The ever-evolving ransomware targets Windows users and does not infect computers that use the Russian language. The malware encrypts files in multiple locations, including local and remote drives, removable drives, mapped drives, and unmapped network shares.
The original version appends the ".sage" extension to encrypted files and demands $150 in bitcoins for the decryption key. A second version, Sage 2.0, demands $2,000. Sage 2.2 was discovered in February 2017 and downloads its main payload to the %Temp% folder.
The ransomware is distributed via spam emails and uses a combination of RSA and AES encryption. The ransomware continues to evolve and has also been circulating as a fake Chrome font pack that is distributed via compromised websites.
The ransomware threatens to delete files every hour unless the victim pays the ransom. Victims are infected after being tricked into believing they are downloading fraudulent versions of various software. Variants of the malware also claim that the encrypted files will be sent to the victim's contacts if the ransom is not paid.
The ransomware was first spotted in early 2016 and continues to evolve to this day. The malware adds an identifier into the header of every encrypted file instead of appending a specific extension.
Alma Locker - Ransomware
Encrypted files are appended with a random five-character extension and a unique eight-character victim ID, both derived from the serial number of the C:\ drive and the MAC address of the first network interface.