
NEED HELP WITH DECRYPTING SAGE FILE


NASS

THIS MESSAGE SHOWED UP. IS THERE ANY SOLUTION?

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: !HELP_SOS.hta
  • ransomnote_url: http://7gie6ffnkrjykggd.onion/
  • sample_extension: .sage
  • sample_bytes: [0xAC289 - 0xAC28D] 0xBEBA9E5A

I assume that ID Ransomware said it was Sage 2.0? If so, then there is no known way to decrypt files that have been encrypted by Sage 2.0 without obtaining the private key, and since ransomware like this usually generates new keys for every computer it infects the only way to obtain the private key is from the criminals who made the ransomware.


On 19/08/2017 at 05:11, GT500 said:

I assume that ID Ransomware said it was Sage 2.0? If so, then there is no known way to decrypt files that have been encrypted by Sage 2.0 without obtaining the private key, and since ransomware like this usually generates new keys for every computer it infects the only way to obtain the private key is from the criminals who made the ransomware.

Hi, so I have to pay them!!!! IS THERE ANOTHER WAY TO GET THE DECRYPTION KEY? WHAT ABOUT USING WIRE SHARK SOFTWARE, CAN IT HELP????


On 8/23/2017 at 3:38 PM, NASS said:

WHAT ABOUT USING WIRE SHARK SOFTWARE CAN IT HELP????

That would only work if the private key was generated on your computer, and sent to the criminals using an insecure method. It would also only work if you ran Wireshark when the ransomware had originally infected your computer. The keys are generated once, stored, and then after that all the ransomware needs is the public key to do the encryption.

You can try ShadowExplorer and see if the ransomware failed to delete Volume Shadow Copies. If they were deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies the odds of there being backup copies of important files in them are low to begin with.
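
A scripted version of the shadow-copy check described in the reply above, added here as an example and not part of the original thread: it lists the Volume Shadow Copies that still exist for a drive and counts how many `.sage` files have a pre-encryption copy in each. The folder, the link path and the assumption that an encrypted file is named `<original name>.sage` are illustrative and not taken from the thread.

```powershell
# Added example. Save as a .ps1 file and run from an elevated PowerShell prompt.
# Assumption: an encrypted file is named <original name>.sage.
param(
    [string]$Drive  = 'C:',          # volume to inspect
    [string]$Folder = 'C:\Users',    # hypothetical folder holding encrypted files
    [string]$Link   = 'C:\vss_view'  # hypothetical temporary link; must not exist yet
)

# Map the drive letter to its volume GUID path, then keep only its snapshots.
$volume  = Get-CimInstance Win32_Volume -Filter "DriveLetter='$Drive'"
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Output "No Volume Shadow Copies remain for $Drive"
    return
}

$encrypted = Get-ChildItem -Path $Folder -Recurse -File -Filter '*.sage' `
    -ErrorAction SilentlyContinue

foreach ($sc in $shadows) {
    # Expose the snapshot through a directory link; the trailing backslash is required.
    $target = "$($sc.DeviceObject)\"
    cmd /c mklink /d $Link $target | Out-Null
    try {
        $hits = foreach ($f in $encrypted) {
            # Path the file would have had before the .sage suffix was appended.
            $original = $f.FullName -replace '\.sage$', ''
            $relative = $original.Substring($Drive.Length).TrimStart('\')
            $inShadow = Join-Path $Link $relative
            if (Test-Path -LiteralPath $inShadow) { $inShadow }
        }
        [pscustomobject]@{
            SnapshotTaken  = $sc.InstallDate
            ShadowId       = $sc.ID
            EncryptedFiles = @($encrypted).Count
            Recoverable    = @($hits).Count
        }
    }
    finally {
        cmd /c rmdir $Link   # removes the link only, not the snapshot
    }
}
```

A snapshot with a non-zero `Recoverable` count is worth opening in ShadowExplorer; copy recovered files to a separate disk rather than back onto the affected volume.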
