
Spora Ransomware

Posted: January 11, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 593
First Seen: January 11, 2017
Last Seen: February 27, 2023
OS(es) Affected: Windows


The Spora Ransomware is a Trojan that encrypts your files and redirects you to a ransom-processing portal to buy them back. Although its Web infrastructure is notably in-depth, the Spora Ransomware uses the same e-mail distribution exploits seen by past file-encrypting Trojans in other campaigns. Since this threat is unlikely ever to be vulnerable to third-party decryption, keep backups to eliminate any damages and use anti-malware products for removing the Spora Ransomware safely.

The Most Well-Designed Spore You Ever Saw

Ironically, it's in many threat authors' best interests to make the final phases of their attacks as pleasant and streamlined as possible for their victims. Victims with reader-friendly instructions on transferring ransom money to 'fix' their PCs may be more inclined to do so than those who merely receive an e-mail address and no other information. For both its actual attacks and its website services, the Spora Ransomware (or 'Spore' Ransomware, when translated from Russian) is a particularly well-done example of Trojan design.

In keeping with the cliché of its industry, the Spora Ransomware disguises its installers as invoice documents by using secondary extensions, and its threat actors target new victims with appropriately crafted spam e-mails. Opening the fake document (actually an HTA file) launches the Spora Ransomware, which distracts the victim by loading a corrupt Word document. It then proceeds to encrypt your local data, including anything accessible over local networks.

The encryption routine itself is notably intricate and occurs without any need for a network connection to a C&C server. Instead, the Spora Ransomware creates a KEY file that the victim uses later in the ransom payment process. 'Later' involves synchronizing the victim-specific KEY to a TOR gateway website that shows off the Spora Ransomware's Web panel, including features like:

  • A live chat window that lets victims speak with the threat actors for negotiation or help.
  • A range of ransom-paying options, including ones for restoring individual files or, in theory, giving yourself immunity to future Spora Ransomware attacks.
  • A transaction database and various time-tracking elements.

Most unusually, the Spora Ransomware also embeds additional information in its '.KEY' file regarding the attack. This extra data lets the threat actors adjust the prices on display at their website dynamically, according to the financial circumstances of the victim (such as charging more for a business employee, and less for a home PC user).

Waving a Cloud of Spores out of Your Files

The Spora Ransomware encrypts only a small list of widely-used formats, including ones associated with Microsoft Office, CD content, backups, pictures and ZIP archives. Unlike most of its competition, malware experts see no evidence that the Spora Ransomware modifies filenames, such as by appending a new extension to what it encrypts. The combination of AES and RSA encryption that the Spora Ransomware uses is one that malware experts currently rate as unbreakable. The threat actors do have a history of honoring their ransom agreements with real decryption assistance, although you should always attempt alternatives other than paying extortionists.
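Because the Trojan leaves filenames untouched, a detection that looks for a new extension finds nothing. A defender can instead check whether a file's leading bytes still match the signature its extension implies: an encrypted '.pdf' no longer starts with '%PDF'. The following is an added example written for this page, not code from the page or from any vendor tool; the signature table, the directory walk and the sample files in demo() are assumptions and constructed data.

```python
# Added example (not from the page): flag files whose header no longer matches the
# signature expected for their extension, which catches in-place encryption that
# keeps the original filename. The MAGIC table is an assumption covering a few
# common formats; OOXML documents and ZIP archives share the PK header.
from __future__ import annotations
import os
import tempfile

MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}


def header_matches(ext: str, head: bytes) -> bool | None:
    """True/False when the extension is in the table, None when it is unknown."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def find_mismatched_files(root: str) -> list[str]:
    """Walk root and return files whose first bytes contradict their extension.
    Empty files are skipped: they carry no header to compare."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            ext = os.path.splitext(n)[1]
            if ext.lower() not in MAGIC:
                continue
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as f:
                    head = f.read(16)
            except OSError:
                continue
            if head and header_matches(ext, head) is False:
                hits.append(path)
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sample tree: one intact PDF, one PDF whose content was replaced
    by opaque bytes (standing in for ciphertext), one file of an untracked type."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "intact.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n%constructed sample\n")
    with open(os.path.join(d, "overwritten.pdf"), "wb") as f:
        f.write(bytes(range(128, 192)))  # deterministic, not real Spora output
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"plain text, extension not in table")
    return [os.path.basename(p) for p in find_mismatched_files(d)]


if __name__ == "__main__":
    print(demo())
```

Run this against a share or user profile on a schedule and alert when the count of mismatches jumps; a single mismatch is often a mislabelled download, a burst across many document types is the signature of bulk in-place encryption. Formats without a stable header (plain text, CSV) cannot be checked this way.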

Current samples of the Spora Ransomware attacks all derive from Russian targets. However, the Trojan does track geographical data that could assist its campaign with expanding to other nations. As with any threat whose payload inflicts damage on your local content, stopping the installation routine should take priority. Display all extensions by default, when possible, and use anti-malware products to verify the safety of any attachments before you open them.
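The advice to display all extensions matters because of the 'invoice.pdf.hta' trick described earlier: with 'Hide extensions for known file types' enabled, Explorer drops the final extension and the attachment reads as a PDF. The check below is an added example written for this page, not code from the page or from any vendor tool; it scores attachment names the way a mail-gateway rule might, and the lists of executable and bait extensions are assumptions.

```python
# Added example (not from the page): flag attachment names that hide an executable
# or script type behind a document-looking secondary extension, the pattern the
# article describes. Both extension sets are assumptions, not an exhaustive list.
from __future__ import annotations
import os
from dataclasses import dataclass

# Final extensions Windows will run when double-clicked (assumed list).
EXECUTABLE_EXTS = {".hta", ".exe", ".js", ".jse", ".vbs", ".vbe",
                   ".wsf", ".scr", ".com", ".bat", ".cmd", ".ps1"}
# Document types an attacker places before the real extension as bait (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}


@dataclass
class Verdict:
    filename: str
    shown_as: str   # what Explorer shows when known extensions are hidden
    real_ext: str   # the extension that actually decides how Windows opens it
    suspicious: bool
    reason: str


def explorer_display_name(filename: str) -> str:
    """Name as shown with extensions hidden: only the last extension is dropped."""
    base, ext = os.path.splitext(filename)
    return base if ext else filename


def check_attachment(filename: str) -> Verdict:
    name = os.path.basename(filename.strip())
    base, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    bait_ext = os.path.splitext(base)[1].lower()
    shown = explorer_display_name(name)
    if real_ext in EXECUTABLE_EXTS and bait_ext in DOCUMENT_EXTS:
        return Verdict(name, shown, real_ext, True,
                       f"document-looking name that actually ends in {real_ext}")
    if real_ext in EXECUTABLE_EXTS:
        return Verdict(name, shown, real_ext, True,
                       f"attachment is an executable type {real_ext}")
    return Verdict(name, shown, real_ext, False, "no executable extension")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real campaign.
    for sample in ("Invoice_2017-01.pdf.hta", "Invoice_2017-01.pdf", "report.docx"):
        v = check_attachment(sample)
        print(f"{v.filename!r} shown as {v.shown_as!r}: suspicious={v.suspicious} ({v.reason})")
```

The `shown_as` field is the useful part for user training: it is exactly what the victim saw before double-clicking. Note that a padded name such as 'Invoice.pdf      .hta' still resolves to `.hta` here, because `os.path.splitext` keys on the last dot rather than on whitespace.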

The Spora Ransomware is clearly the work of a team with years of experience in UI design, social engineering, encryption methodology, and many of the other nuances of running a threat campaign. While it may be 'prettier' than the competition, it's also just as threatening as them, and, fortunately, containable by the same security protocols in use against old file-encrypting threats.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 177.07 KB (177077 bytes)
MD5: 69b0c8f0308dd268dfc22af86dea87f1
Detection count: 95
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 8, 2017

File name: file.exe
Size: 175.53 KB (175537 bytes)
MD5: 84396f618f3286277f1919d575ab4650
Detection count: 84
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 10, 2017

File name: file.exe
Size: 19.45 KB (19456 bytes)
MD5: 312445d2cca1cf82406af567596b9d8c
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 11, 2022

File name: name
Path: dir
Size: 114.68 KB (114688 bytes)
MD5: 0817d2e6f614d618527acd25057e8819
Detection count: 8
Group: Malware file
Last Updated: January 18, 2017

File name: file.exe
Size: 131.58 KB (131584 bytes)
MD5: 0e8cb01c48f5fd141b1f8e83c60dd67e
Detection count: 6
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 10, 2017
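The MD5 values above are the only machine-checkable indicators on this page. The scanner below is an added example, not code from the page or from any vendor tool: it hashes every regular file under a directory and reports those matching the listed digests. The hash set copies the page's values; the directory and files in demo() are constructed, and demo() adds the hash of its own sample file so the scan has something to hit.

```python
# Added example (not from the page): walk a directory, MD5 each file and report any
# whose digest appears in the indicator set. SPORA_MD5 is copied from the page's
# file table; everything in demo() is constructed and is not real malware.
from __future__ import annotations
import hashlib
import os
import tempfile

SPORA_MD5 = {
    "69b0c8f0308dd268dfc22af86dea87f1",
    "84396f618f3286277f1919d575ab4650",
    "312445d2cca1cf82406af567596b9d8c",
    "0817d2e6f614d618527acd25057e8819",
    "0e8cb01c48f5fd141b1f8e83c60dd67e",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_for_iocs(root: str, iocs: set[str]) -> dict[str, str]:
    """Map path -> digest for every regular file under root whose MD5 is in iocs."""
    wanted = {h.lower() for h in iocs}
    matches: dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if not os.path.isfile(p):
                continue
            try:
                digest = md5_file(p)
            except OSError:
                continue  # locked or unreadable; skip rather than abort the sweep
            if digest in wanted:
                matches[p] = digest
    return matches


def demo() -> list[str]:
    """Constructed tree with one file whose hash is deliberately added to the set."""
    d = tempfile.mkdtemp()
    bait = b"constructed sample, stands in for a flagged binary\n"
    with open(os.path.join(d, "file.exe"), "wb") as f:
        f.write(bait)
    with open(os.path.join(d, "clean.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    hits = scan_for_iocs(d, SPORA_MD5 | {md5_hex(bait)})
    return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    print(demo())
```

A hash match identifies only the exact samples catalogued here; a rebuilt or repacked binary produces a different digest, so treat a clean sweep as "none of these five samples present", not as "no Spora". The sizes in the table can be used as a cheap pre-filter before hashing when sweeping large volumes.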
