How To Remove Sage 2.2 Ransomware Virus And Decrypt .sage Files

Sage 2.2 is the most recent version of Sage ransomware virus. The previous version was 2.0 but it was quickly updated. The virus targets your personal documents, images, databases, videos and other files. Sage is a very dangerous malware as it utilizes many different methods to infect your PC.

Once this ransomware enters your computer it launches immediately and starts encrypting files to make them unopenable. The encrypted files receive .sage extension and their icons usually start displaying a padlock.

The virus also places ransom notes across the system called !HELP_SOS.hta (which replaces the !Recovery file found in earlier versions), opens a gray “Decryption instructions” window and modifies the desktop wallpaper to show a green text with instructions on how to visit the ransomware website and pay the ransom in BitCoins. In addition to this, some Sage versions also play an audio message saying “Attention! This is not a test! All your documents, databases and other important files were encrypted…”.

We strongly discourage you from paying the ransom as there is no guarantee that the criminals will provide you with the decryption key or that they will not leave other backdoors to attack you in the future. Instead, we recommend completely removing the threat from your computer and then using our file recovery methods described below.

We have a recommended automatic removal tool which will also protect your PC in the future. We also have a manual removal tool dedicated to removing the source of this virus only. However, you will still need to secure your computer afterwards.


Recommended Method: Download Sage Ransomware Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Sage ransomware virus?

This ransomware is quite new but has been updated at least two times already. It also displays version numbers in the ransom notes and website, although not very consistently (the website still displays Sage 2.0).

Just like many other successful ransomware viruses Sage 2.0 uses sophisticated encryption algorithms and makes your files impossible to be opened. It then asks for a ransom in BotCoin and redirects the victims to a payment site which can be accessed several links including one on TOR network (.onion).

There are many ways to get infected with this ransomware. Sometimes it comes in double-zipped .zip archives and has .js or .doc extension when extracted. In other cases it might use exploit kits, DLL file attacks, infected websites and other methods.

Sage targets several types of files including documents, photos, autio, video and databases. It starts encrypting them as soon as it infiltrates the computer. There is a chance of salvaging at least some targeted files by shutting down your computer if you see that the encryption process has just started. The more files you have the more resources it takes to encode them and the more time you have.

The ransom notes are called !HELP_SOS.hta and are placed in the folders where encrypted files can be found. The files not only receive .sage extension but their icons are also changed into a padlock. This is a less popular approach and is supposed to scare the victims even more. Finally, some versions of the ransomware even play an audio file which states that all files have been encrypted:

The virus displays the following text in a window called “Decryption instructions”:

File recovery instructions
You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by “Sage 2.2 Ransomware”.
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting “SAGE Decrypter” software and your personal decryption key.
Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.
You can purchase “SAGE Decrypter” software and your decryption key at your personal page you can access by following links.

The desktop background is also changed to the following text:

*** ATTENTION! ALL YOUR FILES WERE ENCRYPTED! ***
*** PLEASE READ THIS MESSAGE CAREFULLY! ***

The payment website is called “Sage 2.0 User Area” and displays instructions on how to make the required payment. It shows (both in BitCoins and dollars, usually $500) the total amount, amount remaining and the time remaining after which the price will increase. It also has detailed instructions, support section and allows to decrypt one file for free.

Despite the promises, we strongly discourage you from paying the ransom as you are not guaranteed to receive the decryption key. Also, the criminals might leave additional backdoors and attack you in the future since they will see you as a paying victim.

The best way to get rid of Sage ransomware is to remove the threat completely either by using our automatic removal and protection tool or following the manual guide. You will then need to secure the computer and will be able to use recovery methods listed below in order to recover the encrypted .sage files.

Here are some screenshots of Sage ransomware:

    


 Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since Sage is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause mroe damage.

Step 1:

Restart your Windows in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the Sage virus and terminate them. They are usually randomly named .exe files (e.g. Rj3FNWF3.exe) and only run during the process of encryption.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all processes.

You might not find any malicious process since the virus usually exits after completing the encryption process.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “127.0.0.1 localhost” entry. Here is an example:

Step 4:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 5:

Clean up Windows temporary files as there are usually several Sage ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 6:

Check for any recent changes in all the other important system files.

Sage usually makes changes to important system files in order to stay undetected.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

The virus tends to copy its files to this directory so you might find randomly named .exe, .dll, .bat or other recently placed files.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Step 7:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Use the folder tree on the left to navigate to the following directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{41D55966-1192-454F-9C86-D0EB950D9984}

If you find any registry entries that could be associated with Sage (usually randomly named), copy their random names and then delete them by right-clicking on it and choosing Delete.

Then search for the random name you have just copied by pressing keyboard buttons CTRL + F and entering the copied value in the search field. Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then navigate to the following location and repeat the process:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Fd3KZfCq

Then repeat the search with the following text:

sage

Step 8:

Use Windows File Search (you can access it from Windows Start Menu by simply pressing Windows () button) or Windows Explorer in order to find the following files and delete them. Some of the files might not exist since the virus has several variations.

!Recovery_
!HELP_SOS
__config
qucuh.exe
Tempequcuh.exe
Sage2Decrypter.exe

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for Sage ransomware file decrypter here: List of currently available decrypters. Currently there is no official Sage 2.2 decryptor available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Sage ransomware you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

11 comments on “How To Remove Sage 2.2 Ransomware Virus And Decrypt .sage Files

    1. Hello,

      we are sorry to hear that you still cannot access your files. Could you tell us how much time has passed since the infection happened? Maybe you remember the version of Sage virus which attacked your computer as well?

      Also, have you tried the professional file recovery program?
      http://virusremovalinstructions.com/how-to-recover-lost-files-using-recover-my-files-software/

      You can use the free version to make a list and see if any of the files can be recovered.

    1. Hello, here is a solution from https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-10-on-safe-mode-doesnt-accept-my-password/e5c53695-efb5-4cc5-86a0-8931fbcdc9d9 please try it and tell us how it went:

      1. Restart your PC. When you reach the sign-in screen, hold the Shift key and select the Power button, and then select Restart.
      2. After your PC restarts, select Troubleshoot > Advanced options >Startup settings > Restart. After your PC restarts, you should see a number of options. Press 5 or F5 for Safe Mode with networking.
      3. When you reach login screen, press Windows + U and select the On-Screen Keyboard from the Ease of Access list. or click on Ease of Access at bottom right and select On-Screen Keyboard from the list.
      4. Then use you cursor to type the password with On-Screen Keyboard.
      5. Before clicking the login, press the eye symbol (I.e. Reveal Password) option in the password field, to see the password is correct.

  1. Hi…
    I make Reset to my laptop and all program was delete and password….
    Good
    But i need to know how can i know that is the help_sos virus has deleted from my laptop??
    And all photos cant open.

  2. If you are going step by step like instruction tells – you do not have a seriously problems with remove SAGE 2.0/2.2. If that ways really not working for you – you can restore Windows and be happy with fresh install of Windows.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *