VERY IMPORTANT

The Sage ransomware variant appears to have been out of circulation for a while in the malware scene. Since we published our article on Sage 2.0 last February, and the discovery of version 2.2 in March, the FortiGuard Labs team hasn’t seen significant activity with this malware for over six months. However, we just recently found new Sage samples that, while they appear to still be Sage 2.2, now have added tricks focused on anti-analysis and privilege escalation. In this article, we will share our findings of these recent updates.