Learn the details of Spora ransomware, a new generation threat using efficient infection channels, advanced crypto and a diversified ransom payment service.
What is Spora ransomware? (Apr. 2017)
When it seemed that the sophistication of ransomware attacks had reached its peak, the ill-minded developers of the new Spora ransomware proved the opposite. This strain was discovered in early January 2017. Researchers who analyzed the obtained samples started emphasizing right away that they’re dealing with an infection crafted by high-profile threat actors, possibly the group that’s behind such extortion monsters as Locky and Cerber. It shortly became obvious that the Spora propagation campaign is well-orchestrated and the code of the perpetrating program itself is professional to the bone. This ransomware encrypts victims’ files in what’s called the autopilot mode. It denotes a mechanism where the pest completes the entire contamination and crypto chain without producing any in- or outbound traffic. Such a technique is a big obstacle for detection with conventional antimalware software.
The Spora ransom Trojan originally targeted users in Russia and a number of other East European states where the Russian operating system localization is common. By January 24, though, the distribution began expanding to other parts of the globe, including the Netherlands, Austria, and more. A plausible explanation of this is that the ransomware authors had conducted some testing and fine-tuning of their baddie before hitting the more traditional locations for online extortion campaigns.
As part of the intrusion, Spora opens a DOCX (Microsoft Word) file that displays an error dialog about file format and extension mismatch. This is a way to distract the victim from what’s happening in the background. Meanwhile, the ransomware scans the local drives and network shares for about 20 types of files, including ones with the .doc, .docx, .xls, .xlsx, .pdf, .rtf, .jpg, .jpeg, .rar, .zip, .psd, and .sqlite extensions. Items stored in Program Files, Windows and Games folders are ignored – that’s probably because the malefactors need the system to keep running stably. It’s worth mentioning that the infection targets a fairly scarce range of data formats at this point, at least compared to the majority of file-encrypting Trojans in the wild.
Having found the victim’s most important data entries, Spora ransomware leverages a complex fusion of AES and RSA cryptosystems to lock those files down. It does not modify filenames along the way. Then, it displays an HTML ransom note whose name matches a unique 25-character ID assigned to the plagued system. It’s this ID that should be entered in the Personal Area authorization box in the ransom note. Once this is done, the victim will end up on the decryption service titled Client Page (located at spora.bz/spora.biz). To proceed, they are required to synchronize their machine with the malicious system by uploading the .KEY file that was created by the Trojan during the compromise. This synchronization is a completely new thing in the ransomware arena. Its purpose is to allow the service to rate a particular computer in terms of the value of encrypted data. The size of the ransom is a derivative of this routine, so it’s not going to be identical for different victims. The cost of full recovery may range from $79 to about $300, depending on the volume of hostage data and its importance. By the way, the Client Page section called My Purchasings includes alternative, cheaper features such as immunity, removal, file restore, and test recovery of two files.
If confronted with the Spora ransomware, users should commence the troubleshooting from some of the best practices of crypto virus removal and data restoration. The ransom is the last resort rather than the only option – keep that in mind.
Spora ransomware automated removal and data recovery
Owing to an up-to-date database of malware signatures and intelligent behavioral detection, the recommended software can quickly locate the infection, eradicate it and remediate all harmful changes. So go ahead and do the following:
1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Computer Scan button.
2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Fix Threats to get the troubleshooting completed.
Data recovery toolkit to the rescue
Some strains of ransomware delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Data Recovery Pro by ParetoLogic features this type of capability; therefore, it can be applied in ransom attack scenarios to at least get the most important files back. So download and install the program, run a scan and let it do its job.
Spora ransomware manual removal and file recovery
Some ransomware strains terminate themselves after completing the encryption job on a computer, but some don’t. Furthermore, the Spora virus may prevent victims from using popular antimalware tools in order to stay on board for as long as possible. Under the circumstances, it may be necessary to utilize the Safe Mode with Networking or System Restore functionality.
- Restart the machine. When the system begins loading back up, keep pressing the F8 key with short intervals. The Windows Advanced Options Menu (Advanced Boot Options) screen will appear.
- Use arrow keys to select Safe Mode with Networking and hit Enter. Log on with the user account infected by the ransomware.
- Click on the Search icon next to the Start menu button. Type msconfig in the search field and select the System Configuration option in the results. Go to the Boot tab in the upper part of the GUI.
- Under Boot options, select Safe boot and click the Apply button. A prompt will appear to reboot the computer so that the changes take effect. Select the Restart option and wait for the system to load into Safe Mode. Again, log on with the ransomware-stricken user account.
In Safe Mode, the ransom Trojan won’t keep security software from running or otherwise thwart troubleshooting. Open your preferred web browser, download and install an antimalware tool of choice and start a full system scan. Have all the detected ransomware components removed in a hassle-free way.
- Open Windows Advanced Options Menu as described in the previous section: hit F8 repeatedly when the PC is starting up. Use arrow keys to highlight the Safe Mode with Command Prompt entry. Hit Enter.
- In the Command Prompt window, type cd restore and hit Enter.
- Type rstrui.exe in the new command line and press Enter.
- When the System Restore screen pops up, click Next, select a restore point that predates the contamination, and use the application’s controls to roll back the system to this earlier state.
Be advised that even after the ransomware is removed, files will still be encrypted and inaccessible. The malicious code cleanup part, however, is important because it keeps a relapse of the infection from occurring further on and eliminates all opportunistic malware.
Checking one’s options regarding this workaround is doable in two ways: through the Properties menu of each file or by means of the remarkable open-source tool called Shadow Explorer. We recommend the software-based way because it’s automated, hence faster and easier. Just install the app and use its intuitive controls to get previous versions of the encrypted objects reinstated.
Alternatively, you can leverage the Previous Versions feature, which is native to the Windows operating system. This method is more cumbersome than the use of ShadowExplorer, but it can help restore the most important individual files on condition that the ransomware failed to disable the Volume Snapshot Service on the computer. Right-click on a file of choice and select Properties. Then, go to the Previous Versions tab as illustrated below.
Go ahead and pick the file’s latest backup version on the list. Use the Copy or Restore buttons to reinstate this object to a new path or to its original folder, respectively.
- Toggle your email provider’s anti-spam settings to filter out all the potentially harmful incoming messages. Raising the bar beyond the default protection is an important countermeasure for ransom Trojans.
- Define specific file extension restrictions in your email system. Make sure that attachments with the following extensions are blacklisted: .js, .vbs, .docm, .hta, .exe, .cmd, .scr, and .bat. Also, treat ZIP archives in received messages with extreme caution.
- Rename the vssadmin.exe process so that ransomware is unable to obliterate all Shadow Volume Copies of your files in one shot.
- Keep your Firewall active at all times. It can prevent crypto ransomware from communicating with its C&C server. This way, the threat won’t be able to obtain cryptographic keys and lock your files.
- Back up your files regularly, at least the most important ones. This recommendation is self-explanatory. A ransomware attack isn’t an issue as long as you keep unaffected copies of your data in a safe place.
- Use an effective antimalware suite. There are security tools that identify ransomware-specific behavior and block the infection before it can do any harm.
These techniques are certainly not a cure-all, but they will add an extra layer of ransomware protection to your security setup.
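The attachment restrictions from the list above can be checked programmatically. The following is an added example, not part of the original article: it screens a raw message against the listed extensions and also looks inside ZIP attachments, which the article says to treat with caution. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article says to block on inbound attachments.
BLOCKED = (".js", ".vbs", ".docm", ".hta", ".exe", ".cmd", ".scr", ".bat")


def blocked_ext(name):
    """Return the blocked extension a file name ends with, or None."""
    lowered = name.lower().rstrip(". ")  # Windows ignores trailing dots/spaces
    return next((e for e in BLOCKED if lowered.endswith(e)), None)


def screen_message(raw):
    """Return (attachment name, reason) findings for one raw message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if blocked_ext(name):
            findings.append((name, "blocked extension"))
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if blocked_ext(info.filename):
                            findings.append((name, "contains " + info.filename))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
    return findings


def sample_message():
    """Constructed message: one clean PDF, one macro document, one ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0417.JS", "// constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"x", maintype="application", subtype="octet-stream", filename="notes.docm")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scan_0417.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in screen_message(sample_message()):
        print(name, "->", reason)
```

The check is case-insensitive and name-based only, so it complements rather than replaces content scanning at the mail gateway.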
Spora ransomware evolution
Spora, which is a transliterated Russian word for “spore”, denotes a new generation of crypto ransomware featuring high-profile propagation vectors combined with robust encryption practices. Judging by multiple sophisticated characteristics, this strain was cooked up by a professional online extortion group rather than newbies.
Once the malicious code injection has taken place, this hostile program deploys its complete attack chain without engaging network communication along the way. This capability allows it to fly under the radar of firewalls and security tools. Another adverse trait is its unique, well-orchestrated encryption routine involving several cipher layers.
The infection has gone through a number of distinct tweaks over time. The part below covers a retrospective background of the Spora ransomware as well as the current state of this rampant campaign.
In order to distract a victim from the bad things going on in the background, Spora fires up a .docx file whose content appears to be corrupted. An error dialog pops up to make this trick look more true-to-life.
Meanwhile, the ransomware traverses the hard drive and network repositories for data to be encrypted. The original variant of Spora only targeted files with the following extensions: .1cd, .7z, .accdb, .backup, .cd, .cdr, .dbf, .doc, .docx, .dwg, .jpg, .jpeg, .mdb, .odt, .pdf, .psd, .rar, .rtf, .sqlite, .tiff, .xls, .xlsx, and .zip. The pest would skip information stored under Program Files, Windows, and Games directories.
Then, Spora gets down to encryption proper. To this end, it generates an RSA and AES key pair for every file, encodes the RSA key with the AES key, encrypts the latter with a separate public key and saves the entirety of this cryptographic information for all the victim’s data to a .KEY file. The perpetrating program adds this file along with the ransom note to the desktop. The name of the HTML recovery how-to matches a user-specific ID string. The contents of this file proper originally looked like this:
Again, the instructions provided in this window are in Russian as far as the first version of the ransomware is concerned. It serves as a login page leading to the Spora decryption service titled the Client Page. To authenticate, the victim is supposed to enter the above-mentioned personal ID in there. Then, they need to synchronize their computer with the linked-to decryption portal. To do this, they must upload their .KEY file that the ransomware had dropped on the desktop.
It was apparent from the very beginning that Spora definitely stood out from the rest due to its sleek and intuitive payment service page. Furthermore, no other ransomware out there employs a multi-layered encryption mechanism like this one does.
Aside from using spam, the crooks have started utilizing exploit kits to deposit the offending program onto computers. The ransom note created by the new variant is in English. Its name still sticks with the following pattern: [victim_ID].html. The unique identifier consists of four groups of hexadecimal characters separated by dashes, with five characters in each group. That’s different from the previous edition, which generated longer IDs composed of five such clusters.
Similarly to its predecessor, Spora version 2 does not blemish encrypted files with any extensions. It does not alter filenames either. The range of targeted data formats has been considerably expanded beyond the original set of only 23 types. The encryption process proper did not undergo any noteworthy changes – it’s still as complex, robust and uncrackable as before.
To add insult to injury, the infection has become yet more intelligent in terms of harvesting information and building victim profiles. It breaks one’s files down into six categories based on their potential value for the user. These statistics, along with all the cryptographic details for a specific victim, are included in the .KEY file mentioned above. When the plagued user ends up on the Client Page, they still get a “Synchronization Required” warning.
Once the [victim_ID].KEY file has been uploaded via this interface, Spora payment portal analyzes the volume and importance of the target’s locked data and automatically calculates the amount of Bitcoin that the user must pay to restore it. The section called “My Purchasings” reflects victim-specific prices for the following services: full restore, immunity, removal, and partial file restore. The immunity feature is interesting. If enabled, it supposedly prevents the same victim from being infected with Spora in the future. Again, the full decryption price varies from case to case. It’s going to be lower for a home user than for an organization whose entire IT network got hit. Overall, the amount may range from $79 to $300.
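Because Spora leaves filenames and extensions untouched, the ID-named ransom note and .KEY file are the most visible on-disk artefacts. The following is an added example, not part of the original article: it scans a file listing for [victim_ID].html and [victim_ID].KEY names using the ID layout described above (groups of five hexadecimal characters, five groups in the first version and four in the second). The function name and the sample paths and IDs are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# ID layout as the article describes it: dash-separated groups of five
# hexadecimal characters; five groups in the first version, four in the second.
ID_RE = re.compile(r"^[0-9A-Fa-f]{5}(?:-[0-9A-Fa-f]{5}){3,4}$")
VARIANT = {5: "first version (five groups)", 4: "second version (four groups)"}


def find_spora_artifacts(paths):
    """Group ID-named .html/.KEY files by folder and ID."""
    seen = defaultdict(set)
    for p in map(PureWindowsPath, paths):
        ext = p.suffix.lower()
        if ext in (".html", ".key") and ID_RE.match(p.stem):
            seen[(str(p.parent), p.stem.upper())].add(ext)
    hits = []
    for (folder, vid), exts in sorted(seen.items()):
        hits.append({
            "folder": folder,
            "id": vid,
            "variant": VARIANT[vid.count("-") + 1],
            # A note plus a key file with the same ID is the strong signal;
            # a lone match is weaker and worth a manual look.
            "confidence": "high" if exts == {".html", ".key"} else "low",
        })
    return hits


# Constructed listing (for example, exported from user Desktop folders).
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\A1B2C-3D4E5-F6071-8293A.html",
    r"C:\Users\alice\Desktop\A1B2C-3D4E5-F6071-8293A.KEY",
    r"C:\Users\bob\Desktop\0F1E2-D3C4B-5A697-88796-A5B4C.html",
    r"C:\Users\bob\Desktop\index.html",
    r"C:\Users\bob\Documents\budget.xlsx",
]

if __name__ == "__main__":
    for hit in find_spora_artifacts(SAMPLE_LISTING):
        print(hit)
```

A high-confidence hit also marks the .KEY file as something to preserve before cleanup, since the article describes it as holding the cryptographic information for the victim's data.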
No matter how bizarre it may sound, the latest variant of this ransomware goes with quality customer support. The Tor-protected Client Page includes a “Public Communication” pane, where victims can submit their questions and reviews. In a move never seen before, Spora operators provide ransom discounts for those who give their decryption service good feedback that will encourage others to pay up with confidence that their data will be restored. Also, some users have reportedly got the payment deadline disabled this way.
Clever segmentation of victims’ data, top-notch synchronization with plagued computers, rock-solid encryption in autopilot mode, and responsive customer service – these are all hallmark signs of the Spora ransomware in its current state. What’s next? As its evolution is underway, further changes are imminent. Stay tuned to learn what else to be prepared for.
Revise your security status
Post-factum assessment of the accuracy component in malware removal scenarios is a great habit that prevents the comeback of harmful code or replication of its unattended fractions. Make sure you are good to go by running an additional safety checkup.