Spora, a new variant of ransomware recently identified by security researchers, is written with robustness and features making it more evolved than its counterparts. Similar to existing ransomware, Spora will encrypt a user’s files and hold then hostage until a payment has been made. However, Spora differs in numerous ways from other ransomware. For example, it can encrypt files offline, offers a tiered payment system, and utilizes a professional-looking payment portal, which includes a Chat tool.
Although Spora mainly targets Russian-speaking victims, it has begun spreading globally with reported infections in Saudi Arabia, Austria, the Netherlands, and a few other Western European countries.
Spora propagates via spam emails, a fake Chrome font pack, or the RIG-v exploit kit (EK). Most often it will use spam email to infect victims, disguised as an invoice from a Russian accounting software business 1C. The email contains one attachment, an HTA file. When double-clicked, the HTA file runs Jscript loader code and drops two files into the %TEMP% directory and executes both-
The first opens a text reader, such as Notepad or Word, but displays invalid data. This is believed to serve as a diversion. While the victim tries to figure out why they have a corrupt text document, the second file has already begun encrypting the user’s files.
Since all the key generation and encryption happens locally, it precludes the need for the malware to communicate with any C2. In other words, an internet connection is not needed to ensure a successful campaign. Also, since the encryption keys are specific to each victim (even specific to each victim’s files), there is no ‘master’ unlock key like some other ransomware.
Spora uses a mixture of static and generated RSA and AES keys to encrypt victim data. The steps are as follows:
- Step 1: The process begins with the malware using a hardcoded AES key to extract an embedded RSA public key from the malware.
- Step 2: The malware then generates a new RSA public/private key pair as well as a new AES key.
- Step 3: The new AES key is used to encrypt the newly generated RSA private key.
- Step 4: The new AES key is then encrypted using the malware’s initial, embedded public RSA key.
- Step 5: The victim’s files are encrypted using AES keys that are generated individually for each file.
- Step 6: These individual AES keys are encrypted with the RSA public key generated in Step 2 and are stored with the associated encrypted file.
One of the hallmarks of the Spora campaign is the high level of customer service provided to victims. If a victim decides to pay the ransom fee, they are instructed to connect to a payment portal that is well-organized with a customer-friendly UI. The portal includes a real-time chat tool for communicating with the threat actors. It is believed that this level of customer service and communication are provided to encourage payments from the victims.
In addition to file decryption, the portal offers additional services for purchase. For example, victims can pay to receive immunity from future infection, remove all Spora related files from their computer, or decrypt a single file.
Some variants of Spora can be detected using NetWitness for Logs and Packets (NWLP). To enable detection, verify that your installation has been configured with this content:
- Fingerprint_zip parser
- Hunting Pack
Screenshots for finding both of these pieces of content are shown here.
Once you have subscribed to and enabled this content in your environment, NWLP will detect Spora infections that use the HTA method referenced above. Shown below is the parser actively detecting a Spora Zip file attachment.
These IOCs have been added to the Live Third Party feed.
Thanks to Ray Carney, Kevin Stear, Bill Motley, and Steven Sipes for their contributions.