Sage extortion virus bitcoin extortion data how to decrypt, recovery case analysis


About AET A kind of Copyright declaration A kind of Collection site A kind of Website map Welcome to Hefei's Mdt InfoTech Ltd website.
National 24 hour expert Hotline 400-668-9959
 Hefei data recovery

Are you looking for: Server hard disk recovery AIT data recovery Database recovery Notebook hard disk data recovery

Sage extortion virus bitcoin extortion data how to decrypt, recovery case analysis

Article provenance: AIT data recovery Editor: edited editor Popularity: - Publication time: 2017-04-28 14:39. large in Small ]

Since 2017, a new virus --Sage has been infected by computer users at home and abroad.



Sage extortion software is a new member of the extortion software family and a variant of extortion software CryLocker. From the current situation analysis, the initiator behind the Sage and the extortion software Cerber, Locky and Spora should be assigned the same door.

Next we will make a detailed analysis of the Sage virus.

Poisoning characteristics

After the computer infected with Sage virus, a large number of file suffixes were added with the suffix of ".Sage".


Some important folders will automatically generate one! HELP_ SOS.hta file 8.png The blackmail information left by hackers will appear after opening.


If your computer is poisoned and the situation I described above is the same, then unfortunately, your computer has been infected with the Sage virus.

Two. Sage virus analysis

1, Sage 2.0/2.2 Ransomware - how does it infect computers?

For the infection process, this version of Sage extortion software may use malicious e-mail spam containing fraudulent messages. Messages can be of various types and are designed to persuade potential victims to open the malicious.Zip file attachments of these e-mails. Examples of fraudulent topics that can be used to infect Sage 2.2 are:

"Your PayPal transaction has been completed.

"Your online banking account is suspicious. (bank name).

"Your invoice.

There may be many other e-mails that are infected with Sage blackmail software, and they may carry files as file attachments. Files can be named randomly, such as "6207_". " In the.Zip file, there are two types of files that cause infection:

A JavaScript.Js file will cause infection immediately after opening.

Microsoft Office document.Doc file. When you click the enable content button to enable macros, the file will cause infection. These macros have malicious scripts in it.

2, Sage 2.0/2.2 Ransomware - what happened after infection?

After the user PC is infected by Sage 2.2 virus, it can connect to the Internet criminal distribution station by using an unsafe port and download payloads on the infected computer.

The payload of Sage 2.2 extortion software includes multiple executable files and temporary files. It may contain a.Dll type module, which also includes the Wallapaper of Sage 2.2 extortion software and its "decryption command".

3, Sage 2.0/2.2 Ransomware - encryption analysis

About file encryption, Sage extortion software uses strong encryption algorithm. This password prevents files on infected computers from being opened. Virus attack


Once the Sage virus detects that this type of file is on the infected computer, it will immediately cause them to no longer be opened and add the extension of the.Sage file to the file. In addition to file encryption, Sage virus can also delete shadow copies of infected computers. This operation is performed to destroy any possibility of restoring them through administrative commands (called VSSAdmin).

Three, cracking recovery methods

At present, the domestic recovery methods for sage viruses fall into three categories.

1. pay ransom to hackers

This method is not recommended because it is not very safe. After the ransom was paid, the hacker could not contact, and the hacker only left the account to pay. After paying the ransom, it may not get the hack key sent by the hacker. There are several possibilities: the identity of a hacker is uncovered, the police are arrested, unable to send the key to solve the problem, the hacker basin is washed up, not engaged in the business, you have no money to contact you, the hacker account is sealed, the money you pay, the hacker can not know; the hacker's declassified server is in trouble, and it is impossible to crack the execution of the key. Even if the key of the hacker is finally obtained, it is possible that there is a shutdown in the initial encryption process, so the encryption program will appear bug, resulting in incomplete files being finally declassified.

Some data recovery companies use this way to charge customers high ransom and commission, so that customers are subjected to two extortion. We strongly condemn this act of discredit for the same industry.

2. brute force.

This method is very complex and time-consuming. In extortion software, Sage virus is a very special existence because it uses elliptic curve encryption algorithm to encrypt files.

The elliptic curve function used in encryption is "y^2 = x^3 + 486662x^x + X". The prime number range is "2^255 - 19" and the base variable x=9. The elliptic curve used by Sage is a famous Curve25519 curve. It is the most advanced technology in modern cryptography. Curve25519 is not only one of the fastest curves of ECC (Elliptic Curve Cryptography, elliptic curve cryptography), but also vulnerable to the influence of weak RNG (Random Number Generator, random number generator). The side channel attack is considered when designing, avoiding many potential implementation flaws, and it is very likely that there is no third party built-in backdoor.

It is understood that there are no successful cases in the industry and good news is expected.

3. repair data

Our company has many years of data recovery experience, through research and learning, has successfully solved a number of SAGE database for customer database cases.

Last week there was a client whose computer was infected with Sage virus, and the important database files were encrypted. Customers consulted many data recovery companies, told him to pay a huge ransom before he could get the key from the hacker, and to pay them a small commission. Later, through the Internet, our customers found us. We told the customers the insecurity and uncertainty of the ransom, and the possibility of repair. After the understanding of our customers, we appreciate our professional knowledge and frank attitude and confidently hand over the documents to us to try to repair them. After 1 days and 1 nights of hard work, our professional engineers finally brought good news to our customers. All database files before being repaired are encrypted and blackmailed, as shown below: comparison of files before and after repair.


After repair, the files are tested and can be used normally. The clients expressed satisfaction and recognition of our recovery results.

If you are unlucky enough to be infected with Sage virus, please contact us for consultation.



1., do not "rush into the doctor", avoid being again pit, break the network, do not have other unencrypted U disk, mobile hard disk and other storage medium, and contact us in time: 13305512885, we have many years of experience of professional declassified engineers to provide one to one quality service, will use the minimum cost to help you decrypt / restore data, and get the latest information.

2. protect the source files from being destroyed for two times, or log in to our website. Understand the latest information about bitcoin ransom virus.

Messages Online diagnosis Input the contact way, the professional customer service team will contact you in 15 minutes.

567彩票 下载 北斗棋牌全部版本 下载星云娱乐斗地主 中彩网投注为什么不花钱 双色球11进制定胆技巧 乐彩3d论坛手机17500 乐彩网17500双色球出球顺序 七乐彩7十1开奖结果 284彩票网址 3d172前后关系