deletes these copies beforehand. However, if you notice the first signs early, you might still have a chance to save your data if you act quickly.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Sage Decrypter

Because of its sophisticated design, no decryption tool has been released yet.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Sage and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst


  • Petrol

    I’m glad I had a backup. Don’t know what would’ve happened if I didn’t…

  • Vega

    Finally eliminated this virus. I am not going to pay the ransom no matter what. Criminals have no right to take away my files and demand money. I am not giving them what they want!

    • denver

      You’re right, but I lost all my documents that I worked on for a long time.