Spora and the Future of Ransomware

Note: This is blog 2 of 4 in our ransomware series.

The first article in this series, “What Is Ransomware?” took a look at this latest form of cyberattack that the FBI is warning could cost victims more than $1 billion this year.

Ransomware, already a serious problem, worsened with Spora. A highly sophisticated form of Russian ransomware—Spora—released in January 2017 and within weeks spread from former Soviet republics to the rest of the world. Here’s a look at Spora, why it’s considered such a threat, and who’s at risk from this new form of cyberattack.

What is Spora?

Named from the Russian word for “spore,” Spora is a new family of ransomware that typically spreads through email spam. It arrives in the form of an email resembling an invoice. The email includes a ZIP file attachment with an executable file containing an HTA extension. The extension appears as a double extension such as PDF.HTA or DOC.HTA. For users with file extensions hidden, this makes the attachment look like a normal file.

Clicking on the file extracts a Javascript file named close.js to the user’s %Temp% folder. The folder then extracts an executable file to the same folder and runs it. The executable file uses a randomly generated name and begins to encrypt certain file types on the affected device. The file also extracts and runs a corrupted DOCX file, which displays an error message, tricking users into thinking the file has been damaged during the email process. Spora does this offline, so it doesn’t alert the user with any detectable network traffic.

After finishing encryption, Spora runs a CLI command to delete shadow volume copies, which are normally used to help restore files. It also disables Windows Startup Repair and changes the BootStatusPolicy settings, both normally used for the file recovery process.

When finished, Spora places a .KEY file on the user’s desktop and in other folders and displays a ransom note. To decrypt their files, the user must go to Spora’s online payment portal. On the payment portal site, the user must first enter their infection ID code to log in. They must then upload their .KEY file to synchronize their device with Spora’s site. Victims can choose from a number of ransom options with different price points, ranging from a freeware option to restore two files for free to a full restore, which is the most expensive option.

Fees are scaled based on the types of files the device contains, so that the attacker can charge more for computers containing business files or design files. Payments are accepted only in bitcoin. A chat box allows the visitor to send up to five messages requesting technical assistance. After paying, the victim receives a decrypter they can use to unlock their files.

The threat posed by Spora

Spora is more sophisticated than previous ransomware. Its use of a hidden file extension to infiltrate the user’s system, along with its online operation make it harder to detect. It uses a top-notch encryption program. Its payment portal is more advanced than any experts have seen so far, indicating the level of sophistication of today’s top cybercriminals. Finally, Spora is now being distributed through exploit kits and spam campaign tracking ID options, indicating that its creators are renting it out as ransomware-as-a-service to other criminals—a disturbing sign of an emerging trend.

Who is especially at risk?

The most at-risk users are those who are careless about opening emails and email attachments from suspicious senders. Users also expose themselves to greater risk if they don’t stay current on the latest versions of their operating systems, applications, security patches and antivirus updates. Users who don’t back up their files are also at risk.

Spora represents a new level of threat as far as its attack entry method, encryption strength and payment portal. The release of Spora raises the need for ransomware security to a new level of urgency.

Look for part 3 in our ransomware series, Ransomware Prevention for Small Business Owners, next Tuesday. Until then, check out how Mozy by Dell can help you prevent a ransomware disaster. In addition, the following documents discuss how to protect your important data from ransomware:

   •     Ransomware: Frequently Asked Questions

   •     Preventing a Ransomware Disaster