Spora Ransomware Removal


I wrote this article to help you remove Spora Ransomware. This Spora Ransomware removal guide works for all Windows versions.

Spora ransomware is a win-locker of Russian origin. The malignant program was just discovered. Researchers managed to gather a lot of information on the win-locker within a short time span. The authors of Spora ransomware have named it after the Russian word for “spore”. This name can be interpreted as a description of the virus’ activity. Upon entering a system, Spora ransomware starts encrypting data. The sinister program locks certain files. The hit list of the win-locker includes 23 formats: .doc, .docx, .xls, .xlsx, .odt, .rtf, .mdb, .pdf, .cdr, .cd, .1cd, .dbf, .zip, .rar, .jpg, .jpeg, .tiff, .psd, .7z, .splite, .accdb, .dwg, .backup. When the encryption procedure has been completed, Spora ransomware reveals itself and states the demands of its creators. The cyber criminals want money.

Experts have found that Spora ransomware uses a complicated encryption algorithm. The insidious program generates two keys. The first is created using an RSA cipher, while the second is produced with AES technology. The win-locker encrypts the RSA public key using the AES private key. The virus then encrypts the AES with a public key which is stored in the executable. The public and the private key are saved to a .KEY file. The developers of Spora ransomware have exhibited extensive knowledge of cryptosystems. Experts reported that the algorithm does not have a weakness. It may take a while to break the code of the win-locker.

Spora ransomware creates a ransom note in .html format. It drops a copy of it on the desktop and in selected folders. A unique ID is assigned to every user. The ID is used as a title for the ransom note. Spora ransomware generates the number using the following formula: [country code][2 or 3 more characters]-[5 characters]-[5 characters]-[5 characters]-[5 characters]. The ID number comprises 25 characters. It is divided into five sections, separated by hyphens. The ID begins with a country code. Depending on the victim’s country of residence, an additional 2 or 3 characters are added to the first section. The remaining four consist of generated characters only. The ransom note explains what the purpose of the virus is and forwards the victim to the payment website. It also reveals that the cipher used is RSA-1024.
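For triage, the ID format and the .KEY file described above can be turned into a check over a file listing. This is an added example, not code from the original article. It assumes the ID uses uppercase letters and digits and that the note's file name is the ID plus .html; the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: uppercase letters and digits; the article gives only section
# lengths. First section = 2-letter country code + 2 or 3 more characters.
ID_RE = re.compile(
    r"([A-Z]{2})([A-Z0-9]{2,3})-([A-Z0-9]{5})-([A-Z0-9]{5})"
    r"-([A-Z0-9]{5})-([A-Z0-9]{5})"
)

# The 23 formats the article lists as targeted (copied as written there).
TARGETED = {
    ".doc", ".docx", ".xls", ".xlsx", ".odt", ".rtf", ".mdb", ".pdf", ".cdr",
    ".cd", ".1cd", ".dbf", ".zip", ".rar", ".jpg", ".jpeg", ".tiff", ".psd",
    ".7z", ".splite", ".accdb", ".dwg", ".backup",
}

def parse_spora_id(text):
    """Return the country code and five sections, or None if text is not an ID."""
    m = ID_RE.fullmatch(text)
    if not m:
        return None
    country, extra, *rest = m.groups()
    return {"country": country, "sections": [country + extra, *rest]}

def triage(paths):
    """Sort a file listing into ransom notes, .KEY files and targeted formats."""
    report = {"notes": [], "key_files": [], "targeted": []}
    for raw in paths:
        p = PureWindowsPath(raw)
        suffix = p.suffix.lower()
        if suffix == ".html" and parse_spora_id(p.stem):
            report["notes"].append(raw)      # assumed: note is named <ID>.html
        elif suffix == ".key":
            report["key_files"].append(raw)  # keep: the article says keys are saved here
        elif suffix in TARGETED:
            report["targeted"].append(raw)   # format on the article's hit list
    return report

# Constructed sample listing (not real indicators).
SAMPLE = [
    r"C:\Users\a\Desktop\US7A1-AB12C-DE34F-GH56I-JK78L.html",
    r"C:\Users\a\Desktop\index.html",
    r"C:\Users\a\Desktop\US7A1-AB12C-DE34F-GH56I-JK78L.KEY",
    r"C:\Users\a\Documents\budget.xlsx",
    r"C:\Users\a\Documents\notes.txt",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        print(kind, hits)
```
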


Spora ransomware is remarkable for having the most complicated payment website. The site is hosted on the Tor network. What makes this win-locker unique is that it gives victims several options. The reason seems to be financial. If the victim cannot afford to pay for a full decryption, he can opt for a partial decryption. There are five alternatives, labeled as purchasings. The full restore would recover all infected files. The immunity option is not described. It is more expensive than the file restore, so it should unlock more objects. If you just want to have Spora ransomware uninstalled from your machine, you can choose the remove alternative. The final option is to select two files for free recovery. Examining separate cases, experts have discovered that the sums vary. The complete restore ranges from $79 USD to $280 USD.

The developers of Spora ransomware give victims a limited amount of time to complete a payment. The decryption key is scheduled to be deleted 5 days after the encryption. The hackers ask people to pay in bitcoins. This is a cryptocurrency. They have provided a guide on how to make a transaction. This payment method is the most secure, as it protects their identity. The Tor network, where the payment website is hosted, enhances the protection. It hides the geographic location of their devices. Until a custom decrypter is released, the only way to recover your data would be to pay the ransom. Note that cooperating with the criminals is not advised. The cyber criminals have already deceived you when Spora ransomware was transferred to your machine. You still have an encrypted version of your files. It is best to wait for experts to crack the code of Spora ransomware.

The distribution campaigns Spora ransomware uses are also complex. The covert program travels in spam emails, hidden inside a zipped archive. The sender behind the bogus message makes it appear genuine by writing in formal style and citing the name of an entity. The bogus notifications we have observed talked about an account audit. The attachment had a double extension. The first was either .DOC or .PDF, while the second was .zip. This is a major red flag and also a revelation. Adding two extensions indicates a malicious file. There were two .hta files in the folder. According to the sender, they were documentation regarding an audit order. In reality, the files contained Spora ransomware. Opening the files would prompt the download and installation of the hidden program. To avoid getting tricked by spam campaigns, you need to check your emails carefully. Verify the sender’s contact details.
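The two warning signs described above (a .DOC or .PDF name followed by .zip, and .hta files inside the archive) can be checked mechanically at a mail gateway or during triage. This is an added example, not code from the original article; the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import zipfile

DECOY_EXTS = {"doc", "pdf"}  # first extension named in the article

def has_double_extension(filename):
    """True for names like Audit.PDF.zip: a document extension followed by .zip."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "zip" and parts[1] in DECOY_EXTS

def hta_members(data):
    """List .hta entries in a ZIP archive; empty list if data is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".hta")]

def inspect_attachment(filename, data):
    """Combine both checks into a verdict a mail filter could act on."""
    double = has_double_extension(filename)
    members = hta_members(data)
    return {
        "double_extension": double,
        "hta_members": members,
        "quarantine": double or bool(members),
    }

def make_zip(names):
    """Build a constructed test archive; members hold harmless placeholder text."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in names:
            zf.writestr(name, "placeholder")
    return out.getvalue()

if __name__ == "__main__":
    lure = make_zip(["order_1.hta", "order_2.hta"])  # constructed sample
    print(inspect_attachment("Audit.PDF.zip", lure))
    print(inspect_attachment("photos.zip", make_zip(["beach.jpg"])))
```

Either signal alone sets `quarantine`, so a renamed archive that still carries .hta members is caught as well.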

Spora Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Spora Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete them, so your first attempt should be to restore the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point at least a month old
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above methods work, you should try to recover encrypted files by using file recovery software. Since Spora Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and network security, and online safety. If you have any questions, feel free to ask him right now.
