Spora Ransomware : Works Offline & Equipped with Sophisticated Payment Portal


Spora Ransomware is an advanced encryption virus which shows that ransom developers performing attacks professionally. It includes an extensive ransom notification which support for multiple languages, free decryption of two files, double encryption and a victim-friendly payment website. Spora comes from the Russian word ‘Spore’, which relies on bogus invoice emails for its distribution. These emails bear ZIP files which contains HTA (HTML Application) files as an attachment.

However, users might not realize it. This is just because the HTA files uses double extensions such as ‘DOC.HTA’ and ‘PDF.HTA’, which means that users might only notice the first extension. Clicking on those HTA files launches Spora Ransomware. According to the malware researchers, when a user runs HTA files, then it will extract a malicious JavaScript file named ‘close.js’ onto the %Temp% folder, which then extract an executable file onto the same folder and executes it. The executable generally uses a random generated name. This executable file is the main encryptor and will begin to encode the files and data stored on the infected system.

Spora Ransomware

The Spora Ransomware’s encryption algorithm is more sophisticated than that of most other crypto-malware infections. In order to create an encryption key, the Spora Ransomware creates a ‘.KEY’ file by using RSA, AES and a public key embedded into the executable. The ‘.KEY’ file is quite essential for the victims who wish to decode their files encrypted by the nasty ransomware virus. While the malware encrypts the files with one of 22 different types of file extensions on both local system and the network shares. In addition, it extracts and executes a DOCX files which leads the computer users to believe that something went wrong when they’re attempted to open the attached file of email.

Spora Ransomware

Then after, Spora Ransomware will display a ransom notification containing an unique infection identifier and ‘.KEY’ file onto the users’ desktop. If the compromised PC users decides to decrypt their vital files by following the instructions shown on ransom note, then they will first need to enter their infection identifier into the login page for hidden TOR website. Once they successfully enter their ID, the victimized system users will then need to upload their ‘.KEY’ file in order to synchronize their systems’ infection with the payment portal. The hackers service needs that information to generate a dashboard that the victim can use to recover some or all of their encoded computer files, purchase the immunity to future Spora Ransomware infections, remove this ransomware virus from their machine and many more. Victims can even use the web portal to ask Spora’s operators up to 5 questions.

Spora Ransomware

At the time of writing this security article, the Spora Ransomware virus is targeting only the Russian computer users. However, it could be change in the near future. Due to this, PC users should protect themselves by avoid clicking on suspicious links, intrusive advertisements, visited hacked or infected sites and opening spam email attachments. Also, few other best prevention tips is to maintain an up-to-date anti-malware program onto their machine, regularly updating their system and installed apps with their latest versions. Most importantly, always make sure to back up stored data and files constantly, that will help you for file restoration after the ransomware attack.

Posted in Latest News. Tagged with , , , , , .

Leave a Reply

Your email address will not be published. Required fields are marked *