The Spora ransomware is a new and very dangerous virus that has been used in several large-scale attack campaigns. Continue reading our article to learn more about the malware.
What Is The Spora Ransomware
The Spora ransomware is a dangerous new malware family that has proven to be a popular tool in the hands of computer hackers worldwide. This ransomware is notable for its complex ransom page, which offers several different “packages” that restore access to the files to varying degrees. Otherwise the virus behaves much like other ransomware: it encrypts the most commonly used data and then extorts the victims for a ransom payment.
The main difference between Spora and other ransomware is that it has several advanced features:
The encryption engine does not rename the affected files with a specific extension. As a consequence the victims cannot easily tell exactly which files have been affected by the virus. This tactic is used to further pressure them into paying to restore the compromised data.
A different ransom note is crafted based on the computer’s geographical location. Upon infection the virus reads the location settings configured by the computer user. Separate notes are crafted for victims located in the USA, Russia and France. Later modifications of the virus may also present other country- or region-specific messages.
The Spora ransomware deletes all Shadow Volume Copies on the infected host. This prevents data recovery, which can then effectively be done only with specialized backup solutions.
The virus also disables the Windows Startup Repair function and prevents recovery through the usual operating system options.
The malware engine has been found to include stealth and detection-evasion techniques that scan for installed security solutions.
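The two recovery-inhibition behaviours above (shadow copy deletion and disabling Startup Repair) leave a trace in process-creation telemetry. The following Python is an added example, not code from the original article: it runs simple detection rules over constructed Sysmon-style process-creation records and correlates hits by parent process. The exact commands matched (vssadmin, wmic shadowcopy, bcdedit) are an assumption about how this behaviour usually appears in logs; the article does not state which commands Spora itself executes, and the file paths and PIDs are invented.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are made up for the example, not telemetry from a real infection.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4133, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 4140, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign admin activity: listing shadow copies should not fire.
    {"pid": 5000, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin.exe list shadows"},
]

# Rule name -> command-line pattern. The commands are an assumption about how
# shadow copy deletion and Startup Repair tampering typically look in telemetry.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def detect(events):
    """Return (rule_name, pid, parent) for every event whose command line matches a rule."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append((name, ev["pid"], ev["parent"]))
                break  # one hit per event is enough
    return findings


def correlate(findings):
    """Group hits by parent process; a parent triggering two distinct rules is a strong signal."""
    by_parent = {}
    for name, _pid, parent in findings:
        by_parent.setdefault(parent, set()).add(name)
    return {parent: names for parent, names in by_parent.items() if len(names) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print("hit:", hit)
    print("suspicious parents:", correlate(hits))
```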
Further Details About The Spora Ransomware
The Spora ransomware was classified as dangerous malware once the security analysis was complete. The security experts found that each infected client is associated with a unique infection ID. The virus creates a gateway address where the ransom payment can be made. The hackers behind Spora use the anonymous TOR network, which makes it impossible to trace the transactions to a specific person or organization.
Like all similar threats, the virus is also able to extract sensitive system information, which can further persuade the victims into paying money to the criminals. All of our readers should be warned that in the majority of cases the ransomware operators do not remove the infection when the money has been paid. They may restore the files partially or fully, but the virus itself may still remain on the computer. There are reported cases where it is activated once again and the victims are extorted to pay large sums of money to restore their files a second time. This is why we recommend that everyone use a specialized anti-spyware solution. These professional-grade programs are easy to use and can both protect computers from all types of malware threats and easily remove active infections.
The criminals behind the malware offer several “packages” that can be purchased by the victims:
FULL RESTORE – Fully restores the affected files.
IMMUNITY – Guarantees immunity from malware.
REMOVAL – Removes the malicious payload from the system.
FILE RESTORE – Restores individual files.
A novel addition to the gateway page is that it is designed to resemble well-known corporate payment sites. The criminal operators have also implemented live chat functionality that can be used to communicate directly with the hackers.
How The Spora Ransomware Infects The Target Computers
The Spora ransomware is distributed via a variety of different campaigns. The first samples of the virus were identified in early January 2017, and the attacks were launched globally. The virus quickly grew in popularity, and hackers have utilized many different infection methods.
One of the main infection vectors was a major email spam campaign that used social engineering tactics to lure the targets into downloading and running a malicious file. The messages posed as originating from 1C, a very popular accounting software package used in the Russian Federation. The emails had convincing body content that urged the targets to download an “invoice”, which was actually the virus payload. Other infection methods employed by the ransomware operators include the following:
All Forms of Malicious Redirects – Hackers can use malicious ad networks that lead to redirection loops or to dangerous download sites which deliver the virus. Browser hijackers are another notorious threat, as they change the settings of the installed browsers to redirect users to dangerous malware.
Software Bundles – Dangerous viruses such as the Spora ransomware are often bundled with pirate or counterfeit software and computer games downloaded from untrusted download sites or BitTorrent trackers.
Exploit Kits – Computer hackers can initiate various automated attacks that compromise the target computer via vulnerabilities in services running in the background. As a consequence they can install the Spora ransomware and other malware on the hacked computers.