Remove Sage 2.2 Ransomware

Posted on

The Sage 2.2 Ransomware is an updated version of the original legend of ransomware. This malicious program has the purpose to encrypt your files using an advanced encryption algorithm and then to require money for the decryption key. You should however remove it rather than to follow the demands of cybercriminals. These Ransomware may secretly infect your computer through email spam and then immediately begin to encrypt your files.

If these Ransomware infects a computer, it creates a copy of the main files and pushes it in % APPDATA %. Then, these Ransomware deletes the original files. The names of copied files are created on the basis of GUID, so that they are different in each case. The copied files include a .exe file and a .tmp file. These files are deleted but stored batch file % folder using one in the % TEMP, once encryption is completed. During encryption, the Sage 2.2 Ransomware creates a shortcut in the startup folder, continue with the encryption to be able if restarts the computer in the middle of the encryption. Once this Ransomware is started, it creates a victim ID (key) and stores them in the .tmp file. Then it executes the following files: “vssadmin.exe delete shadows / all / quiet”, “bcdedit.exe / set {default} recoveryenabled no” and “bcdedit.exe / set {default} bootstatuspolicy ignoreallfailures”.

The investigation has shown that this Ransomware is configured to encrypt many file extensions, such as.. doc, .docx, .mkv, .avi, .xls, and so on. The Ransomware stops many processes to access the files and encrypt them. She also has a list of directories that let her out. You encrypted, for example, no files in folders such as % APPDATA %, % temp %, programs (x 86), programs, System32, system volume information, and some others. Also, these Ransomware encrypted any files, if the default keymap is set to Belarusian, Kazakh, Ukrainian, Uzbek, Yakut, Russian, or Latvian.

We have discovered that the Sage 2.2 Ransomware use the encryption algorithms for elliptic curves and ChaCha20. ChaCha20 is used to encrypt the contents of every file, and ECC is used to protect the randomly generated key. Each key is restored by using of SystemFunction036. The encryption is complete, after three cycles have been completed, including the creation of a victims-IP in the first cycle. These Ransomware “.sage” depends on the encryption of files-file extension of the files to and replaces the file symbol. The Sage 2.2 Ransomware connects to the Internet and sending data over UDP or HTTP POST. The data is encrypted before sending by using ChaCha20. If there is no connection however, run yet, because it requires no permanent connection with the command and control server.

Once the encryption is complete, these Ransomware replaced the desktop background with a black background image that contains a text that acts as a ransom. Once the encryption is complete, a file is also called! HELP_SOS.HTA automatically open. It contains instructions in several languages, including English, Dutch, French, and so on. Furthermore, the Sage 2.2 Ransomware playing a spoken message, inform the victim about the infection. The message contains a link to the Web page for the victim. The communication contains a unique key of the victim, which encrypts and is encoded using Base64. This is sent to the command and control server. To access the URL that is specified in the ransom note, the user must register with the unique key of the victims. A list is then offered the victims of languages and the victim is then piped to a page, that it prompts to pay USD 99 or 93 euros, which is equivalent to about 0.09 Bitcoins because the developer expressly require you to pay the ransom in Bitcoins. The Sage 2.2 Ransomware offers their victims the ability to decrypt a few encrypted files that are less than 15 KB in size, to convince them that it is serious about these Ransomware, and to assure them that the files can be decrypted.

You should leave but not sure that these cybercriminals will decrypt your files. As you can see, the Sage 2.2 Ransomware is an extremely harmful computer infection, which was developed with the intention to pull money out of your pocket the victims. This Ransomware is particularly demanding and there is currently no free decryption tool. So, there is no free method to restore your files. We however discourage you to pay the ransom, and recommend you to remove their remaining junk files, by using the following instructions.

How to remove the Sage 2.2 Ransomware

Warning, multiple anti-virus scanners have detected possible malware in Sage 2.2 Ransomware.

