The ever-evolving ransomware targets Windows users and does not infect computers configured with the Russian language. The malware encrypts files in multiple locations, including local and remote drives, removable drives, mapped drives, and unmapped network shares.
The original version appends the ".sage" extension to encrypted files and demands $150 in bitcoins for the decryption key. A second version, Sage 2.0, demands $2,000. Sage 2.2 was discovered in February 2017 and downloads its main payload to the %Temp% folder.
The ransomware is distributed via spam emails and uses a combination of RSA and AES encryption. The ransomware continues to evolve and has also been circulating as a fake Chrome font pack distributed via compromised websites.
The ransomware uses exploits leaked by the Shadow Brokers and has infected a large number of computers, including those in the government, telecom, and educational sectors. Encrypted files are marked with the .WNCRYT extension. The ransom for WannaCry ranges from $300 to $600, but payments may not be uniquely associated with a system. The initial variants of WannaCry no longer encrypt if the sample can resolve an external DNS name, which is now held by security researchers.
The ransomware encrypts the MBR (Master Boot Record) as well as files on the infected system. The malicious software has crippled computers worldwide including government facilities, electrical grids, banks, and public transportation systems.
The ransomware threatens to delete files every hour unless the victim pays the ransom. Victims are infected after being tricked into believing they are downloading fraudulent versions of various software. Variants of the malware also claim that the encrypted files will be sent to the victim's contacts if the ransom is not paid.
The ransomware pretends to be a shipping notification and threatens to destroy the decryption key if the ransom is not paid within 78 hours. The malicious software continues to evolve and redirects victims to a fake Office web page.