There is now a new and particularly dangerous ransomware threat to deal with. Spora ransomware could well be the new Locky.

Locky and Samas ransomware have proved to be major headaches for IT departments. Both forms of ransomware have a host of innovative features designed to avoid detection, increase infections, and inflict maximum damage, leaving businesses with little alternative but pay the ransom demand.

However, there is now a new ransomware threat to deal with, and it could well be even bigger than Locky and Samas. Fortunately, the ransomware authors only appear to be targeting Russian users, but that is likely to change. While a Russian version has been used in attacks so far, an English language version has now been developed. Spora ransomware attacks will soon be a global problem.

A considerable amount of time and effort has gone into producing this particularly dangerous new ransomware variant and a decryptor is unlikely to be developed due to the way that the ransomware encrypts data.

In contrast to many new ransomware threats that rely on a Command and Control server to receive instructions, Spora ransomware is capable of encrypting files even if the user is offline. Shutting down Internet access will not prevent an infection. It is also not possible to block access to the C&C server to stop infection.

Ransomware variants have previously been developed that can encrypt without C&C communication, although unique decryption keys are not required. That means one key will unlock all infections. Spora ransomware on the other hand requires all victims to use a unique key to unlock the encryption.  A hard-coded RSA public key is used to generate a unique AES key for every user. That process occurs locally. The AES key is then used to encrypt the private key from a public/private RSA key pair generated for each victim, without C&C communications. The RSA key also encrypts the unique AES keys for each user. Without the key supplied by the attackers, it will not be possible to unlock the encryption.

This complex encryption process is only part of what makes Spora ransomware unique. In contrast to many other ransomware variants, the attackers have not set the ransom amount. This gives the attackers a degree of flexibility and importantly this process occurs automatically. Security researchers believe the degree of automation will see the ransomware offered on an affiliate model.

The flexibility allows businesses to be charged a different amount to an individual. The ransom set based on the extent of the infection and types of files that have been encrypted. Since Spora ransomware collects data on the user, when contact is made to pay the ransom, amounts could easily be adjusted.

When victims visit the attacker’s payment portal to pay the ransom, they must supply the key file that is created by the ransomware. The key files contains a range of data on the user, including details of the campaign used. The attackers can therefore carefully monitor infections and campaigns. Those campaigns that are effective and result in more payments can then be repeated. Less effective campaigns can be dropped.

Currently there are multiple payment options, including something quite different. Victims can pay to unlock the encryption, or pay extra to prevent future attacks, essentially being granted immunity.

Emisoft researchers who have analyzed Spora ransomware say it is far from a run of the mill variant that has been quickly thrown together. It is the work of a highly professional gang. The encryption process contains no flaws – uncommon for a new ransomware variant – the design of the HTML ransom demand and the payment portal is highly professional, and the payment portal also contains a chat option to allow communication with the attackers. This degree of professionalism only comes from extensive investment and considerable work. This threat is unlikely to go away soon. In fact, it could prove to be one of the biggest threats in 2017 and beyond.

Infection currently occurs via spam email containing malicious attachments or links. Currently the attachments appear to be PDF invoices, although they are HTA files containing JavaScript code. Preventing emails from being delivered is the best form of defense. Since no decryptor is available for Spora, a backup will be required to recover for the infection or the ransom will need to be paid.