Sage Ransomware

What is Sage Ransomware?

Sage Ransomware sounds like something extremely smart, and users may feel intimidated by such an infection, especially if you consider the fact it encrypts user’s files, successfully blocking them from accessing their data. As you can clearly tell, this program is a ransomware infection, so the reason it is there in your computer is money. The program will try to push you into paying the ransom fee, making it look like it is the only way to restore your files. Needless to say, you should never pay these cyber criminals anything. Remove Sage Ransomware from your system at once, and then safeguard your computer against similar intruders in the future.

Where does Sage Ransomware come from?

The research specialists at anti-spyware-101.com say that Sage Ransomware spreads through malicious attachments. It means that the program employs spam email campaigns to gain access to your system. At the same time, it also means that users download and install this program willingly. Of course, you probably did not know that the file you downloaded was the program’s installer, but it is clear that the ransomware would not be able to enter the target system without user’s permission.

Therefore, to avoid similar infections, you should scan email attachment files before opening. Also, think carefully before you download such a file. Perhaps the online shop invoice or some credit card report did not come from reliable sources. After all, these days such documents seldom get delivered via attachment files because of potential exploitation and other vulnerabilities.

What does Sage Ransomware do?

The program seems to be well-developed. Upon the infection, it will drop a copy of itself in the %APPDATA% directory with a random string name. It will be an .exe file, but the filename will be different in each infected computer (hence “random”). For example, the filename could be nDhy8EZN.exe, or so. After that, the program will scan your system looking for the files it can encrypt.

According to our research, the program will encrypt files in the %USERPROFILE% directory, so if you keep some of your data someplace else, it might be possible to avoid the encryption. To lock up your files, Sage Ransomware supposedly employs the 4096-bit RSA encryption key, but our researchers could not confirm that independently.

After the encryption, all the affected files will have the .sage extension added to their filenames. The program will also change your desktop with the image that it will have placed in the %TEMP%. The image will ask you to purchase Bitcoins and pay the ransom fee. The program will ask you do pay the fee within four days, otherwise, “the unique decryption code for your files will be blocked and its recovery will be absolutely impossible,” or so the notification says.

The infection will drop three files total on your system. One you will find on your desktop, another will be placed in the %USERPROFILE%\My Documents, and the final one will be in the %TEMP% folder.

The cyber criminals will expect you to pay 0.12621 BTC (or around $95USD) for the decryption key. The program also boasts of an informative panel that will have all the information you might need. However, it would still not help you much because the bottom line is obvious: pay or else.

Needless to say, you should refrain from paying anything because that is not a good way out. Also, Sage Ransomware may not even issue the decryption key after the payment is complete. So what can be done about your files? After you remove this ransomware from your system, you have to delete the encrypted files and then transfer healthy copies of your data from a system backup. We believe that you will be able to retrieve your files either from some cloud storage or an external hard drive. Nevertheless, you should also be ready to come to terms with the fact that in some cases file loss is inevitable.

How do I remove Sage Ransomware?

In the instructions below, we will tell you how to get rid of this infection. However, automatic removal with a security application would be a lot more efficient because then you would definitely be sure all the unwanted files and dangerous entries are deleted for good. If you think you may need some help with that, please do not hesitate to leave us a comment.

Manual Sage Ransomware Removal

1. Remove the ransom note from your desktop.
2. Press Win+R and type %USERPROFILE%\My Documents. Click OK.
3. Delete the ransom notes from this directory. Press Win+R again.
4. Type %TEMP% and click OK. Delete the ransom notes from the directory.
5. Delete the most recently launched file and press Win+R.
6. Type %APPDATA% and click OK. Delete the random-name .exe file.
7. Press Win+R and type %ALLUSERSPROFILE%\Start Menu\Programs\Startup.
8. Delete a random-name shortcut from the folder.
9. Scan your computer with the SpyHunter free scanner.

Download Removal Tool100% FREE spyware scan and
tested removal of Sage Ransomware*