Symantec Security Response has recently discovered the Sage 2.0 ransomware (Ransom.Cry) being delivered by the Trojan.Pandex spambot, which we have previously seen distributing JS downloaders whose payloads included spambots, banking Trojans, and ransomware. We have also recently observed Sage 2.0 sharing similar routines with the Cerber ransomware (Ransom.Cerber), although no link between the two malware families could be fully established.
Sage 2.0 evolved from Crylocker (Ransom.Cry), which emerged in September 2016, and continues to be used today. Sage was previously delivered through the Rig exploit kit (EK), but is now mostly delivered through spam. We have also seen Sage 2.0 being downloaded by the Trik botnet, which uses the Trojan.Wortrik malware to compromise computers.