Security researchers have discovered a new ransomware campaign that not only gives back the encrypted files after payment of the ransom but also offers the victim immunity from future ransomware attacks. It is being distributed through spam emails that appear to be invoices and contain a ZIP file in which an HTML Application (HTA) file is stored. The file pretends to be a .DOC or .PDF file, so the victim takes it for a simple document and opens it. Once opened, the file extracts a JScript file into the %TEMP% folder, inserts an encoded script into it and runs the file.
This new ransomware has been named Spora, and researchers note that it is quite a sophisticated piece of malware, with well-implemented encryption, a very organized payment portal and numerous options for ransom payment. Usually ransomware offers just one package for a ransom payment, but Spora offers several: for example, a victim can choose to recover only the encrypted data, or to recover the data and also gain immunity from future ransomware attacks.
According to Emsisoft’s research team, it encrypts using the Windows CryptoAPI, and the encryption process combines RSA and AES keys. A public RSA key is embedded within the executable file, and its purpose is to create a fresh pair of 1024-bit RSA keys, one private and one public. To encrypt it, another 256-bit AES key is generated, which is used together with the embedded public RSA key and the information stored in a .KEY file.
As is apparent, the encryption process is quite complex, which is why researchers describe Spora as a powerful ransomware. It is also worth noting that Spora carries out encryption without relying on instructions from a command and control (C&C) server. Its encryption process is so strong that a decryption tool developed for one victim won’t help another victim of the same ransomware. That is why, at the moment, security researchers are unable to offer victims a particular remedy for restoring files without paying the ransom, since no single mechanism can work for all.
Spora’s pricing procedure is also quite distinct. The ransomware determines how much the victim needs to pay, and the .KEY file stores critical information about the victim and the machine, such as the date of infection, the username and the location of the system. This file also includes a campaign ID in the form of a hard-coded identifier, which suggests that Spora is being sold as ransomware-as-a-service.
By storing the data in the .KEY file as six numeric values, the malware is able to calculate the ransom amount; these values are also added to the user ID that the victim sends to the attackers in order to access the payment portal.
In total there are five 5-character blocks separated by hyphens, and if the last block is shorter than five characters it is “padded with Y-characters,” the researchers explain. This tactic makes it possible to track the number of files that Spora has encrypted.
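As an added example (not code from the article or from Emsisoft), a small Python helper that pulls identifiers in the five-block format described above out of ransom-note text and strips the Y padding, the kind of normalization a triage service collecting these IDs would do. The alphanumeric character set of the blocks and the sample note are assumptions.

```python
import re
from typing import List, Optional

# Assumption: blocks are upper-case alphanumeric; the article only gives the
# block length (5), the hyphen separator and the Y padding of the last block.
BLOCK = r"[A-Z0-9]{5}"
ID_PATTERN = re.compile(rf"\b{BLOCK}(?:-{BLOCK}){{4}}\b", re.IGNORECASE)


def parse_spora_id(candidate: str) -> Optional[dict]:
    """Validate one five-block identifier and strip the Y padding from its last block.

    Returns None when the shape does not match, so callers can reject stray strings.
    """
    blocks = candidate.strip().upper().split("-")
    if len(blocks) != 5 or any(len(b) != 5 or not b.isalnum() for b in blocks):
        return None
    # Caveat: a payload that genuinely ends in Y is indistinguishable from padding,
    # so 'padding' is an upper bound on the number of filler characters.
    last = blocks[4].rstrip("Y")
    return {
        "id": "-".join(blocks),
        "payload": "".join(blocks[:4]) + last,  # identifier with padding removed
        "padding": 5 - len(last),
    }


def extract_ids(note_text: str) -> List[dict]:
    """Pull every well-formed identifier out of ransom-note text, de-duplicated in order."""
    seen = set()
    found = []
    for match in ID_PATTERN.finditer(note_text):
        parsed = parse_spora_id(match.group(0))
        if parsed and parsed["id"] not in seen:
            seen.add(parsed["id"])
            found.append(parsed)
    return found


# Constructed sample note (not a real Spora note); the ID is invented for the demo.
SAMPLE_NOTE = """\
All your files have been encrypted.
Your ID: AB12C-DE34F-GH56J-KL78M-NP9YY
Enter the ID above on the payment portal. Your ID: AB12C-DE34F-GH56J-KL78M-NP9YY
"""

if __name__ == "__main__":
    for entry in extract_ids(SAMPLE_NOTE):
        print(entry)
```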
Never download files from an unknown email and never click on an unknown link.
“We are currently working together with help platforms like ID Ransomware and No More Ransom in an attempt to gather statistics based on the identifiers contained in uploaded ransom notes,” added Emsisoft’s research team.