How to remove (uninstall) Sage ransomware

Lately we’ve seen lots of new ransomware that showed us many new tricks and methods of penetration and distribution. New version of Petya/Misha ransomware locks the hard drive, and 99% of new ransomware use not only the usual e-mail method of distribution via Trojan or script, but also the new variant which is being performed via macro in Excel tab. The virus about which we’ll talk today is called Sage ransomware. It appends .sage extension to all encrypted files, and demands the ransom of 0.9 BTC for the decryption of files.

Sage ransomware use the easiest method of distribution: via e-mail spam. It is performed with help of usual deception: hackers send thousands of letters to the random users, and those letters are made to convince users that they’re sent from some business-partner, colleague, shipment company, online-store etc. The letter may say that user needs to obtain the recently arrived package from the nearest mail office, or that the use won the lottery prize, or that he needs to view the invoices, attached to the letter. There are many versions of such letters, but they all are aimed at one thing: to make user click on the attachment, and run the script. When the script is being executed, virus installs on the PC and starts its malicious activity.

First of all, virus saves its files to system folders in which it can try to gain full control over user’s hard drive. Virus searches for the files which are most often used to store the important information: .doc, .docx, .xlsx and .PDF. These files are encrypted in the first place, and then – the others. Few years ago user had a chance to avoid the encryption by ransomware with help of some exotic file extension, but now the list of affected extensions is very wide. After the encryption of the files, ransomware tries to perform another sort of encryption, but now the target is the Master File Table (MFT), and if this process will be successful – user will lose control over his hard drive, because the system won’t be able to operate with encrypted MFT.

So, if the virus isn’t discovered before it ends the encryption processes, it will keep user’s data as hostages as long as it wants. When the encryption is complete, virus displays the instructions on the payment procedure, with short info about the encryption algorithms and address of the payment website. If you are a victim of this ransomware, the last thing for you to do is to pay the ransom. First of all, you have no guarantees that scammers will really decrypt the data, and the second reason is that every coin, paid to hackers will be spent on the development of other ransomware. If you don’t want to contribute the Internet-criminals, the best thing to do is to delete the virus from your PC and keep the encrypted files until the decent decryption tool will be released.

The deletion of Sage ransomware isn’t a big deal for any user, but if you have no experience in such things – we have decent instructions for you. You can follow our instructions, or delete the ransomware with help of antiviral program which can be found by the link below this paragraph. Also we can give you few advices about file decryption, but we can’t guarantee that they will work. All useful information about file decryption can be found in out article, called How to decrypt files and restore information.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Special Offer

Antivirus scanner

Why we recommend SpyHunter antimalware

Detects most kind of threats: malicious files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If program detects infected elements on the computer, you will need to purchase malware removal tool for $39,99 to delete threats. SpyHunter has Free Trial for one remediation and removal, subject to a 48-hour waiting period. Uninstall steps and additional information EULA , Privacy Policy and Threat Assessment Criteria.

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.