Powerful “Spora” Ransomware Lets Victims Pay for Immunity

A newly spotted piece of ransomware allows victims not only to pay to recover their encrypted files, but also to pay for immunity from future attacks, Emsisoft security researchers warn.

Dubbed Spora, the new threat appears to be the work of professionals, courtesy of well-implemented encryption procedures, a well-designed payment site, and the availability of several “packages” that victims can pay for. Those hit by the malware can choose to recover files only or pay to remove the malware and gain immunity from future attacks.

For distribution, the ransomware uses spam emails that pretend to be invoices. These messages contain a ZIP attachment with an HTA (HTML Application) file inside, masquerading as a PDF or DOC. When run, the file extracts a JScript file in the %TEMP% folder, writes an encoded script into it, and then executes the file.
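The lure the article describes (a ZIP carrying an HTA that presents itself as a PDF or DOC) can be caught at the mail gateway by inspecting the entry names inside the archive without extracting anything. The following Go program is an added example, not code from SecurityWeek or Emsisoft; the page does not say how the HTA masquerades, so the example assumes the usual double-extension form such as invoice.pdf.hta, and the extension lists, the type names and the constructed sample archive are this example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Finding is one flagged entry inside an attachment (type name is this example's).
type Finding struct {
	Name   string
	Reason string
}

// scriptExts run as code when a user double-clicks them on Windows; HTA is the one
// the article reports, the others are common companions in the same lure style.
var scriptExts = map[string]bool{".hta": true, ".js": true, ".jse": true, ".vbs": true, ".wsf": true}

// lureExts are document types a script name may imitate, e.g. "invoice.pdf.hta".
var lureExts = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true}

// TriageZip lists the entry names of a ZIP attachment without extracting anything and
// flags script files, noting when the name also carries a document extension.
func TriageZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		name := path.Base(f.Name)
		lower := strings.ToLower(name)
		ext := path.Ext(lower)
		if !scriptExts[ext] {
			continue
		}
		reason := "script attachment (" + ext + ")"
		if inner := path.Ext(strings.TrimSuffix(lower, ext)); lureExts[inner] {
			reason = "script masquerading as document (" + inner + ext + ")"
		}
		findings = append(findings, Finding{Name: name, Reason: reason})
	}
	return findings, nil
}

// buildSampleZip creates an in-memory ZIP with constructed entry names and placeholder bodies.
func buildSampleZip(names []string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		fw, err := w.Create(n)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte("placeholder body, not real content")); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	data, err := buildSampleZip([]string{"Invoice_2017-01.pdf.hta", "readme.txt"})
	if err != nil {
		panic(err)
	}
	findings, err := TriageZip(data)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Name, f.Reason)
	}
}
```

The check deliberately reads only the central directory, so a gateway can apply it before any file is written to disk; a finding with the "masquerading" reason is the one worth quarantining outright.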

The ransomware leverages the Windows CryptoAPI for encryption and uses a mix of RSA and AES, Emsisoft reveals. The malware carries a public RSA key embedded in the executable. It then generates a new 1024-bit RSA key pair, consisting of a private and a public key, and encrypts this new key pair with a newly generated 256-bit AES key. The AES key is then encrypted with the embedded public RSA key, and the encrypted keys, along with some additional information, are saved in a .KEY file.

“To encrypt a document or file on the system, Spora will first generate a new 256 bit per-file AES key. This per-file key serves to encrypt up to the first 5 MB of the file. Once done, the malware will encrypt the per-file key using the victim’s public RSA key and the RSA-encrypted per-file key is appended to the encrypted file,” Emsisoft notes.

Because every key needed for encryption is generated locally and protected by the embedded public key, the ransomware can perform the encryption without a command and control (C&C) server connection. Moreover, because each infection gets its own key pair, a decryption tool developed for one victim won't work for another. This also means that security researchers analyzing the threat can't yet help victims restore their files for free, at least not without access to the malware author's private key.
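To see why no universal decryptor is possible, it helps to model the key hierarchy the three paragraphs above describe. The following Go program is an added example, not Emsisoft's analysis code and not anything taken from the malware; it uses Go's crypto packages rather than Windows CryptoAPI, 2048-bit RSA instead of the reported 1024, AES-GCM (the article only says AES), encrypts whole blobs rather than only the first 5 MB, and never touches the filesystem. All function names are this example's. It shows that both layers are the same hybrid construction, and that a per-file key unwraps only with the matching per-infection private key, which itself unwraps only with the master private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// randBytes panics on entropy failure; a key generator has no sensible fallback.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD builds AES-256-GCM (the article names AES; GCM is this example's choice).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridSeal is the construction both layers share: encrypt data under a fresh AES-256
// key, then append that key wrapped with RSA-OAEP. Layout: nonce || ciphertext || RSA-OAEP(pub, aesKey).
func hybridSeal(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	key := randBytes(32)
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(g.NonceSize())
	sealed := g.Seal(nonce, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(sealed, wrapped...), nil
}

// hybridOpen reverses hybridSeal and fails unless priv is the pair of the pub used to seal.
func hybridOpen(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	ks := priv.Size()
	if len(blob) < ks {
		return nil, fmt.Errorf("blob shorter than the wrapped key")
	}
	body, wrapped := blob[:len(blob)-ks], blob[len(blob)-ks:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(body) < g.NonceSize() {
		return nil, fmt.Errorf("body shorter than the nonce")
	}
	return g.Open(nil, body[:g.NonceSize()], body[g.NonceSize():], nil)
}

// NewVictimKeys generates the per-infection key pair (2048-bit here; the article reports 1024)
// and returns its public key plus the .KEY material: the private key wrapped under the master public key.
func NewVictimKeys(masterPub *rsa.PublicKey) (*rsa.PublicKey, []byte, error) {
	victim, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	keyFile, err := hybridSeal(masterPub, x509.MarshalPKCS1PrivateKey(victim))
	if err != nil {
		return nil, nil, err
	}
	return &victim.PublicKey, keyFile, nil
}

// UnwrapVictimKey is the one step that needs the master private key, which never leaves the operator.
func UnwrapVictimKey(masterPriv *rsa.PrivateKey, keyFile []byte) (*rsa.PrivateKey, error) {
	der, err := hybridOpen(masterPriv, keyFile)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	master, _ := rsa.GenerateKey(rand.Reader, 2048) // stays with the operator
	victimPub, keyFile, _ := NewVictimKeys(&master.PublicKey)
	blob, _ := hybridSeal(victimPub, []byte("constructed sample document")) // per-file layer
	priv, _ := UnwrapVictimKey(master, keyFile)
	plain, err := hybridOpen(priv, blob)
	fmt.Printf("%q %v\n", plain, err)
}
```

Two practical readings for responders follow from the model. The .KEY material is the only thing that can lead back to the per-infection private key, so it must be preserved alongside the encrypted files rather than cleaned up. And RSA-OAEP with a 2048-bit key carries at most 190 bytes, far less than a serialized private key, which is why the intermediate AES key exists at all.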

In addition to using a well-designed encryption procedure, the ransomware also comes with a unique pricing model to determine how much a victim has to pay, the security researchers warn. The aforementioned .KEY file contains information such as the infection date, the username of the victim, and the locale of the infected system. A hard-coded identifier believed to be used as a campaign ID is also included in the file, which suggests that the threat is sold as a ransomware-as-a-service.

By compiling statistics on the files it encrypts and saving them to the .KEY file as a set of six numeric values, the malware can also determine the ransom amount. The tactic was previously associated with targeted attacks via RDP (Remote Desktop Protocol), but Spora fully automates it. The same statistics are also encoded in the user ID that the victim is asked to send to the attackers when accessing the payment portal.


The ID usually contains five five-character blocks, separated by hyphens. “If the last block doesn’t add up to 5 characters, it is padded with Y-characters. Based on this, it is possible to track the number of files encrypted by Spora based on the ID alone. We are currently working together with help platforms like ID Ransomware and No More Ransom in an attempt to gather statistics based on the identifiers contained in uploaded ransom notes,” the security researchers explain.
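A help platform that ingests ransom notes needs to recognise this identifier shape and strip the padding before it can count files or group victims. The following Go functions are an added example, not ID Ransomware's, No More Ransom's or Emsisoft's code. The hyphen-separated five-by-five layout and the Y padding come from the quote above; the block alphabet (upper-case letters and digits), the type and function names, and the sample note text are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// idPattern matches the shape the article describes: five five-character blocks joined
// by hyphens. The block alphabet is this example's assumption; the page does not state it.
var idPattern = regexp.MustCompile(`\b[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}\b`)

// VictimID is a parsed identifier (type and field names are this example's).
type VictimID struct {
	Blocks  [5]string // the five blocks, with padding removed from the last one
	Padding int       // number of trailing Y characters stripped from the last block
}

// ParseVictimID validates id against the pattern and strips Y padding from the last
// block. A genuine trailing Y in the data cannot be told apart from padding by shape
// alone, so callers should treat Padding as an upper bound.
func ParseVictimID(id string) (VictimID, bool) {
	var v VictimID
	id = strings.TrimSpace(id)
	if len(id) != 29 || !idPattern.MatchString(id) {
		return v, false
	}
	copy(v.Blocks[:], strings.Split(id, "-"))
	last := strings.TrimRight(v.Blocks[4], "Y")
	v.Padding = len(v.Blocks[4]) - len(last)
	v.Blocks[4] = last
	return v, true
}

// ExtractVictimIDs pulls every identifier of the right shape out of ransom-note text,
// which is how a help platform can count and group uploaded notes.
func ExtractVictimIDs(note string) []VictimID {
	var out []VictimID
	for _, m := range idPattern.FindAllString(note, -1) {
		if v, ok := ParseVictimID(m); ok {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	// Constructed sample note text; the identifier is made up for this example.
	note := "All your files are encrypted. Your ID: AB12C-DE34F-GH56I-JK78L-MNYYY\n"
	for _, v := range ExtractVictimIDs(note) {
		fmt.Printf("blocks=%v padding=%d\n", v.Blocks, v.Padding)
	}
}
```

The length check in ParseVictimID keeps a longer string with a valid 29-character substring from being accepted as an identifier; ExtractVictimIDs is where substring matching is wanted, since a note carries the ID inside surrounding text.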

The ransomware encrypts both local files and network shares and doesn’t append an extension to them. What’s more, the threat skips files located in specific directories, so as to ensure that the infected machine continues to run. After encryption, the malware drops “a nicely designed HTML-based ransom note” and a .KEY file, which the victim is required to send to the attackers for decryption.

Related: FireCrypt Ransomware Packs DDoS Code

Related: Ransomware Campaign Targets HR Departments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
