Spora is a relatively new ransomware, but there are signs which indicate that it could become a major player in the underground ransomware market, according to various reports.
There are currently hundreds of ransomware variants being used by cybercriminals, but only a handful are backed by major criminal syndicates that have the funding to write robust malicious code and the infrastructure to support global extortion efforts. These groups are behind some of the biggest names in ransomware like Locky, CryptoLocker and TeslaCrypt. Spora is not there yet, but it’s certainly on its way.
A strong build
The first thing that sets Spora apart from a large number of homegrown ransomware variants is its encryption capabilities. Spora utilizes offline encryption to avoid detection and is capable of performing the encryption using a unique key set without communicating with a command and control server. This is not a brand new technique. It’s been used successfully in the past by both Cerber and Locky. Spora differs in that it encrypts each file with a distinct key, then file keys are encrypted with an AES key unique to the victim.
Second, Spora has a very well designed website with a professional look and feel. It has an easy to use interface consisting of a clean dashboard with colorful icons, tool tips and a live support chat that delivers quick responses to inquiries, according to security researchers.
One very interesting feature of Spora is that it offers victims a menu of options for retrieving some or all of their files as well as protection services. They allow users to decrypt two files free as an act of good faith and to demonstrate their ability to decrypt the data. Other options include decrypting several files for $30, removing the ransomware for $20, protecting against further infections of Spora for $50, and a full restore for $120. However, it should be noted that these prices may change. Spora uses identifying information provided by victims when they connect to the payment website to dynamically generate prices. The cybercriminal behind Spore likely charge more for businesses or for those in different regions. Even with its dynamic prices, Spora is priced much lower than other ransomware, a strategy that was likely designed to build up their reputation.
Despite these strengths, Spora has some significant weaknesses. The ransomware does not yet have a way to bypass the UAC, a feature in Microsoft Windows that prevents programs from running with escalated privileges. A UAC warning message appears when Spora executes and victims must allow the program to run. Spora also launches a command prompt to delete volume shadow copies and the command prompt is displayed on the screen for the victim to see.
At the moment, Spora is limited to Russian-speaking countries. The attackers behind this ransomware appear to be organized and professional so it is likely that the next version of Spora will address its current deficiencies and target a much larger audience. Prepare yourself by backing up your data and by validating that your backups can be restored.