How does it appear ?
Spora’s very first victims, in Russia early this year, found that this latest ransomware is highly sophisticated, in terms of both technology and marketing. It heralds the dawn of a new generation of ransomware. And because the website to which victims are directed, run by the cybercriminals behind Spora, is available in English, this suggests that an attack in Europe is imminent.
How does it spread?
Spora is currently spread via email, but it stands to reason that it will soon be infecting devices via websites and advertising banners too.
So far, Spora has been infecting victims through an email attachment purportedly sent from a known service provider.
The attachment, masquerading as a PDF file named “Scan_<today's date> 2017”, turns out to be an HTA file hidden behind a double extension.
In fact, the file is an HTML-based application.
In all likelihood, the virus will spread across Europe by usurping the identity of known suppliers such as telecoms operators, cable/satellite TV providers, or utility companies (water, electricity, etc.).
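As an added illustration of the double-extension trick described above (example code, not from the original article), this Python triage routine flags attachment names whose final extension is executable behind a document-looking one, and names matching the “Scan_<date> 2017” lure; the date layouts it accepts are an assumption.

```python
import re

# Extensions Windows will execute as code even when a document-style
# extension precedes them (Spora hid an .hta behind a .pdf-looking name).
SCRIPT_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "exe", "scr", "cmd", "bat"}
# Extensions a user expects to open harmlessly.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# The lure name "Scan_<today's date> 2017"; the accepted date layouts are assumed.
SCAN_LURE = re.compile(r"^scan_[\d._-]+\s*2017", re.IGNORECASE)


def classify_attachment(name: str) -> dict:
    """Return a verdict (block/review/allow) and the reasons for one filename."""
    parts = name.strip().lower().rsplit(".", 2)  # stem plus up to two extensions
    reasons = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) == 3 and parts[-2] in DOCUMENT_EXTS:
            # Explorer hides known extensions by default, so the user sees only .pdf
            reasons.append(f"double extension masquerading as .{parts[-2]}")
    if SCAN_LURE.match(name.strip()):
        reasons.append("matches the Spora 'Scan_<date> 2017' lure name")
    if any(r.startswith("executable") for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": name, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real campaign.
    for sample in ["Scan_12.01 2017.pdf.hta", "Scan_2017-01-12 2017.pdf",
                   "invoice.pdf", "photo.jpg.js"]:
        print(classify_attachment(sample))
```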
How does it work? A hidden ploy
When the victim opens the attachment, the HTA writes a new file called close.js into the %TEMP% folder. This file holds an encrypted script which, once decrypted, runs as JScript. The script is encrypted and obfuscated with CryptoJS, so it is impossible to detect. The JScript injector then tries to open and execute both dropped files before exiting.
The first document is a file containing invalid data that causes a Notepad or Word error whenever the victim tries to open it. This could simply be a ploy intended to convince the victim that the attachment was corrupted during transit and to divert attention from the virus itself, giving it enough time to encrypt all the files on the victim’s device.
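As an added example, not part of the original article, this Python detection logic runs over constructed Sysmon-style FileCreate log lines and flags a script host writing a .js or similar file into the user's %TEMP% folder, the close.js drop described above; it assumes the HTA attachment runs under mshta.exe (the Windows HTA host) and that the log uses the key=value layout shown.

```python
import ntpath
import re

# Constructed Sysmon-style FileCreate (Event ID 11) lines, not real telemetry.
SAMPLE_LOG = [
    r"EventID=11 Image=C:\Windows\System32\mshta.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\close.js",
    r"EventID=11 Image=C:\Program Files\Office\WINWORD.EXE TargetFilename=C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp",
    r"EventID=11 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\Users\bob\Downloads\notes.txt",
    r"EventID=1 Image=C:\Windows\System32\mshta.exe CommandLine=...",
]

# Hosts that execute HTA/JScript/VBScript content, and the script types they run.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".hta", ".wsf"}
# key=value pairs; values may contain spaces, so stop only before the next " key=".
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of fields."""
    return dict(FIELD.findall(line))


def is_temp_script_drop(ev: dict) -> bool:
    """True when a script host creates a script file under the user's %TEMP%."""
    if ev.get("EventID") != "11":
        return False
    host = ntpath.basename(ev.get("Image", "")).lower()
    target = ev.get("TargetFilename", "")
    in_temp = "\\appdata\\local\\temp\\" in target.lower()
    ext = ntpath.splitext(target)[1].lower()
    return host in SCRIPT_HOSTS and in_temp and ext in SCRIPT_EXTS


def scan(lines: list) -> list:
    """Return the basenames of dropped script files found in the log lines."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_temp_script_drop(ev):
            hits.append(ntpath.basename(ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```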
Spora is written in C and packed with UPX. Unlike earlier ransomware, Spora does not rename the encrypted files and does not add an extension to them.
Once the system has been compromised, the ransom demand appears on screen as an HTM file. The ransom demand is currently written in Russian. It carries a large button showing the victim’s ID; clicking on it takes the victim to the cybercriminals’ website.
A highly sophisticated virus
The first version of Spora uses cutting-edge encryption methods, suggesting that the virus is deliberately designed to be difficult to crack.
The ransomware is fully autonomous. It can encrypt the files on a device without a connection to a remote server or any other form of remote control (which could potentially fail or be shut down), meaning it works behind a firewall.
This also means that the cybercriminals’ public key cannot be used to decrypt the infected files, so victims who have paid the ransom cannot pass the decryption codes on to other victims.
Clever marketing to optimise revenue
The interface is as well designed as an e-commerce website. The initial ransom amount is relatively low, but this is simply a loss-leader price intended to lure victims into the trap and push them to pay more for other “services”, such as restoring their encrypted files, deleting the ransomware from their PC, or removing their email address from future campaigns. There is a messaging system through which victims can communicate with their captors. The criminals tend to respond quickly, suggesting that this is a highly organised criminal ring.
Ransom amounts that vary according to the target
Spora uses a unique pricing model to determine how much the victim should pay, based on the characteristics of the campaign and of the infected files. The ransom amount is calculated from a statistical database, which is available to members of the community who wish to spread the virus. The evidence points to Spora being RaaS (“Ransomware as a Service”), distributed along the same lines as affiliate platforms.
How can you protect yourself?
- Install a professional antivirus solution and make sure it is updated.
- Install ad-blocking software on business workstations.
- Perform full, regular back-ups of all your systems and data (workstations, servers and laptops) and retain at least three versions of each backed-up document. Remember: external hard drives are not a reliable back-up method, since they can be encrypted by ransomware. Instead, choose a professional back-up device.
What should you do if attacked?
- If you believe your workstation is infected (Notepad or Word error when you try to open an attachment, antivirus alert, sluggish system or unusual behaviour), immediately switch off your PC and disconnect it from the network.
- Perform a full restore of your workstation (system image and data), from a known good back-up (version prior to the virus infection date).
- Change your workstation’s password, choosing a password containing at least 8 characters (letters, numbers and special characters).
Notify the relevant authorities. Not only will this help to determine the scale of the damage caused, but it will also protect you from potential liability if you are prosecuted by a third party.
You should also report the matter to the police, ideally at the police station in the town or city where the crime was committed. This report will be used as evidence if you are subsequently pursued for damages.