Ransomware Sage is actively developed, and currently we are facing an outbreak of version 2.2.2 of this product. Most often, Sage is dropped by downloader scripts distributed via phishing e-mails (office documents with malicious macros or standalone JS files). It is deployed via WScript running the default Microsoft voice-to-speech service, just like in the case of Cerber. At the end of the execution, the ransom note !HELP_SOS.hta opens automatically.
Source: https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/
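
A triage sketch for the delivery chain and ransom note described above, added here as an example and not taken from the quoted article. The event fields, rule names and sample process-creation events are constructed assumptions; only the note name `!HELP_SOS.hta` and the WScript/JS/macro delivery come from the text.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (image, parent image, command line).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice_4821.js"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\a.vbs"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Desktop\!HELP_SOS.hta"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'notepad.exe "C:\Users\alice\Documents\notes.txt"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
JS_ARG = re.compile(r'\.jse?("|\s|$)', re.IGNORECASE)  # .js/.jse, not .json
RANSOM_NOTE = "!help_sos.hta"  # note file name given in the text above

def basename(path):
    """Lower-cased executable name from a Windows path."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of the (hypothetical) rules an event matches."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"]
    if image in SCRIPT_HOSTS and JS_ARG.search(cmd):
        hits.append("script_host_runs_js")        # standalone JS downloader
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        hits.append("office_spawns_script_host")  # macro-launched script
    if RANSOM_NOTE in cmd.lower():
        hits.append("ransom_note_opened")         # late-stage indicator
    return hits

def triage(events):
    """Return (index, matched rules) for every event with at least one hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, ",".join(hits), SAMPLE_EVENTS[idx]["cmdline"])
```

The first two rules fire before encryption and are the ones worth alerting on; a hit on the ransom note name means the host is already affected and should go straight to containment.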

