Sage: Innovative Ransomware with Style

A revised version of the Sage ransomware has hit the scene, earning style points with a bright user interface and interactive ransom note.

“In stark contrast to the drab payment sites used by many ransomware varieties, Sage presents users with a colorful, accessible and descriptive site,” said PhishMe researchers in a blog post. “The site explains the victim’s situation and provides instructions to regain access to their encrypted data.”

One interesting similarity between this edition and older ransomware is the reuse of a technique distinctive to the Cerber encryption ransomware: A Microsoft HTML application is presented to the victim as an interactive means of navigating to the payment site.

“This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note,” the researchers said.

They added that the new Sage is designed to make paying the Bitcoin ransom easier by presenting the victims with a QR code that contains the Bitcoin wallet address used to collect the ransom. In addition, Sage v.2.2 incorporates a simplistic analysis evasion tactic by detecting the presence of commonly used malware research tools.

Interestingly, Sage asks for a $499 ransom—in sharp contrast to the leading Locky ransomware, which asks for about $1600.

“The overarching ransomware trend is clearly one that will not subside anytime soon,” PhishMe researchers said. “The criminal business model for ransomware has proven itself viable and profitable in both high-profile crises as well as in everyday attacks. The newest iteration of development upon the Sage ransomware demonstrates another example of the viability and willingness for malware writers to produce new and innovative ransomware tools.”
