The malicious application Sage Ransomware received its name because it appends the .sage file name extension to the files it encrypts. Like a number of other threats classified as Ransomware infections, Sage Ransomware encrypts files using RSA-4096 encryption (at least according to the ransom note it leaves for the user). It does so in order to demand a ransom and pull money out of innocent people's pockets. Quite a few users are willing to pay the ransom in exchange for the decryption tool, because this threat really does encrypt a number of different files, i.e. all data in the %USERPROFILE% directory and its subfolders as well as in %HOMEDRIVE%. Although this Ransomware infection uses a strong encryption algorithm, and it is probably no longer possible to recover pictures, documents and other important files without the special key, the researchers who work at 2-delete-spyware.com discourage sending money to cybercriminals. They advise against it because they know exactly what could happen: the key might not be sent to the user as promised.
Users themselves help Sage Ransomware get onto the computer. As it turns out, they run a malicious attachment that they find in a spam e-mail. The threat then stores itself in the %APPDATA% directory. It uses a random name, but the file undoubtedly has an .exe file name extension, such as nDhy8EZN.exe. It then starts to encrypt the personal data (such as slides, documents, videos and music) stored on the computer. As soon as all the files have received the .sage file name extension, it sets its own image as the desktop wallpaper (this .bmp image is located in %TEMP%) and places the ransom notes (!Recovery_QXes1s.txt and !Recovery_QXes1s.html) in three locations: %TEMP%, %USERPROFILE%\Dokumente and the desktop. It also creates a startup shortcut in %ALLUSERSPROFILE%\Startmenü\Programme\Startup for the ransom note with the .html extension, so that it is opened automatically for the user when the Windows operating system starts.
Users who view one of the ransom notes immediately find out what has been done to their files, because it contains the following statement: “All your files, images, videos and databases where have been encrypted and no longer accessible by software known as Sage!” (“All your files, pictures, videos and databases were encrypted by software known as Sage and can no longer be accessed!”). It also says that a ransom of 93 USD (0.1237 Bitcoin) “for decryption” must be paid within a specified time period. If this time expires and the cybercriminals have not received the payment, the ransom is doubled (186 USD). If the user still does nothing, the decryption key is blocked and is no longer available, according to the ransom note. We know how much you need to recover your files, and that the ransom Sage Ransomware demands is not very high, but we still do not advise paying the cyber crooks. Of course, you have the last word in this case, but we think you should try alternative methods of data recovery. For example, you can easily restore the encrypted files from a backup copy (this is only possible if the backup copy was created before this Ransomware infection entered the computer and was saved on an external storage device, such as a USB stick). A third-party recovery application may also help you, so that would be worth a try as well. If you decide to send money to the cybercriminals, you must be prepared to lose it, because it often happens that the developer of the Ransomware infection does not send the decryption tool in exchange for the payment, even though the ransom note says that this will be done right after the money is transferred.
We now want to say a few words about how Sage Ransomware spreads before we begin the removal procedure. The investigation has shown clearly that this file-scrambling threat does not differ at all from Ransomware infections that were put into circulation some time ago, such as CryptoWire Ransomware, NMoreira Ransomware and Kangaroo Ransomware, although it was released only recently: it encrypts files, makes changes on the infected computer, and spreads mainly through spam emails. It evidently appears in these spam emails as a legitimate-looking attachment. Keep away from the spam emails you receive if you do not want your personal files to be encrypted again. In addition, security experts recommend installing a security tool to prevent malware from sneaking into the computer.
Since Sage Ransomware stores several files on the infected computer, it is not so easy to delete them manually. You are probably reading this article because you do not know where to start, which is why experts have prepared manual removal instructions for you. You can find them below this article. If you still cannot manage it, scan your computer with an automatic malware remover, such as SpyHunter. It will remove the files of the Ransomware infection from the directories %APPDATA%, %TEMP%, %USERPROFILE%\Dokumente and %ALLUSERSPROFILE%\Startmenü\Programme\Startup in a few seconds. Keep in mind that the encrypted files unfortunately remain locked.
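The file locations named in this article can be checked with a read-only PowerShell triage script before anything is deleted. This is an added example, not part of the original article or of any vendor's tool. The `!Recovery_*` wildcard (the article gives only one note name) and the use of Windows known-folder lookups in place of the German folder names are assumptions.

```powershell
# Added example: read-only triage for the Sage artifacts this article describes.
# It deletes nothing and only reports candidates for manual review.
# Assumption: the suffix after "!Recovery_" varies per infection, hence the wildcard.
$notePattern = '!Recovery_*'

# Locale-independent folder lookups (the article's paths come from a German Windows).
$docs    = [Environment]::GetFolderPath('MyDocuments')
$desktop = [Environment]::GetFolderPath('Desktop')
$startup = [Environment]::GetFolderPath('CommonStartup')
$shell   = New-Object -ComObject WScript.Shell

function New-Finding($Artifact, $Item, $Detail = '') {
    [pscustomobject]@{ Artifact = $Artifact; Path = $Item.FullName
                       Modified = $Item.LastWriteTime; Detail = $Detail }
}

$findings = @(
    # 1. Ransom notes (.txt/.html) in %TEMP%, Documents and on the desktop.
    foreach ($dir in $env:TEMP, $docs, $desktop) {
        Get-ChildItem -LiteralPath $dir -Filter $notePattern -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.txt', '.html' } |
            ForEach-Object { New-Finding 'Ransom note' $_ }
    }
    # 2. Executables directly in the %APPDATA% root (the threat uses a random name).
    Get-ChildItem -LiteralPath $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'EXE in %APPDATA% root' $_ }
    # 3. All-users Startup entries that are, or point to, an .html file.
    Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
        if ($target -like '*.html') { New-Finding 'Startup entry' $_ $target }
    }
    # 4. Wallpaper image dropped in %TEMP%.
    Get-ChildItem -LiteralPath $env:TEMP -Filter '*.bmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'BMP in %TEMP%' $_ }
)

# 5. Count of encrypted files under the user profile (extension match only).
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.sage' }).Count

$findings | Sort-Object Modified | Format-Table -AutoSize -Wrap
"Files with the .sage extension under $env:USERPROFILE: $encrypted"
```

Hits in steps 2 and 4 are only candidates, since legitimate software can also place .exe or .bmp files there; compare their timestamps with those of the ransom notes before removing anything.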
Delete Sage Ransomware
Warning, multiple anti-virus scanners have detected possible malware in Sage.
Anti-Virus Software | Version | Detection |
---|---|---|
McAfee | 5.600.0.1067 | Win32.Application.OptimizerPro.E |
McAfee-GW-Edition | 2013 | Win32.Application.OptimizerPro.E |
Baidu-International | 3.5.1.41473 | Trojan.Win32.Agent.peo |
VIPRE Antivirus | 22702 | Wajam (fs) |
Malwarebytes | v2013.10.29.10 | PUP.Optional.MalSign.Generic |
ESET-NOD32 | 8894 | Win32/Wajam.A |
K7 AntiVirus | 9.179.12403 | Unwanted-Program ( 00454f261 ) |
VIPRE Antivirus | 22224 | MalSign.Generic |
Qihoo-360 | 1.0.0.1015 | Win32/Virus.RiskTool.825 |
NANO AntiVirus | 0.26.0.55366 | Trojan.Win32.Searcher.bpjlwd |
Kingsoft AntiVirus | 2013.4.9.267 | Win32.Troj.Generic.a.(kcloud) |
Sage Behavior
- Sage Shows commercial adverts
- Integrates into the web browser via the Sage browser extension
- Changes user's homepage
- Sage Deactivates Installed Security Software.
- Slows internet connection
- Sage Connects to the internet without your permission
- Redirect your browser to infected pages.
- Installs itself without permissions
- Modifies Desktop and Browser Settings.
- Steals or uses your Confidential Data
- Shows Fake Security Alerts, Pop-ups and Ads.
Windows OS versions affected by Sage
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
- Windows XP
Eliminate Sage from Windows
Delete Sage from Windows XP:
- Click on Start to open the menu.
- Select Control Panel and go to Add or Remove Programs.
- Choose and remove the unwanted program.
Remove Sage from your Windows 7 and Vista:
- Open Start menu and select Control Panel.
- Move to Uninstall a program.
- Right-click on the unwanted app and pick Uninstall.
Erase Sage from Windows 8 and 8.1:
- Right-click on the lower-left corner and select Control Panel.
- Choose Uninstall a program and right-click on the unwanted app.
- Click Uninstall.
Delete Sage from Your Browsers
Sage Removal from Internet Explorer
- Click on the Gear icon and select Internet Options.
- Go to Advanced tab and click Reset.
- Check Delete personal settings and click Reset again.
- Click Close and select OK.
- Go back to the Gear icon, pick Manage add-ons → Toolbars and Extensions, and delete unwanted extensions.
- Go to Search Providers and choose a new default search engine.
Erase Sage from Mozilla Firefox
- Enter "about:addons" into the URL field.
- Go to Extensions and delete suspicious browser extensions.
- Click on the menu, click the question mark and open Firefox Help. Click on the Refresh Firefox button and select Refresh Firefox to confirm.
Terminate Sage from Chrome
- Type "chrome://extensions" into the URL field and press Enter.
- Remove unreliable browser extensions.
- Restart Google Chrome.
- Open Chrome menu, click Settings → Show advanced settings, select Reset browser settings, and click Reset (optional).