A brand new ransomware family has been just found. It is called Spora, which is the Russian word for “spore”, and has very impressive features. Among them are the ability to work offline, the solid encryption routine, and a neat payment website which has never been seen before.
Spora ransomware was first noticed on the Kaspersky and Bleeping Computer forums, and the first analysis of the infection were made by the security experts Lawrence Abrams and Fabian Worsar.
Usually, the Spora ransomware is distributed via spam emails disguised as invoices. Victims receive the emails with attachments in the form of ZIP files containing HTA files.
The HTA (HTML Application) files use a double extension, as PDF.HTA or DOC.HTA. As on Windows computers the file extension is hidden, users will see only the first extension and might be manipulated to open the file. If they launch any of these file, the Spora ransomware process starts.
Once the user runs the HTA file, it will extract a Javascript file named close.js to the %Temp% folder, which then extracts an executable to the same folder and executes it. This executable uses a randomly generated name and encrypts the files on the computer.
The HTA file will also extract and execute a DOCX file. As this file is corrupted, it will show an error. Some other malware families use the same trick, opening corrupted files in order to trick users into thinking the file had been damaged during the email transfer or the download operation so as to not alert them of foul play. However, what is different about Spora ransomware is its ability to work offline without generating any network traffic to online servers.
Also, Spora doesn’t target a large number of files. The current version of Spora only goes after files with the following file extensions:
.xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup
The encryption process targets local files and network shares, and does not append any extra file extension at the end of files, leaving file names intact. Besides, the Spora ransomware skips files located in certain folders to avoid damaging computers to the point where it prevents normal boot procedures and other operations.
By default, Spora will not encrypt files in folders that contain the following strings in their names:
games
program files (x86)
program files
windows
The Emisoft security expert Fabian Wosar, claims that at this point Spora does not contain any weaknesses in its encryption routine. The entire encryption operation appears to be very complicated. The Spora ransomware follows the complicated routine for the creation of the .KEY file and for the creation of the encryption key used to lock each files.
According to Wosar, the routine for the creation of the .KEY file: “Generate RSA key, generate AES key, encrypt RSA key using AES key, encrypt AES key using public key embedded in executable, save both encrypted keys to [.KEY] file.”
For the user’s data files, the encryption routine is simpler and quicker. “Generate AES key, encrypt AES key with generated RSA key, encrypt file with AES key, save everything to file,” Wosar explained.
“To decrypt, you have to send them your .KEY file,” the expert added. “They can then use their private key, to decrypt the AES key used to encrypt the generated RSA key of your system and decrypt it. They probably embed the RSA key into their decrypter then, and send you back the decrypter. The decrypter can then use that RSA key to decrypt the embedded AES keys in the files and decrypt them with it.”
When the encryption process is complete, Spora runs a CLI command, which among other things deletes shadow volume copies, disables Windows Startup Repair, and changes BootStatusPolicy. As soon as the encryption process finishes, the ransomware will add a ransom note and the .KEY file to the user’s desktop and other folders. The note contains simple instructions and an infection ID, specific to each victim. This ID is also used for the ransom note filename in the form of [Infection-ID].HTML.
The infection ID is in the format of CCCXX-XXXXX-XXXXX-XXXXX-XXXXX or CCXXX-XXXXX-XXXXX-XXXXX-XXXXX, where CCC and CC are three and two-letter country codes, and X are alpha-numerical characters.
Presently, the Spora’s decryption portal is located at a publicly accessible front end domain of Spora.bz. In fact, this domain is a TOR gateway to a hidden TOR site that is not being publicly advertised.
Once the users access the website, they must enter the infection ID presented in their ransom note. This is their login ID for the Spora decryption service. Before using the site, users have to “synchronize” their computer with the decryption portal by uploading the .KEY file. By synchronizing the key file, unique information about the encryption of your computer is then uploaded to the payment site and associated with your unique id.
Now the victims can use the rest of the options available on the website. Everything on this portal is neatly arranged as a website dashboard, complete with helpful tooltips that appear when hovering over certain options.
Apart from the above-mentioned, among the unique features the ransomware has are the different purchases which can be made depending on the victims’ particular needs. These options are organized under the section named “MyPurchasings”, allowing users to:
Decrypt their files (currently $79)
Buy immunity from future Spora infections (currently $50)
Remove all Spora-related files after paying the ransom (currently $20)
Restore a file (currently $30)
Restore 2 files for free
