SAGE 2.2 is a dangerous strain of ransomware that belongs to the crypto virus family, notorious for encrypting files and locking victims out of their own data. This malware is an updated version of the original Sage ransomware, with improvements designed to make it harder to decrypt files and demand ransom payments from victims.
Threat Summary
| Attribute | Details |
|---|---|
| Threat Name | SAGE 2.2 Ransomware |
| Threat Type | Ransomware, Crypto Virus, Files Locker |
| Encrypted File Extension | .sage |
| Ransom Note File Name | !HELP_SOS.hta |
| Ransom Note Content | Provides decryption instructions, with links to access personal decryption key |
| Associated Email Addresses | Not provided (links to websites used for communication) |
| Detection Names | Avast (Win32:Evo-gen [Trj]), Combo Cleaner (Gen:Variant.Ransom.Shade.27), ESET-NOD32 (A Variant Of Win32/Kryptik.FTVG), Kaspersky (Trojan-Ransom.Win32.SageCrypt.fqg), Microsoft (Trojan:Win32/Wacatac.B!ml) |
| Symptoms of Infection | Files can no longer be opened; extension changes to .sage; ransom note displayed on desktop |
| Damage | Encrypted files, potential installation of additional malware like trojans |
| Distribution Methods | Infected email attachments (macros), torrent websites, malicious ads |
| Danger Level | High – files are locked, and ransomware may continue to spread across networks if not removed promptly |
What is SAGE 2.2 Ransomware?
SAGE 2.2 is an advanced ransomware strain that encrypts files on an infected system. It appends the “.sage” extension to all encrypted files, effectively locking them away. In addition to encrypting files, SAGE 2.2 also changes the victim’s desktop wallpaper and displays a ransom note named !HELP_SOS.hta.
When a victim’s files are encrypted, they cannot be opened or accessed without the decryption key, which can only be provided by the cybercriminals behind the attack. The ransom note instructs victims to purchase the “SAGE Decrypter” software in order to restore their files to their original state. The attackers also warn against using any other decryption tools, stating that doing so could permanently damage or destroy the encrypted files.
How Does SAGE 2.2 Infect a Computer?
Ransomware like SAGE 2.2 is typically delivered through malicious email attachments or links. These emails may appear to be legitimate but contain infected files (such as Excel or Word documents with macros) that, when opened, install the ransomware on the victim’s system. Other common distribution methods include malicious ads on compromised websites, software vulnerabilities, and downloads from torrent websites or untrustworthy sources.
Once the ransomware is executed, it encrypts all files it can access on the system, changing their extensions to “.sage.” This makes it impossible for the user to open their files without the decryption key, which only the cybercriminals control.
The Ransom Note and Demands
After encrypting the files, SAGE 2.2 displays a ransom note both in a pop-up window and as a text file named !HELP_SOS.hta. The note explains the situation to the victim, informing them that their files are encrypted and that the only way to restore them is to obtain the SAGE Decrypter software and a personal decryption key.
The attackers also provide links to websites where the victim can purchase the decryption tool, instructing them to use the Tor Browser to access the pages if the links don’t work. This makes the ransom payment process more difficult to trace, adding another layer of anonymity for the criminals.
Important Note: The ransom note also emphasizes that using any other decryption tools may result in irreparable damage to the files.
Removal Guide: How to Remove SAGE 2.2?
If you’ve fallen victim to SAGE 2.2 ransomware, the first thing you need to do is stop its spread and prevent further damage. Removing the ransomware and attempting to decrypt your files should be done as soon as possible. Below is a step-by-step guide on how to remove SAGE 2.2 using SpyHunter, an advanced anti-malware tool.
Remove annoying malware threats like this one in seconds!
Scan Your Computer for Free with Spyhunter
Download Spyhunter now, and scan your computer for this and other cybersecurity threats for free now!