Anti-Virus SoftwareVersionDetection
McAfee5.600.0.1067Win32.Application.OptimizerPro.E
Malwarebytesv2013.10.29.10PUP.Optional.MalSign.Generic
Baidu-International3.5.1.41473Trojan.Win32.Agent.peo
NANO AntiVirus0.26.0.55366Trojan.Win32.Searcher.bpjlwd
McAfee-GW-Edition2013Win32.Application.OptimizerPro.E
Kingsoft AntiVirus2013.4.9.267Win32.Troj.Generic.a.(kcloud)
Malwarebytes1.75.0.1PUP.Optional.Wajam.A
K7 AntiVirus9.179.12403Unwanted-Program ( 00454f261 )
Qihoo-3601.0.0.1015Win32/Virus.RiskTool.825
VIPRE Antivirus22224MalSign.Generic
Tencent1.0.0.1Win32.Trojan.Bprotector.Wlfh

Sage 2.2 Ransomware Behavior

  • Sage 2.2 Ransomware Connects to the internet without your permission
  • Integrates into the web browser via the Sage 2.2 Ransomware browser extension
  • Changes user's homepage
  • Slows internet connection
  • Installs itself without permissions
  • Redirect your browser to infected pages.
  • Common Sage 2.2 Ransomware behavior and some other text emplaining som info related to behavior
Download Removal Toolto remove Sage 2.2 Ransomware

Sage 2.2 Ransomware effected Windows OS versions

  • Windows 1025% 
  • Windows 833% 
  • Windows 721% 
  • Windows Vista4% 
  • Windows XP17% 

Sage 2.2 Ransomware Geography

Eliminate Sage 2.2 Ransomware from Windows

Delete Sage 2.2 Ransomware from Windows XP:

  1. Click on Start to open the menu.
  2. Select Control Panel and go to Add or Remove Programs. win-xp-control-panel Sage 2.2 Ransomware
  3. Choose and remove the unwanted program.

Remove Sage 2.2 Ransomware from your Windows 7 and Vista:

  1. Open Start menu and select Control Panel. win7-control-panel Sage 2.2 Ransomware
  2. Move to Uninstall a program
  3. Right-click on the unwanted app and pick Uninstall.

Erase Sage 2.2 Ransomware from Windows 8 and 8.1:

  1. Right-click on the lower-left corner and select Control Panel. win8-control-panel-search Sage 2.2 Ransomware
  2. Choose Uninstall a program and right-click on the unwanted app.
  3. Click Uninstall .

Delete Sage 2.2 Ransomware from Your Browsers

Sage 2.2 Ransomware Removal from Internet Explorer

  • Click on the Gear icon and select Internet Options.
  • Go to Advanced tab and click Reset.reset-ie Sage 2.2 Ransomware
  • Check Delete personal settings and click Reset again.
  • Click Close and select OK.
  • Go back to the Gear icon, pick Manage add-onsToolbars and Extensions, and delete unwanted extensions. ie-addons Sage 2.2 Ransomware
  • Go to Search Providers and choose a new default search engine

Erase Sage 2.2 Ransomware from Mozilla Firefox

  • Enter „about:addons“ into the URL field. firefox-extensions Sage 2.2 Ransomware
  • Go to Extensions and delete suspicious browser extensions
  • Click on the menu, click the question mark and open Firefox Help. Click on the Refresh Firefox button and select Refresh Firefox to confirm. firefox_reset Sage 2.2 Ransomware

Terminate Sage 2.2 Ransomware from Chrome

  • Type in „chrome://extensions“ into the URL field and tap Enter. extensions-chrome Sage 2.2 Ransomware
  • Terminate unreliable browser extensions
  • Restart Google Chrome. chrome-advanced Sage 2.2 Ransomware
  • Open Chrome menu, click SettingsShow advanced settings, select Reset browser settings, and click Reset (optional).
Download Removal Toolto remove Sage 2.2 Ransomware