The ever-evolving ransomware targets Windows users and does not infect computers using the Russian language. The malware encrypts files located in multiple locations including local and remote drives, removable drives, mapped drives, and un-mapped network shares.
After encrypting the victim's files, Cerber plays an audio file demanding a ransom to unlock the data. Targets include Office 365 users. The ransomware is sold to distributors on underground Russian forums.
The original version appends the ".sage" extension to encrypted files and demands $150 in bitcoins for the decryption key. A second version, Sage 2.0, demands $2,000. Sage 2.2 was discovered in February 2017 and downloads its main payload to the %Temp% folder.
The ransomware is distributed via spam emails and uses a combination of RSA and AES encryption. The ransomware continues to evolve and has also been circulating as a fake Chrome font pack that is distributed via compromised websites.
The polymorphic malicious software encrypts and infects files and informs the victim that pirated software has been detected. The ransomware was first spotted in 2014 and surged in late 2016 and early 2017.
The ransomware threatens to delete files every hour unless the victim pays the ransom. Victims are infected after being tricked into believing they are downloading fraudulent versions of various software. Variants of the malware also report that the encrypted files will be sent to the victim's contacts if the ransom is not paid.