Blog

Quick Heal Security Labs
Beware of Spora – a professionally designed ransomware
February 1, 2017

spora_ransomware_

Spora is a recent addition to the ransomware family that Quick Heal Lab has come across.  It is a file encryptor ransomware that encrypts a user’s files with strong encryption algorithm and demands a ransom. Spora is launched with a good infection routine, the capability to work offline, well-designed and managed payment portal dashboard, decryption key purchase options.

Infection Vector
Spora is delivered to the victim via spam emails containing a malicious .ZIP file as an attachment. This .ZIP file contains an HTML Application (‘.HTA’) file that pretends to be an invoice in .PDF or .DOC format, wearing double extensions to those files (e.g. <file_name>.pdf.HTA). As ‘Hide extensions for known file types’ option is marked checked by default in many systems, it increases the chances of getting trapped in opening an .HTA file by mistaking it for harmless file types.

Infection Routine
Spora has a multistage infection behavior. When a malicious .HTA file is executed, it drops and executes the below files into the system using VBScript program:

  • ‘%Temp%\close.js’
  • ‘%Temp%\doc_6d518e.docx’

close.js file further drops and runs this executable file – ‘%Temp%\<Random_Alpha_Numeric_Characters>.exe’
• It is actually a file encryptor component that performs file encryption.
• doc_6d518e.docx is a corrupt file that is intentionally dropped and opened to keep the victim busy in viewing it while files are getting encrypted in the background.

spora1Figure 1. Corrupt document to fool a victim

Spora was not found appending any extension to the encrypted files. When encryption is over, a ransom note is displayed (shown below), highlighting the uniquely generated ‘Infection ID’ and basic instructions.

spora2Figure 2. Spora ransom note with an infection ID

A .KEY file is dropped on the desktop, containing information about ‘encrypted-encryption keys’ used to encrypt files. In order for the victim to get complete access to the payment portal, they need to upload .KEY file to the portal to synchronize the infected computer with the payment portal. To do so, the below panel is provided.

spora3Figure 3. Key upload panel on Spora payment portal

Once synchronized, the victim can choose from a number of purchase options available on a ‘My Purchase’ section of the portal.

spora4Figure 4. Decryptor purchase options

FULL RESTORE – With this, the user can have all their encrypted data restored.

IMMUNITY – With this, the user can buy immunity against future Spora attacks.

REMOVAL – With this, the user can have the Spora malware completely removed from their computer.

FILE RESTORE – Offers two options; decrypt two files for free or decrypt a selection of files for $30.

As you can see, Spora offers the victim with a variety of options to take care of the situation. For instance, a victim might be less likely to pay the ransom because they know they have safely backed up their data. However, they would still want to have the malware removed from the system – which gives the ‘Removal’ option.

Quick Heal Detection
Quick Heal antivirus successfully prevents Spora infections at multiple stages.

Quick Heal Email Protection successfully prevents download of the malicious .ZIP attachment which is the first stage of the infection.

spora5Figure 5. Quick Heal Email Protection

As shown in the image above, the malicious .HTA file has been successfully detected as ‘JS.Nemucod.BJF’ and deleted thereafter.

Quick Heal Anti-ransomware protection successfully detects potential file encryption activities and alerts the user

spora6Figure 6. Quick Heal Anti-Ransomware alert

Quick Heal Behavior Detection System successfully detects malicious activities and alerts the user

spora7Figure 7. Quick Heal Behavior Detection System alert

Conclusion
It is not hard to guess that the creators of Spora have taken their time in developing this ransomware to make it effective, and professional at the same time.

A nicely designed decryptor portal dashboard, synchronization between the portal and infected system using a .KEY file, and multiple purchase option for decryption signify how attackers are using complex tactics in creating ransomware.

How to stay safe against such ransomware attacks

  • Never download attachments that arrive in emails from unknown or unexpected sources.
  • Take regular backups of your files. Remember to disconnect the Internet when you are backing up on a hard drive. Unplug the drive before you go online again.
  • Apply all recommended security updates (patches) to your Operating System, and programs like Adobe, Java, web browsers, etc.
  • Install an antivirus software that offers several layers of security. More importantly, keep the software up-to-date.

 

Acknowledgment

Subject Matter Expert –

Prashil Moon (Threat Research and Response Team)

SHARE THIS STORY

Ransomware, spora

Have something to add to this story? Share it in the comments.

Quick Heal Security Labs
About Quick Heal Security Labs
Quick Heal Security Labs is a leading source of threat research, threat intelligence, and cybersecurity. It analyzes data fetched from millions of Quick Heal...
Articles by Quick Heal Security Labs »

3 Comments

Your email address will not be published.

CAPTCHA Image

  1. Onil SonawaniFebruary 2, 2017 at 3:04 PM

    Hi ,
    Nice blog.
    Ransom note shown in blog is in Russian.
    Is any English version available for ransom note ?

    Reply
  2. CalvinPettawayFebruary 7, 2017 at 1:20 PM

    this site was helpful

    Reply
  3. thanks for sharing such nice information related to ransomware.
    Regards
    Rajiv Kadam.

    Reply