The original version appends the ".sage" extension to encrypted files and demands $150 in bitcoins for the decryption key. An second version, Sage 2.0, demands $2,000. Sage 2.2 was discovered in February 2017 and downloads its main payload to %Temp% folder.
The ransomware is distributed via spam emails and uses a combination of RSA and AES encryption. The ransomware continues to evolve and has also been circulating as a fake Chrome font pack that is distributed via compromised websites.
The ever evolving ransomware targets Windows users and does not infect computers using the Russian language. The malware encrypts files located in multiple locations including local and remote drives, removable drives, mapped drives, and un-mapped network shares.
The ransomware mainly targets South Korean victims and is distributed via the Magnitude exploit kit. The malicious software uses AES encryption and uses four domains for callback to the command and control servers.
The ransomware is programmed in .NET and demands 0.25 Bitcoin for the decryption key. The malicious software continues to evolve with many new variants appearing on the threat landscape on a monthly basis.
BTCWare - Ransomware
The ransomware demands 0.5 bitcoin for the decryption key and uses AES encryption. The malicious software was first discovered in early 2017 with new variants appearing on a consistent basis.