Sage 2.0 ransomware wants to be just like Cerber when it grows up

Same parents or pure mimicry?

David Bisson

The Sage 2.0 ransomware has adopted several techniques employed by the notorious Cerber malware, so much so that you can’t help but wonder if the two are somehow related.

Researchers at Symantec spotted the threat as part of an ongoing campaign involving the Pandex spambot.

The ransomware arrives in a user’s inbox via a phishing email that purports to contain sexually explicit images in an attached .ZIP file. The email, which comes with the blunt subject line "get laid tonight," explains the photos are connected to a party that’s already transpired.

An example of one of Pandex’s spam emails. (Source: Symantec)

Subject: get laid tonight
Attached file:

Message body:

I am Thinking Of You ! My photos after our party

Not surprisingly, the email isn’t at all what it appears to be.

Clicking on the .ZIP attachment reveals a .PDF file. But it’s not to be trusted. It’s just a disguise employed by the spam campaign’s payload: Sage 2.0.

Historically, Sage 2.0 hasn’t seemed to mind sharing the spotlight with other crypto-malware families. We’ve seen the ransomware share a domain with Locky as part of criminals’ ongoing effort to prey on unsuspecting users.

Additionally, we’ve spotted Sage 2.0 get all buddy-buddy with Cerber, the ransomware with a lucrative affiliate scheme.

But this campaign reveals something more. Sage 2.0’s authors appear committed to learning from these more time-tested ransomware families. As a result, they’ve updated their creation accordingly.

Like Cerber, the ransomware now offers multi-language support in its ransom note. That file arrives as an .HTA file, a format employed by Cerber. (It used to be an .HTML document.)

Sage 2.0 also uses a process list that is found in the configuration for Cerber 4.0.

In addition, Sage 2.0 has borrowed one of Cerber’s most notable traits: its ability to “speak” the ransom note. As Symantec’s researchers explain in a blog post:

“The new Sage 2.0 variant drops a .VBS script that uses the SAPI SpVoice interface to inform the affected user of the ransomware infection. This new version also ends database-related processes, something we’ve seen Cerber do to better infect files that may have been locked by running database processes.”

Finally, the ransomware now sports some tactics that help prevent victims from recovering their files. No longer does it just rely on vssadmin to delete an infected machine’s shadow volume copies. Its routine also disables safe boot options and error recovery.
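For defenders, the behaviours described in the Symantec quote and in the paragraph above can be hunted for in process-creation logs. The following Python sketch is an added example, not code from Symantec or from the article: it flags any host whose command lines show two or more of those behaviours. The hostnames, file paths and log lines are constructed, and mapping "disables safe boot options and error recovery" to `bcdedit`, the .VBS script to `wscript`/`cscript`, and the .HTA note to `mshta` is an assumption about how those effects typically appear on Windows.

```python
import re
from collections import defaultdict

# Behaviours the article attributes to Sage 2.0, mapped to command-line patterns.
# Only vssadmin is named in the article; the bcdedit, wscript/cscript and mshta
# mappings are assumptions about the usual Windows tooling for those effects.
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "boot_recovery_tamper": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
    "vbs_script_run": re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I),
    "hta_note_open": re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I),
}

def match_behaviours(cmdline):
    """Return the set of rule names that one command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def triage(events, threshold=2):
    """Group (host, cmdline) events by host; keep hosts with >= threshold distinct behaviours."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host] |= match_behaviours(cmdline)
    return {host: sorted(hits) for host, hits in seen.items() if len(hits) >= threshold}

# Constructed sample events (host, command line); not taken from a real incident.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("WS-01", r"bcdedit.exe /set {default} recoveryenabled No"),
    ("WS-01", r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-01", r'wscript.exe "C:\Users\a\AppData\Local\Temp\f1.vbs"'),
    ("WS-02", r"vssadmin.exe list shadows"),          # benign query, no match
    ("WS-03", r"cscript.exe C:\IT\inventory.vbs"),    # single weak signal only
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

Requiring two distinct behaviours keeps routine administration, such as a lone inventory script or a shadow-copy listing, from raising an alert on its own.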

All of these techniques have Symantec wondering whether there’s some connection between Sage 2.0 and Cerber:

“There is no concrete evidence as to whether the attackers behind Cerber are the same ones behind Sage 2.0. The two threats do not share the same packer, although Sage 2.0 mirrors some of Cerber’s routines. This could be an indication that Sage 2.0 is gearing up for more infections and mimicking Cerber because of its previous success.”

While researchers continue to probe this relationship, users should protect themselves against a ransomware infection by keeping their systems up-to-date, installing an anti-virus solution, and following this guide to back up their data. If they should ever experience a ransomware infection, they can use these tips to try to recover their files.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
