SAGE 2.2 Ransomware: A Persistent File-Locking Threat
A Notorious Evolution in Ransomware
SAGE 2.2 Ransomware is an evolved version of the Sage ransomware strain, designed to encrypt files and hold them hostage until a ransom is paid. Like its predecessors, it modifies affected files by appending the ".sage" extension and delivers a ransom note labeled "!HELP_SOS.hta" to inform victims about the encryption. In addition to locking files, SAGE 2.2 alters the desktop wallpaper to reinforce its demand for payment.
The ransomware systematically renames files, for example, converting "document.pdf" into "document.pdf.sage" and so on. This makes it immediately clear to victims that their data has been compromised. The accompanying ransom note is presented in both text and audio formats. It is available in multiple languages, including English, German, Italian, Portuguese, Spanish, French, Korean, Dutch, Arabic, Persian, and Chinese.
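The two file-system artifacts described above, the appended ".sage" extension and the "!HELP_SOS" note, are enough to scope which directories were touched. The following is an added example, not code from the original article: it walks a directory tree and labels each affected directory. The function names, the triage labels and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

ENCRYPTED_SUFFIX = ".sage"   # extension the page says is appended
NOTE_STEM = "!help_sos"      # ransom note base name from the page (!HELP_SOS.hta)


def scan_tree(root):
    """Return {directory: {"encrypted": [...], "notes": [...]}} for each
    directory under root that holds at least one of the two artifacts."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(name)
            if p.suffix.lower() == ENCRYPTED_SUFFIX:
                hits[dirpath]["encrypted"].append(name)
            elif p.stem.lower() == NOTE_STEM:
                hits[dirpath]["notes"].append(name)
    return dict(hits)


def classify(hit):
    """Triage label: both artifacts together is the strongest signal."""
    if hit["encrypted"] and hit["notes"]:
        return "confirmed"
    return "encrypted-only" if hit["encrypted"] else "note-only"


def build_sample_tree(base):
    """Constructed sample data: empty files laid out like an affected share."""
    layout = {
        "docs": ["document.pdf.sage", "notes.txt.sage", "!HELP_SOS.hta"],
        "photos": ["cat.jpg.SAGE"],
        "clean": ["report.docx", "sage.txt"],
    }
    for sub, names in layout.items():
        (Path(base) / sub).mkdir(parents=True)
        for n in names:
            (Path(base) / sub / n).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for d, hit in sorted(scan_tree(base).items()):
            print(classify(hit), d, len(hit["encrypted"]), "encrypted")
```

A directory labelled "encrypted-only" deserves a second look before it is counted as affected, because the ".sage" extension is also used by unrelated software such as SageMath source files.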
The Ransom Note and Its Instructions
SAGE 2.2 informs victims that their files have been encrypted and that the only way to recover them is by obtaining the "SAGE Decrypter" tool along with a unique decryption key. The note warns against attempting to use alternative decryption tools, stating that doing so may permanently damage the files. To facilitate payment and communication, the attackers provide web links where victims can supposedly purchase the decryption software.
If the given links fail, victims are instructed to download and use the Tor Browser, a tool commonly associated with anonymous web browsing. The ransom note also includes detailed steps on how to access the dark web links, ensuring that even those unfamiliar with Tor can comply with the attackers' demands. Additionally, the instructions are reinforced by changing the desktop wallpaper, making it difficult for victims to ignore.
Here's what the ransom note says:
File recovery instructions
You probably noticed that you can not open your files and that some software stopped working correctly. This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware".
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key.
Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.
You can purchase "SAGE Decrypter" software and your decryption key at your personal page you can access by following links:
If none of these links work for you, click here to update the list.
Updating links...
Something went wrong while updating links, please wait some time and try again or use "Tor Browser" method below.
Links updated, if new ones still don't work, please wait some time and try again or use "Tor Browser" method below.
If you are asked for your personal key, copy it to the form on the site. This is your personal key:
-
You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files.
If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".
In order to do that you need to:
open Internet Explorer or any other internet browser;
copy the address hxxps://www.torproject.org/download/download-easy.html.en into address bar and press "Enter";
once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;
once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version);
Tor Browser will establish connection and open a normal browser window;
copy the address
-
into this browser address bar and press "Enter";
your personal page should be opened now; if it didn't then wait for a bit and try again.
If you can not perform this steps then check your internet connection and try again. If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on YouTube.
You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.
What Ransomware Like SAGE 2.2 Wants
Ransomware programs, including SAGE 2.2, exist primarily to extort money from victims. By encrypting crucial files and restricting access, attackers put victims in a desperate position where they may feel forced to comply. However, cybersecurity experts warn against paying the ransom, as there is no certainty that the attackers will provide a working decryption tool. In many cases, victims who pay do not receive their files back and may even be targeted again.
Since SAGE 2.2 can remain active and continue encrypting new files or spread across a local network, immediate action is necessary to prevent further damage. Without a valid backup or third-party decryption tools, recovering files is often impossible.
How Ransomware Infects Systems
Ransomware like SAGE 2.2 typically infiltrates systems through deceptive methods. One of the most common infection vectors is fraudulent emails containing malicious attachments or links. When users interact with these elements, they unknowingly download and execute the ransomware on their devices.
Another method involves compromised websites or software vulnerabilities. Cybercriminals exploit security gaps in outdated operating systems or applications to deploy ransomware automatically. Additionally, using unreliable software sources—such as peer-to-peer (P2P) networks, third-party downloaders, or pirated software—can expose users to hidden ransomware threats.
Precautionary Measures Against Ransomware
Preventing ransomware infections requires proactive cybersecurity habits. Users should be cautious when handling emails from unfamiliar senders and avoid clicking on unexpected attachments or links. Verifying the legitimacy of a message before opening its contents can prevent accidental infections.
Downloading software only from official sources, such as developers' websites or trusted app stores, minimizes the risk of encountering malicious downloads. Avoiding pirated software, cracking tools, and keygens is also essential, as these are common ransomware distribution channels. Keeping operating systems and software updated helps close security vulnerabilities that attackers may exploit.
Final Thoughts
Ransomware remains one of the most disruptive threats in cybersecurity, with strains like SAGE 2.2 demonstrating its evolving nature. The financial and emotional distress caused by file encryption attacks highlights the importance of maintaining secure backups.
Users can mitigate the impact of ransomware incidents by storing backups on external drives or cloud services not connected to the primary system. A comprehensive cybersecurity strategy that includes vigilance, software updates, and secure backup practices can also reduce the likelihood of becoming infected by such threats.







