Remove Sage 2.0 ransomware virus and decrypt .sage files

Sage 2.0 wants its victims to transfer some incredible USD 2000 to its Bitcoin wallet. The sum is due in the crypto-currency and is to make available to the payer the decryption key.


Paying the ransom as demanded by the extortion virus does not ensure that you get your data back. Few users would value their data so high as to pay the amount claimed. The infection should rather target corporate users or otherwise be selective, or else it is unlikely to generate a reasonable to its holders. That is not the case, though. Observations clearly show the infection targets a bulk of the users.

IT security reported Sage 2.0 ransomware as a variant of CryLocker virus back at the end of 2016. The propagation was not quite significant and collected very few victims. A closer look at the viral application revealed the distributor of the Sage 2.0 encryption Trojan was the same actor that was detected behind such widely spread ransomware as Cerber, Locky, Spora. Needless to say, that suggests the one in question is likely to have its propagation enhanced dramatically.

The current propagation scheme for Sage 2.0 features a spamming with some interesting peculiarities. While its counterparts resort to misleading the recipient with all sorts of business and private messages, the infection under review just dispatches an empty letter. There is neither body nor topic to read. The only thing dispatched is the attachment. The attachment is a file which name consists of a random set of digits followed by “” Optionally, the user deals with a randomly named zip-file. The zipping is double. That is, the initial zip has another zip file inside. The latter, eventually, contains JS or MS Word file.

Those zipped items include a malicious script that drops the ransomware into a folder specified by the script, which is typically a random folder in the Temporary directory. The item so dropped is the ransomware installer. It lingers for a while, obviously to avoid suspicion and escape detection. Following its short nap, the ransom Trojan proceeds with its installation into the user’s account AppData folder. The installed instance of the malware scans the affected system for the extensions eligible for the attack. Frankly, very few file formats are subject to any exemptions. The victims have most of their files encrypted for good. The items affected are marked with .sage string added after their original extension.

Sage 2.0 comes up with its ransom note. That is available in any folder which files have been hit by the virus. The note is an introductory message that further sends the victims to the online payment page. Further communication requires the users concerned to download and run TOR browser. The payment page demands the amount of USD 2000. The amount is payable in bitcoins, adjustable so that the sum in fiat currency remains stable.

The encryption applied is strong, the ransom is high, the chances of failure to discharge the private key are essential. Given the above, proceed with the workarounds above to get rid of Sage 2.0 encryption on ransom-free conditions.

Automatic removal of Sage 2.0 ransomware

The benefits of using the automatic security suite to get rid of this infection are obvious: it scans the entire system and detects all potential fragments of the virus, so you are a few mouse clicks away from a complete fix.

  1. Download and install recommended malware security suite
  2. Select Start Computer Scan feature and wait until the utility comes up with the scan report. Proceed by clicking on the Fix Threats button, which will trigger a thorough removal process to address all the malware issues compromising your computer and your privacy.

Restore files locked by Sage 2.0 ransomware

Sage 2.0 represents a unique category of malicious software whose attack surface reaches beyond the operating system and its components, which is why removing the virus itself is a part of the fix only. As it has been mentioned, it encrypts one’s personal information, so the next phase of the overall remediation presupposes reinstating the files that will otherwise remain inaccessible.

  • Launch data recovery software

    Similarly to the rest of its fellow-infections, Sage 2.0 most likely follows an operational algorithm where it erases the original versions of the victim’s files and actually encrypts their copies. This peculiarity might make your day, because forensics-focused applications like Data Recovery Pro are capable of restoring the information that has been removed. As the virus further evolves, its modus operandi may be altered – in the meanwhile, go ahead and try this.

  • Take advantage of Volume Shadow Copy Service

    This technique is based on using the native backup functionality that’s shipped with Windows operating system. Also referred to as Volume Snapshot Service (VSS), this feature makes regular backups of the user’s files and keeps their most recent versions as long as System Restore is on. Sage 2.0 virus hasn’t been found to affect these copies therefore the restoration vector in question is strongly recommended. The two sub-sections below highlight the automatic and manual workflow.

  • a) Use Shadow Explorer

    Shadow Explorer is an applet that provides an easy way of retrieving previous versions of files and folders. Its pro’s include an intuitive interface where the computer’s entire file hierarchy is displayed within one window. Just pick the hard disk volume, select the object or directory to be restored, right-click on it and choose Export. Follow the app’s prompts to get the job done.Shadow Explorer

  • b) Use file properties

    Essentially, what the above-mentioned Shadow Explorer tool does is it automates the process that can otherwise be performed manually via the Properties dialog for individual files. This particular approach is more cumbrous but just as effective as its software-based counterpart, so you can proceed by right-clicking on a specific file, which has been encrypted by Sage 2.0 ransomware, and selecting Properties in the context menu. The tab named Previous Versions is the next thing to click – it displays available versions of the file by date of the snapshot creation. Pick the latest copy and complete the retrieval by following the prompts.Previous Versions

  • Data backups work wonders

    Ransomware like Sage 2.0 isn’t nearly as almighty and destructive in case you run regular file backups to the cloud or external data media. The virus itself can be completely removed in a matter of minutes, and the distorted information can then be just as easily recovered from the backup. Luckily, this is a growing trend, so ransom Trojans are hopefully going to become less subversive in the near future.

Verify thoroughness of the removal

Having carried out the instructions above, add a finishing touch to the security procedure by running an additional computer scan to check for residual malware activity

Leave a Reply


Stop-the-Pop-Up is an aggressive pop-up killer preventing all annoying pop-up windows from appearing as you surf the web. Read more >>

Surf Spy

Surf Spy is an invisible tool that monitors the Internet activity on your computer. It captures the link of every visited web site. Read more >>

Bluescreen Screensaver

Bluescreen Screensaver will simulate the Windows Blue Screen of Death for your operating system. Read more >>


Farsighter monitors a remote computer invisibly by streaming real-time video to a viewer on your computer. Read more >>