Spora

Spora targets Windows OS and is distributed through spam email. It is written in the C programming language and packed using the UPX executable packer. As of January 10, 2017, Spora is only affecting Russian users and masquerading as an invoice from 1C, a Russian accounting software company. The file attempts to trick the user into believing it is a PDF file when it is actually an HTA file. If opened, the HTA file creates a new JavaScript file in the %TEMP% folder, writes encoded script into it, and then executes it. The JavaScript file is both encrypted and obfuscated to evade detection and hide the malware executable. Spora also drops two more files into the %TEMP% folder: doc_6d518e.docx and 81063163ded.exe. The first file, when opened, generates an error message for the victim to divert attention away from the ransomware executable component. Spora uses both RSA and AES and does not append any extension to, or rename, encrypted files. It does drop an HTML-based ransom note and a .KEY file that are named with the User ID that the malware assigns to the victim. The ransom payment amount varies based on what choice the victim makes on the attacker’s website, which is designed to look like a standard e-commerce site. Choices include decrypting files, buying immunity from future Spora infections, removing all Spora-related files after paying the ransom, restoring a single file, or restoring two files for free. Payments are only accepted in Bitcoin, and the price is adjusted by the attacker based on the type of victim infected and the types of files encrypted.
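As an added defender-side example (not from the original profile or from any vendor tooling), the check below scans a directory listing for the host artifacts described above: the two dropped file names, an HTML ransom note paired with a .KEY file sharing the same User ID base name, and a PDF-looking attachment that is really an HTA. The sample listing, the User ID value and the file name invoice.pdf.hta are constructed for illustration.

```python
import os
import re
from typing import Dict, Iterable, List

# Dropped-file names quoted in the profile above.
SPORA_DROPPED_FILES = {"doc_6d518e.docx", "81063163ded.exe"}

# Constructed sample %TEMP% listing; the User ID "RU123-ABCDE-XYZ" is made up.
SAMPLE_TEMP_LISTING = [
    "doc_6d518e.docx",
    "81063163ded.exe",
    "a7b2c9.js",
    "RU123-ABCDE-XYZ.html",  # constructed ransom-note name carrying the User ID
    "RU123-ABCDE-XYZ.KEY",   # constructed .KEY file with the same User ID
    "notes.txt",
]


def split_name(name: str):
    """Return (base, lower-cased extension) so .KEY and .key compare equal."""
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def looks_like_pdf_disguised_hta(name: str) -> bool:
    """Flag attachments such as invoice.pdf.hta that present as PDF but run as HTA."""
    return bool(re.search(r"\.pdf\.hta$", name, re.IGNORECASE))


def find_spora_indicators(listing: Iterable[str]) -> Dict[str, List[str]]:
    """Collect Spora host indicators from an iterable of file names."""
    findings: Dict[str, List[str]] = {
        "dropped_files": [], "note_key_pairs": [], "disguised_hta": []}
    exts_by_base: Dict[str, set] = {}
    for name in listing:
        if name in SPORA_DROPPED_FILES:
            findings["dropped_files"].append(name)
        if looks_like_pdf_disguised_hta(name):
            findings["disguised_hta"].append(name)
        base, ext = split_name(name)
        exts_by_base.setdefault(base, set()).add(ext)
    # A ransom note (.html/.htm) and a .KEY file sharing one base name is the
    # User-ID naming pattern the profile describes.
    for base, exts in exts_by_base.items():
        if ".key" in exts and exts & {".html", ".htm"}:
            findings["note_key_pairs"].append(base)
    return findings


if __name__ == "__main__":
    print(find_spora_indicators(SAMPLE_TEMP_LISTING))
```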

UPDATE 1/24/2017: Security researchers have discovered that the Spora campaign is no longer solely targeting Russians and is now targeting computer users worldwide. Also, in addition to spam emails, Spora is now being distributed by RIG-v exploit kits.

UPDATE 1/31/2017: Spora is now being distributed through a fake Chrome Font Update alert that displays on hacked websites hosting malicious JavaScript code. The alert leads victims to believe that they will be unable to view the website’s content unless they download the font update executable file, named Update.exe. It is important to note that merely downloading the file will not execute the ransomware. The victim must manually double-click on the file and install it to become infected. This attack is reportedly associated with the EITest malware campaign.

  • Emsisoft provides more information about Spora here.
  • Bleeping Computer provides additional IoCs from Spora here.
  • The NJCCIC is not currently aware of any free decryption tools available for Spora.