Search 10,000+ fixes & guides ⌘K Write a guide
ACTIVE MALWARE WINDOWS

How to recover
Files Encrypted by Sage Ransomware
from Windows

Quickly recover files encrypted by Sage Ransomware on Windows 10 and 11. Expert-tested methods ensure no traces left behind, restoring your data safely.

Vera Simmons
Vera Simmons 14 Feb 2017 · 4 min read
How to Recover Files Encrypted by Sage Ransomware?
Quick Summary
Data at risk
Medium
Est. time
20 minutes
Offer Fortect PC Suite
Recover files →
Ad · we may earn a commission
0 Comments
01

What leads to How to Recover Files Encrypted by Sage Ransomware?

  • Files are encrypted by Sage ransomware
  • Sage virus appends .sage file extensions
  • Sage leaves recovery files on the desktop
  • Sage changes desktop wallpaper
  • Ransom is demanded for file recovery
Offer Fortect PC Suite

Repairs Windows system files, removes malware, and restores a clean OS state — without reinstalling.

Ad · we may earn a commission
Get Fortect PC Suite ↗

Hello, my files have been corrupted in some kind of way, and I can see that they all have .sage file extensions now. I believe my computer was hit by a virus named Sage. Can you help me to recover files encrypted by Sage ransomware, please?

Sage ransomware is an active threat nowadays, and its authors are taking all possible measures to distribute this malicious program efficiently. They have already created Sage 2.0 ransomware, too. Due to many complaints that Sage ransomware victims express on online forums, we assume that criminals’ efforts to spread this virus pay off. Just like you discovered, Sage virus appends .sage file extensions to files it encrypts and then leaves !Recovery_[6 chars]_ file on the desktop in two different formats - .txt and .html. The virus changes desktop wallpaper with a black image with some red text on it. This text says:

ATTENTION!
Sage encrypted your files!

After reading all information provided in these files, you probably realized what does this malicious program wants from you. It encrypted your data in order to blackmail you and keep your files locked until you pay an enormous ransom. You should not pay ransoms to cyber criminals - they tend to simply take victim’s money and make off with it. If you do not want to waste your money, better keep it for yourself. Now, we must say that unfortunately, malware analysts weren’t able to find flaws in Sage’s source code and therefore nobody managed to create Sage decryption tool. However, there is still hope to restore at least part of your files. We will list all possible data recovery options below, so do not give up and try all of them out.

Quick tip: Do not forget to remove Sage virus before you start data recovery procedure. You do not want the virus to interrupt this process! We recommend you to follow these Sage removal instructions and use a malware removal tool like [d1] to get rid of the virus.

How to Recover Files Encrypted by Sage Ransomware?

Technique 1. Use a Data Backup

The best, most efficient and 100% working method to recover files encrypted by Sage ransomware is based on data backups. If you have noticed warning from IT security experts a while ago and created a data backup, count yourself lucky. You can use it now and recreate at least the majority of data that Sage virus corrupted. You need to uninstall the virus first - do not rush to plug the device with data copies into the compromised computer; otherwise the malware might contaminate it as well and this way you could lose your backup! Once you are sure that the virus is gone for good, plug the device into the computer and transfer data copy onto the computer.

TIP: We do not recommend you to delete data that was encrypted. Consider transferring it to a particular folder or moving to an external data storage device. There were some cases when a “miracle” happened, and ransomware decryption keys were released/leaked publicly.

Technique 2. Use Volume Shadow Copies Service

If you didn’t know this yet, Microsoft bundles a special technology into Windows operating systems, which creates automatic or manual backups now and then. Volume Shadow Copies can be used to recreate files that have been deleted or modified in a particular way. It means that they can also be used when files become encrypted. Sometimes viruses delete Volume Shadow Copies, so in such case, you won’t be able to recover files using this method.

  1. Install ShadowExplorer. It is a program that will help you to detect Volume Shadow Copies. You can download ShadowExplorer from its official website.
  2. Open the program and click on a menu in the top left corner of its window. Here, select disk that stores encrypted files.
  3. Select folder that you wish to restore and choose “Export.”

Technique 3. Use Data Recovery Pro

  1. Data Recovery Pro is an advantageous tool that can help you to restore modified files easily. Although it might not be able to break Sage’s encryption, we still recommend you to try this tool.
  2. Download [rev id=”Data Recovery Pro”].
  3. Install it on your computer using directions provided by the installation wizard.
  4. Open the program and run a system scan to detect .sage file extension files.
  5. Restore your files.

Technique 4. Restore Files With a Help of a Restore Point

Created a restore point a while ago? Then we believe that you will be able to recover your files using this method.

  1. Right-click on a file that you wish to restore.
  2. A menu will appear. Choose “Properties” from the list. Then go to “Previous Versions” tab.
  3. In “Folder versions,” look for previous file versions, select the one you wish to restore, and hit “Restore” button.

Bottom line

To recover files encrypted by Sage ransomware, you can try using a data backup, restoring files from previous versions, or employing data recovery software. It is crucial to remove the Sage virus before attempting recovery. If none of these methods work, consider seeking professional data recovery services.

Frequently asked questions

Disconnect your device from the internet to prevent further damage, then assess the situation by checking for backup options before considering recovery tools.

Currently, no specific decryption tool has been confirmed for Sage ransomware, so your best option may be to restore files from a backup if available.

Ensure your operating system and security software are up to date, and regularly back up your important files to an external drive or cloud storage.

Did this fix work for you?
Vera Simmons

Written & verified by

Vera Simmons
Ransomware & Recovery Specialist
Ransomware identification and decryption Encrypted file recovery Backup verification Incident response Crypto-malware analysis

Vera Simmons specializes in ransomware incidents, helping victims identify the strain, locate available decryptors, and recover files where possible. She also covers preventive backup strategies to minimize damage from future attacks.

61 guides published All articles →
0 Comments

Be the first to comment

Log in to post your comment
Log in to comment

Still worried? Run a free check.

Paste any URL or domain — we'll scan it against 4.2M known threats in 10 seconds.

View full scanner → Add to your website →