<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>This one for Sage "2.0" ransomware performing its post-infection C&amp;C. There are several samples circulating. I have seen references mentioning that Sage is a variant of CryLocker, but some of the samples generate the same UDP traffic observed from Cerber. The ransom notes also resemble those of Cerber.</p>
<p><br>
</p>
<p><span style="font-size: 9pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:" / HTTP/1."; content:"Connection|3A 20|close|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,string,dec,relative; byte_test:3,<,170,0,string,dec,relative; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000824; rev:1;)</span><br>
</p>
<p><span><br>
</span></p>
<p><span>Thank you.</span></p>
<p><span>YM</span></p>
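<p>As an added example that is not part of the original post or of the rule set it references, the rule's header checks re-implemented in Python and run over constructed HTTP requests; the sample requests, host address and URI below are constructed for illustration, not captured traffic:</p>

```python
# Added example (not from the original post): the Snort rule's conditions
# re-implemented in plain Python and run over constructed HTTP requests, so a
# defender can see exactly what the signature does and does not fire on.

def matches_sage_rule(raw: bytes) -> bool:
    """Return True when a raw HTTP request satisfies every test in the rule."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    header_blob = b"\r\n".join(headers)
    # content:"POST"; http_method; urilen:1; content:" / HTTP/1."
    if not request_line.startswith(b"POST / HTTP/1."):
        return False
    # content:"Connection|3A 20|close|0D 0A|"; http_header
    if b"Connection: close" not in headers:
        return False
    # content:"Content-Length|3A 20|"; byte_test:3,>,160 / byte_test:3,<,170
    # The rule reads three bytes as a decimal string, so only 161..169 pass.
    content_length = None
    for h in headers:
        if h.startswith(b"Content-Length: "):
            value = h[len(b"Content-Length: "):][:3]
            if value.isdigit():
                content_length = int(value)
            break
    if content_length is None or not 160 < content_length < 170:
        return False
    # content:!"User-Agent"; content:!"Accept"; content:!"Referer" (case-sensitive
    # substring checks, so "Accept" also excludes e.g. Accept-Encoding)
    forbidden = (b"User-Agent", b"Accept", b"Referer")
    return not any(tok in header_blob for tok in forbidden)

# Constructed sample traffic, not real captures: a request shaped like the
# rule describes, plus near-misses that a defender should expect NOT to alert.
SAMPLE_HIT = (b"POST / HTTP/1.1\r\nHost: 203.0.113.10\r\nConnection: close\r\n"
              b"Content-Length: 165\r\n\r\n" + b"A" * 165)
SAMPLE_WITH_UA = SAMPLE_HIT.replace(
    b"Connection: close", b"User-Agent: Mozilla/5.0\r\nConnection: close")
SAMPLE_LEN_170 = SAMPLE_HIT.replace(b"Content-Length: 165", b"Content-Length: 170")
SAMPLE_LONG_URI = SAMPLE_HIT.replace(b"POST / ", b"POST /upload ")

def check_samples() -> dict:
    """Run the rule logic over each constructed sample; only SAMPLE_HIT matches."""
    return {
        "hit": matches_sage_rule(SAMPLE_HIT),
        "with_user_agent": matches_sage_rule(SAMPLE_WITH_UA),
        "content_length_170": matches_sage_rule(SAMPLE_LEN_170),
        "longer_uri": matches_sage_rule(SAMPLE_LONG_URI),
    }
```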
</div>
</body>
</html>