A new ransomware variant – Spora ransomware – has been identified by Emisoft which features a new twist. Victims have a wide range of their files encrypted as with other forms of file-encrypting malware, but they are given the option of preventing future ransomware attacks if they pay up.
The attackers would not be able to prevent attacks performed by other gangs – with other ransomware variants – although if the attackers can be believed, victims would only be attacked with Spora once. That is, if they choose the more expensive option of ‘Spora immunity’ rather than just paying to unlock the encryption.
The bad news for the victims is that payment will be required to unlock the infection if a viable backup of data does not exist. At present, there is no decryptor for Spora.
Emisoft reports that the encryption used is particularly strong, and even if a decryptor was developed, it would only be effective against a single user due to the complex method of encryption used – a combination of AES and RSA keys using the Windows CryptoAPI.
In contrast to many ransomware variants that communicate with a command and control server, Spora ransomware does not receive any C&C instructions. This means that files can be encrypted even if the computer has no Internet connection.
The authors have also not set a fixed ransom amount, as this depend on the ‘value’ of the encrypted data. The ransom payment will be set based on who the user is and the files that have been encrypted. Before files are encrypted, a check is performed to see who has been infected. Encrypted files are sorted based on extension type and the information is combined into the .KEY file along with information about the user. The .key file must be supplied in the payment portal. An HTML file is also created on the desktop with details of how payment can be made.
The ransomware is being spread via spam email. Infection occurs when an email recipient opens the infected attachment. The attached file appears to be a genuine PDF invoice, although it includes a double file extension which masks the fact it is actually a .HTA file. Infection occurs via JScript and VBScript contained in the file.
Opening the file launches a Wordpad file which displays an error message saying the file is invalid. In the background, the ransomware will be encrypting data.
Emisoft reports that the ransomware is slick and appears highly professional. Typically, the first versions of ransomware invariably contain multiple flaws that allow decryptors to be developed. In this case, there appear to be none. Spora ransomware also tracks infections via different campaigns. The information will likely be used to determine the effectiveness of different campaigns and could be used to direct future attacks.
The slick design of the HTML ransom note and the payment portal show considerable work has gone into the creation of this new ransomware. Emisoft suggests that Spora ransomware has been developed specifically for the ransomware-as-a-service market.
Prevention remains the best defense. Since Spora ransomware is spread via spam email, blocking malicious messages is the best defense against infection, while recovery will only be possible by paying the ransom demand or restoring data from a backup.