Spora ransomware, a new ransomware variant, has been discovered by Emisoft. This ransomware included a new tactic which involves victims having a wide range of their files encrypted as with other forms of file-encrypting malware before being offered the option of preventing more ransomware attacks if they pay up.
The hackers would not be able to stop attacks performed by other gangs – with other ransomware variants – although if the hackers can be believed, victims would only be hacked with Spora a single time if they opt to pay for ‘Spora immunity’ rather than just paying to unlock the encryption once.
Sadly, for the victims, that payment will be required to unlock the infection if a viable backup of data is not in place. Currently, there is no decryptor available for Spora.
Emisoft says that the encryption used is particularly durable and even if a decryptor was developed, it would only be effective for preventing a single user due to the complex method of encryption used – a combination of AES and RSA keys using the Windows CryptoAPI.
Unlike many ransomware variants that communicate using a command and control server, Spora ransomware is not issued any C&C instructions. This means that files can be encrypted even if the computer is offline.
The authors have not requested a fixed ransom amount, as this depend on the ‘value’ of the encrypted data. The ransom payment will be established based on who the user is and the files that have been encrypted. Prior to files being encrypted, a review is performed to see who has been infected. Encrypted files are sorted based on extension type and the data is combined into the .KEY file along with information about the user. The .key file must be given in the payment portal. An HTML file is also placed on the desktop with details of how payment can be completed.
The ransomware is being shared using spam email. Infection happens when an email recipient opens the infected attachment. The attached file seems to be an authentic PDF invoice, although it includes a double file extension which masks the fact it is really a .HTA file. Infection occurs via JScript and VBScript included in the file.
Cling on the file to open it launches a Wordpad file which displays an error message saying the file is invalid. When this is happening the ransomware will be encrypting data.
Emisofts says that the ransomware is slick and seems to be highly professional. Usually, the first versions of ransomware invariably include containmany flaws that allow decryptors to be developed. In this instance, there appear to be none. Spora ransomware also tracks infections via separate campaigns. The data will likely be used to determine the effectiveness of different campaigns and could be used to manage future attacks.
The slick design of the HTML ransom note and the payment portal show significant work has gone into the developing of this new ransomware. Emisoft suggests that Spora ransomware has been developed specifically for the ransomware-as-a-service market.
Prevention this the best option to avoid this malware. As Spora ransomware is shared using spam email, blocking malicious messages is the best defense against infection, while recovery will only be possible by paying the ransom demand or rescuing data from a backup.
