Check out our video libray AppCheck defending aginst newest ransomware

Sage 2.2 Ransomware (.<Original Extension>... → .sage / MS Word + Explorer.exe Version)

  • Distribution Method : Mail attachment (.doc)
  • MD5 : 34014804c5f4ec9ca0540dcf55496e32
  • Major Detection Name : Win-Trojan/Sagecrypt.Gen (AhnLab V3), Ransom:Win32/Milicry!rfn (Microsoft)
  • Encrypted File Pattern : .<Original Extension>... → .sage
  • Malicious File Creation Location :
         - C:\Users\%UserName%\AppData\Local\Temp\<Number>.exe
         - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<Random>.lnk
         - C:\Windows\System32\Tasks\<Random>
  • Payment Instruction File : !HELP_SOS.hta
  • Major Characteristics :
         - Offline Encryption
         - CryLocker Ransomware series
         - File encryption using explorer.exe (Windows Explorer) Clean file
         - Change the default values of the registry entry "HKEY_CLASSES_ROOT\mscfile\shell\open\command" and a ransomware execution using Event Viewer (eventvwr.exe)
         - Automatically run a Disk Cleanup (REM \system32\cleanmgr.exe /autoclean /d <Drive Letter>:)
         - Guide a payment instrucition in 17 languages including English and Korean
         - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\<Random>.bmp)

Go to List

Please upgrade your web browser for better website experience.