The ever-evolving ransomware targets Windows users and does not infect computers using the Russian language. The malware encrypts files located in multiple locations including local and remote drives, removable drives, mapped drives, and unmapped network shares.
The original version appends the ".sage" extension to encrypted files and demands $150 in bitcoins for the decryption key. A second version, Sage 2.0, demands $2,000. Sage 2.2 was discovered in February 2017 and downloads its main payload to the %Temp% folder.
The ransomware is distributed via spam emails and uses a combination of RSA and AES encryption. The ransomware continues to evolve and has also been circulating as a fake Chrome font pack that is distributed via compromised websites.
The ransomware threatens to delete files every hour unless the victim pays the ransom. Victims are infected after being tricked into downloading fraudulent versions of various software. Variants of the malware also claim that the encrypted files will be sent to the victim's contacts if the ransom is not paid.