Infected with Sage 2.2 Ransomware? Need to decrypt your files?

What is Sage 2.2 Ransomware

Sage 2.2 Ransomware is successor of Sage 2.0 Ransomware and Sage Ransomware based on CryLocker family. It was changed in terms of design of desktop background and payment pages. It also uses new filenames for instructions file and image file (!HELP_SOS.hta and !HELP_SOS.bmp). Virus still adds .sage file extension to encrypted files and uses Microsoft SAPI voice to read the message on your desktop aloud. This is done to create negative psychological effect. Latest version of this ransomware demands 0.17720 BTC or almost $1000 for decryption. To make decryption even more difficult Sage 2.2 removes Windows Shadow Copies, that can be used to recover files. Here is an example of message ransomware virus shows to the users.

You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by “SAGE 2.2 Ransomware”.
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting “SAGE Decrypter” software and your personal decryption key.

On October 13th, BlankSlate malicious spam campaign started giving boost in distribution of Sage 2.2 Ransomware. We prepared following instruction to help you remove Sage 2.2 Ransomware and decrypt .sage files for free.

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

sage 2.2 ransomware
sage 2.2 payment page

How Sage 2.2 Ransomware infected your PC

Sage 2.2 Ransomware uses spam e-mail attachments to infect users computers. All this malicious e-mails have a zip file attached to them. They have random names and subjects but often pretend to be sent from Central Security Treatment Organization. Zip archives contain .docx or .js file, that will download and run the virus. Once uses does it there is no way back because it will soon download small executable and will run it to encrypt files in user folders. Antiviruses have a small chance to catch Sage 2.2 Ransomware virus as it is constantly modified. The only way to protect your computer from such threats is use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.

What to do if you are infected with Sage 2.2 Ransomware virus?

First of all don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer, before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Sage 2.2 Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to Sage 2.2 Ransomware – files, folders, registry keys.


Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of Sage 2.2 Ransomware:

Remove following registry entries:

no information

Remove following files:


How to decrypt files infected by Sage 2.2 Ransomware (.sage files)?

Use automated decryption tools

1. Sage decryption tool from Kaspersky

kaspersky rakhni decryptor for .sage files

There is ransomware decryptor from Kaspersky that can decrypt .sage files. It is free and may help you restore .sage files encrypted by Sage 2.2 Ransomware virus. Download it here:

Download Kaspersky RakhniDecryptor

1. Sage decryption tool from Trend Micro

trendmicro Sage 2.2 Ransomware decryptor

There is ransomware decryptor from Trend Micro that may decrypt .sage files. It is free and may help you restore files encrypted by Sage 2.2 Ransomware. Download it here:

Download Trend Micro Ransomware File Decryptor

There is currently no other automated decryption tool for Sage 2.2 Ransomware files, but that doesn’t mean that you need to pay the ransom. We track the topic and will add any new decryption tool available in this part of the article. Now you can try to use manual methods to restore and decrypt .sage files.

Decrypt .sage files manually

Restore the system using System Restore

system restore

Although, latest versions of Sage 2.2 Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – encrypted by Sage 2.2 Ransomware). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .sage files using shadow copies

shadow explorer gui

  1. Download and run Shadow Explorer.
  2. Select the drive and folder where your files are located and date that you want to restore them from.
  3. Right-click on folder you want to restore and select Export.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your computer from ransomware

hitmanpro alert with cryptoguard

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Information provided by: Alexey Abalmasov

Leave a Reply

Your email address will not be published. Required fields are marked *