New Ransomware SPORA Encrypts Your Data Offline

New Ransomware SPORA Encrypts Your Data Offline

Security researchers found new Ransom family SPORA that can designed to encrypt your data offline. Spora does not renamed the encrypted files. Currently targets on Russian users and spread via mimic invoices and spam emails. It's first spotted by Bleeping Computer and Kaspersky forums.

Spora Ransomware contain .HTA (HTML Application) extension format such as Doc.HTA or PDF.HTA where the one of the extension file is hidden. When the victim click on HTA file it will extract a Javascript file named Close.js and save it into %temp folder.

HTA file also extract and execute a DOCX file. Where the file is corrupted and show an error.

Spora doesn't target a large number of files. The current version of Spora only goes after files with the following file extensions:

.xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup.

The encryption process targets local files and network shares, and does not append any extra file extension at the end of files, leaving file names intact.

Russian Version Note: All Your Work and personal files were encrypted (Translated Red Fonts)

To avoid damaging computers to the point where it prevents normal boot procedures and other operations, Spora skips files located in certain folders. By default, Spora will not encrypt files in folders that contain the following strings in their names:

• games
• program files (x86)
• program files
• windows

According to emsisoft, Spora is written in C and is packed using the UPX executable packer. Unlike most ransomware families, Spora doesn’t rename files it encrypts, so there are no specific file extensions associated with it. When infecting a system, it drops a nicely designed HTML-based ransom note and a .KEY file. The base name of both files is identical to the user ID the ransomware assigns to each user. The ransom note is written in Russian.

Screenshot of Spora Ransom to Pay 

As you can see above image here users can choice what they want to decrypt according to their need.
Ransomware are charging $79 to full decrypt. All payment process by Bitcoin.

How to protect?

• Do not open any suspicious file
• Do not click on any unknown source link.
• Always on Anti-Malware software