NASS

NEED HELP WITH DECRYPTING SAGE FILE


THIS MESSAGE SHOWED UP. IS THERE ANY SOLUTION?

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: !HELP_SOS.hta
  • ransomnote_url: http://7gie6ffnkrjykggd.onion/
  • sample_extension: .sage
  • sample_bytes: [0xAC289 - 0xAC28D] 0xBEBA9E5A


I assume that ID Ransomware said it was Sage 2.0? If so, then there is no known way to decrypt files that have been encrypted by Sage 2.0 without obtaining the private key, and since ransomware like this usually generates new keys for every computer it infects the only way to obtain the private key is from the criminals who made the ransomware.

On 19/08/2017 at 05:11, GT500 said:

I assume that ID Ransomware said it was Sage 2.0? If so, then there is no known way to decrypt files that have been encrypted by Sage 2.0 without obtaining the private key, and since ransomware like this usually generates new keys for every computer it infects the only way to obtain the private key is from the criminals who made the ransomware.

Hi, so I have to pay them!!!! IS THERE ANOTHER WAY TO GET THE DECRYPTION KEY? WHAT ABOUT USING WIRE SHARK SOFTWARE, CAN IT HELP????

On 8/23/2017 at 3:38 PM, NASS said:

WHAT ABOUT USING WIRE SHARK SOFTWARE CAN IT HELP????

That would only work if the private key was generated on your computer, and sent to the criminals using an insecure method. It would also only work if you ran Wireshark when the ransomware had originally infected your computer. The keys are generated once, stored, and then after that all the ransomware needs is the public key to do the encryption.

You can try ShadowExplorer and see if the ransomware failed to delete Volume Shadow Copies. If they were deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies the odds of there being backup copies of important files in them are low to begin with.
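
Added example, not part of the original thread or of any poster's message: a read-only Python script that supports the advice above to back up the encrypted files. It inventories every `.sage` file and `!HELP_SOS.hta` note under a folder and records a SHA-256 for each, so the backup copy can be verified later. The function names and the output file name `sage_manifest.csv` are assumptions chosen for this example.

```python
import csv
import hashlib
import os
import sys
from pathlib import Path

ENCRYPTED_EXT = ".sage"        # sample_extension reported in the thread
RANSOM_NOTE = "!HELP_SOS.hta"  # ransomnote_filename reported in the thread
FIELDS = ["kind", "path", "size", "sha256"]


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Walk root without modifying anything; list encrypted files and notes."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                kind = "encrypted"
            elif lower == RANSOM_NOTE.lower():
                kind = "ransom_note"
            else:
                continue
            path = Path(dirpath) / name
            try:
                row = {"kind": kind, "path": str(path),
                       "size": path.stat().st_size, "sha256": sha256_of(path)}
            except OSError as exc:  # unreadable file: record it and keep going
                row = {"kind": kind, "path": str(path),
                       "size": -1, "sha256": f"ERROR: {exc}"}
            rows.append(row)
    return rows


def write_manifest(rows, out_csv):
    """Write the manifest as CSV; keep it alongside the backup copy."""
    with open(out_csv, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(write_manifest(build_manifest(root), "sage_manifest.csv"), "entries")
```

Run it against the affected folder or against the drive mounted on another computer, then re-run it on the backup and compare the hashes.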
