Sage Ransomware Removal Guide

Sage Ransomware was named according to the extension it appends to its damaged files. Luckily, it cannot harm all data on the system as it chooses particular locations. Accordingly, the amount of affected valuable files may vary for each user. The malware’s creators encourage you not to “wait for a miracle” and pay the ransom while it is not doubled, but if the enciphered files are not so valuable or you have other ways to recover it, we would recommend not to waste any money and ret rid of the threat as fast as possible. To eliminate it manually we could offer the instructions available below the text, although if you are an inexperienced user, it could be easier to erase Sage Ransomware with reliable antimalware software.

If you have no idea how the computer was infected with Sage Ransomware, you should remember if you downloaded any unreliable data received through Spam emails. That is because the malware is most likely distributed with infected attachments. It is possible that such files could look like Microsoft Word, PDF, and other documents. Some malware creators do so to trick users into thinking that the file is not a harmful one. Sadly, it is enough to launch an infected attachment and the threat might be able to install itself on the computer without the user even noticing it.

Furthermore, when Sage Ransomware is installed it should encrypt various files on the %USERPROFILE% and %HOMEDRIVE% folders. Both of these locations might have subfolders, but the malicious application encrypts them only in the %USERPROFILE% path. Meaning, it can only encipher separate files on the %HOMEDRIVE% directory. Plus, each encrypted file should be marked with .sage extension, so users can quickly identify the files that were damaged.

What’s more, after encrypting your data, the malware should announce its presence by placing ransom notes on your Desktop and a couple of other locations. According to our specialists, Sage Ransomware might even create a startup shortcut, so that the computer would launch the ransom note each time it is turned on. The message says users have to pay the ransom in approximately four days or else it could be doubled.

The note should also explain how to convert your money into Bitcoins and make the transfer to the malicious applications creator’s account. Thus, paying the ransom might seem like the same thing as purchasing something online. Sadly, it is much more complicated since you cannot completely trust the malware’s creators. Not to mention that there are no reassurances or refunds either. Naturally, our specialists advise against paying the ransom.

If you have no plans to pay the ransom, we recommend Sage Ransomware’s removal. For example, you could try to erase it while following the deletion instructions added at the end of the article, although we have to warn you that it might be not as easy as it could look like. The malware’s data you would have to locate and remove manually should have random titles, so it could be hard to identify it. If you do not completely trust your computer skills, there is another way to get rid of the infection. What we have in mind is a legitimate antimalware tool. It can track malicious data on the system and help you erase it automatically. Nonetheless, if you are having any difficulties, contact us by leaving a comment below or reaching us through social media and we will try to reply as soon as possible.

Eliminate Sage Ransomware

1. Find the directory (e.g. Downloads, Desktop, and so on) where the malicious file that you opened before the computer got infected was saved.
2. Select the malicious installer, right-click it and choose Delete.
3. Open the Explorer (Win+E).
4. Search for this location: %APPDATA%
5. Find the other randomly named malicious file, e.g. cGji7ESJ.exe, right-click and click Delete.
6. Go to this path: %ALLUSERSPROFILE%\Start Menu\Programs\Startup
7. Locate a randomly named shortcut, e.g. 92g8map6.lnk, then right-click it and select Delete.
8. Find the listed locations: Desktop, %USERPROFILE%\My Documents, %TEMP%
9. Search for the malware’s created files with the ransom note, e.g. !Recovery_WQea3s.txt, !Recovery_WQea3s.html, then right-click them separately and press Delete.
10. Right-click the Recycle Bin and empty it.