Step 1: Disconnect from the Internet
The first thing you should do when you realize your computer has been infected is disconnect from the internet. This prevents the ransomware from spreading to other devices on your local network and stops any further communication between your system and the attackers.
Step 2: Install SpyHunter
If you don’t already have SpyHunter installed, you will need to download and install it. SpyHunter is a reputable anti-malware program that can detect and remove ransomware like SAGE 2.2, as well as other threats that may have been installed alongside it.
- Download SpyHunter.
- Install the program and follow the on-screen instructions.
- Launch SpyHunter and update it to ensure it has the latest virus definitions.
Step 3: Scan Your System
Once SpyHunter is installed and up-to-date, run a full system scan. The program will detect and quarantine any malicious files, including the SAGE 2.2 ransomware and any associated malware.
Step 4: Remove the Ransomware
After the scan is complete, SpyHunter will display a list of detected threats. Select SAGE 2.2 ransomware from the list and choose Remove to eliminate it from your system. Follow the prompts to ensure complete removal.
Step 5: Restore Your Files (if Possible)
Unfortunately, there is no free decryption tool available for SAGE 2.2. If you have backups of your files, now is the time to restore them. If not, you may need to consider professional data recovery services, though there is no guarantee that the files will be recoverable without the decryption key.
Preventive Methods to Avoid Future Infections
While removing SAGE 2.2 is crucial, it’s equally important to take steps to prevent future infections. Here are several preventive measures that can help protect your computer from ransomware:
- Use Reliable Security Software: Always have an updated antivirus or anti-malware tool like SpyHunter installed on your computer. Set it to run regular scans and keep its definitions up to date.
- Be Cautious with Email Attachments and Links: Never open email attachments or click on links from unknown or suspicious sources. Cybercriminals often use phishing emails to distribute ransomware.
- Update Your Software Regularly: Ensure that your operating system, antivirus software, and other programs are always up to date. Vulnerabilities in outdated software are common targets for ransomware.
- Backup Your Files: Regularly back up your important files to an external drive or cloud storage. This can be a lifesaver if you ever fall victim to a ransomware attack.
- Enable Network Protection: Use a firewall to block unauthorized access to your network and prevent ransomware from spreading.
- Educate Yourself and Others: Train yourself and others in your household or workplace about the dangers of ransomware and how to avoid falling victim to it.
Remove annoying malware threats like this one in seconds!
Scan Your Computer for Free with Spyhunter
Download Spyhunter now, and scan your computer for this and other cybersecurity threats for free now!
Text in the Ransom Note
File recovery instructions
You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by “SAGE 2.2 Ransomware”.
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting “SAGE Decrypter” software and your personal decryption key.
Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.
You can purchase “SAGE Decrypter” software and your decryption key at your personal page you can access by following links:
If none of these links work for you, click here to update the list.
Updating links…
Something went wrong while updating links, please wait some time and try again or use “Tor Browser” method below.
Links updated, if new ones still don’t work, please wait some time and try again or use “Tor Browser” method below.
If you are asked for your personal key, copy it to the form on the site. This is your personal key:
–
You will also be able to decrypt one file for free to make sure “SAGE Decrypter” software is able to recover your files
If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using “Tor Browser”.
In order to do that you need to:
open Internet Explorer or any other internet browser;
copy the address hxxps://www.torproject.org/download/download-easy.html.en into address bar and press “Enter”;
once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;
once installation is finished, open the newly installed Tor Browser and press the “Connect” button (button can be named differently if you installed non-English version);
Tor Browser will establish connection and open a normal browser window;
copy the address
–
into this browser address bar and press “Enter”;
your personal page should be opened now; if it didn’t then wait for a bit and try again.
If you can not perform this steps then check your internet connection and try again. If it still doesn’t work, try asking some computer guy for help in performing this steps for you or look for some video guides on YouTube.
You can find a copy of this instruction in files named “!HELP_SOS” stored next to your encrypted files.
