Sage File Virus Removal

How to Remove Sage Ransomware?

There’s a new ransomware program plaguing users. It’s known as the Sage infection because of the file extension it appends to your data. It locks all your files by attaching the ‘sage’ extension at the end of each file. Once that happens, it renders them useless, in the sense that you can no longer open them. You can try to move or rename them, but it won’t work. They’re encrypted. After the encryption process, the tool provides you with a seeming way out. It promises there’s a way you can rid yourself of its hold. You just have to apply the right decryption key. And, to get it, you have to pay a ransom. How simple, right? Well, wrong! That’s an entire minefield, which you must NOT go near! Do NOT follow a single demand that Sage lays out. It’s a dangerous cyber plague! Do NOT place your trust in it! You WILL get double-crossed! Do you honestly expect cyber criminals, who lock your files and extort you for money, to keep their word? Don’t be naive. Do NOT comply! The best course of action you can take is to say goodbye to your files. It does seem like a terrible solution, but it’s the best one you have. Have some perspective, and forsake your files. Your future self will thank you for that choice, as it’s the right one.

How did I get infected with Sage?

Like most ransomware tools, the Sage one duped you into installing it. Oh, yes. You agreed to install it. The tool has to ask you, the user, if you agree to allow it into your PC. And it can enter only after it gets your consent. It’s as simple as that. Still, don’t be too hard on yourself. The infection did manage to find a loophole in that rule. Even though it does technically ask for your permission, it does so sneakily. Instead of coming forward and openly seeking access, it does it in the most covert way it can. For example, it can hitch a ride with corrupted links or sites. Or hide behind freeware or spam email attachments. Or even pretend to be a system or program update, like Java or Adobe Flash Player. You believe you’re installing updates, but you’re not. In reality, you’re permitting the installation of a dangerous cyber menace. The Sage infection preys on your carelessness. Without it, there’s no successful invasion. Why do you make it easier for such threats to slither into your PC? Don’t give in to carelessness! Don’t give in to gullibility and distraction. Don’t rush. Go the opposite direction. Be vigilant and thorough. Take your time and do your due diligence. That extra caution can save you a ton of future troubles. Remember that next time you’re installing a tool or an update.


Why is Sage dangerous?

The Sage infection sneaks into your system and doesn’t waste much time. Pretty soon after invasion, it gets to work and takes over. The tool takes complete control over your files. Every single one you keep on your computer gets locked. After it’s done spreading its clutches throughout, it leaves you a ransom note. It’s usually a TXT file. You find it in each folder with encrypted files, as well as on your Desktop. It contains pretty standard information. The note clues you into your predicament: your computer harbors ransomware, and it encrypted your data. It also leaves instructions on what you have to do if you wish to remove it. Reports have come in about different ransom amounts. Sometimes the tool asks for payment of 0.7 Bitcoin. And, other times, it amounts to a mere 0.2 Bitcoin. It’s by no means a small fee, but it is significantly smaller than what other such infections demand. But understand this. Even if it requested a single dollar from you, you still must NOT pay that dollar! It’s not a question of money, it’s a matter of security. If you pay, you expose your personal and financial details to extortionists. That’s right. The cyber criminals behind Sage get a hold of your private life. And they can use that information as they desire. Think about the repercussions that entails. So, don’t pay. As important as your files may be, they still can’t compare to your privacy. Make the right choice.

Sage Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Sage Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file.
  • Before you kill the process, type its name in a text document for later reference.


  • Locate any suspicious processes associated with Sage encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Keep in mind that the process can be hiding and very difficult to detect.

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Sage encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]


  • Then open your explorer, navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig program to double-check the execution point of the virus. Keep in mind that the names on your machine might be different, as they might be generated randomly. That’s why you should run a professional scanner to identify malicious files.
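
Because the value name and the executable name are random, it helps to list every Run entry and judge it by where it points instead of by what it is called. The PowerShell below is an added example, not part of the original guide: it reads the three Run keys from STEP 3 without changing anything, and marks entries whose command line points into %appdata%. The helper name Get-RunEntry, the extra LOCALAPPDATA and TEMP folders, and the signature check are assumptions made for illustration.

```powershell
# Added example: read-only audit of the Run keys listed in STEP 3. Nothing is deleted.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# %appdata% comes from the guide; LOCALAPPDATA and TEMP are added as an assumption.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-RunEntry {   # hypothetical helper name
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }  # Wow6432Node is missing on x86
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            # Does the command line reference a folder the user can write to?
            $inProfile = $false
            foreach ($dir in $userWritable) {
                if ($command.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $inProfile = $true }
            }
            # Best-effort extraction of the executable path (quoted or unquoted)
            $signature = 'not checked'
            if ($command -match '^\s*"?(.+?\.exe)') {
                $exe = $Matches[1]
                if (Test-Path -LiteralPath $exe -PathType Leaf) {
                    $signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status
                } else { $signature = 'file not found' }
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $command
                InUserProfile = $inProfile; Signature = $signature
            }
        }
    }
}

Get-RunEntry -KeyPath $runKeys | Sort-Object InUserProfile -Descending | Format-List
```

Entries with InUserProfile set to True and a Signature of NotSigned are the ones to compare against the process name you wrote down in STEP 1 before deleting anything.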

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may be able to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.
