SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

New variants of Sage ransomware Spotted in the Wild. (Feb 17, 2017)


The SonicWall Threats Research team observed reports of a new variant family of Sage Ransomware [GAV: Suspicious#polycrypt.1_2 and Sage.B] actively spreading in the wild.

Sage 2.0 encrypts the victims files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The Malware uses the following icon:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\Application Data\W3UoRbov.exe

The Trojan adds the following files to the Windows to ensure persistence upon reboot:

  • %Userprofile%\Start Menu\Programs\Startup\6OICFYbI

    • "%Userprofile%\Application Data\W3UoRbov.exe"

The Trojan adds the following keys to the Windows registry:

Once the computer is compromised, the malware copies its own executable file to %Userprofile%\ Application Data\ folder and deletes its own executable file.

The Malware encrypts all personal documents and files it shows the following webpage:

It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.

Command and Control (C&C) Traffic

The Malware performs C&C communication over TCP and UDP ports. The malware sends your system UID to its own C&C server via following format, here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Suspicious#polycrypt.1_2 (Trojan)

  • GAV: Sage.B (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2020 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 15.3 | S1MSW03