FYI...

Sage 2.0 ransomeware
- https://isc.sans.edu/diary.html?storyid=21959
2017-01-21 - "On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called 'Sage'. More specifically, it was 'Sage 2.0'... Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2]...
1] https://www.bleepingcomputer.com/for...xtension-sage/

2] https://www.bleepingcomputer.com/for...rt-help-topic/

... Emails from this particular campaign generally have -no- subject lines, and they always have -no- message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I'll see a .js file instead of a Word document, but it does the same thing... attachments are often double-zipped. They contain -another- zip archive before you get to the Word document or .js file...
Example of a Word document with a malicious macro:
> https://isc.sans.edu/diaryimages/ima...y-image-05.jpg
Another example of the Word document with a malicious macro:
> https://isc.sans.edu/diaryimages/ima...y-image-06.jpg
The Word document macros or .js files are designed to download and install ransomware. In most cases on Friday, the ransomware was Sage 2.0... Under default settings, an infected Windows 7 host will present a UAC window before Sage continues any further. It keeps appearing until you click 'yes':
UAC pop-up caused by Sage: https://isc.sans.edu/diaryimages/ima...y-image-12.jpg
The infected Windows host has an image of the decryption instructions as the desktop background. There's also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ".sage" is the suffix for all encrypted files:
Desktop of an infected Windows host: https://isc.sans.edu/diaryimages/ima...y-image-13.jpg
... Following the decryption instructions should take you to a Tor-based domain with a decryptor screen. On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin):
The Sage 2.0 decryptor: https://isc.sans.edu/diaryimages/ima...y-image-15.jpg
... When the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses...
Below are IOCs for Sage 2.0 from Friday 2017-01-20:
Ransomware downloads caused by Word document macros or .js files:
54.165.109.229 port 80 - smoeroota .top - GET /read.php?f=0.dat
54.165.109.229 port 80 - newfoodas .top - GET /read.php?f=0.dat
84.200.34.99 port 80 - fortycooola .top - GET /user.php?f=0.dat
Post-infection traffic:
54.146.39.22 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
66.23.246.239 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
mbfce24rgn65bx3g .rzunt3u2 .com (DNS queries did not resolve)
Various IP addresses, UDP port 13655 - possible P2P traffic...
... not sure how widely-distributed Sage ransomware is. I've only seen it from this one malspam campaign, and I've only seen it one day so far. I'm also not sure how effective this particular campaign is. It seems these emails can easily be -blocked- so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals..."
(More detail at the isc URL at the top of this post.)