Robert Conley

Alerting on Spora ransomware.

Blog post created by Robert Conley (Employee) on Mar 1, 2017

Spora, a new variant of ransomware recently identified by security researchers, is written with a robustness and feature set that make it more evolved than its counterparts.[1] Like existing ransomware, Spora encrypts a user’s files and holds them hostage until a payment has been made. However, Spora differs from other ransomware in numerous ways. For example, it can encrypt files offline, offers a tiered payment system, and uses a professional-looking payment portal that includes a chat tool.

Although Spora mainly targets Russian-speaking victims, it has begun spreading globally, with reported infections in Saudi Arabia, Austria, the Netherlands, and a few other Western European countries.[2]

Spora propagates via spam emails, a fake Chrome font pack, or the RIG-v exploit kit (EK). Most often it uses spam email disguised as an invoice from the Russian accounting software business 1C. The email contains one attachment, an HTA file. When double-clicked, the HTA file runs JScript loader code that drops two files into the %TEMP% directory and executes both:

  • doc_6d518e.docx
  • 81063163ded.exe

The first opens a text reader, such as Notepad or Word, but displays invalid data. This is believed to serve as a diversion: while the victim tries to work out why they have a corrupt document, the second file has already begun encrypting the user’s files.

Security researchers have also discovered Spora spreading by means of a fake Chrome browser font pack update.[3] The RIG-v EK delivers JavaScript code that displays a pop-up window asking the user whether they wish to download a Chrome font pack. If the user accepts, the Spora payload is delivered as a single executable file named Update.exe. Running the executable begins the process of encrypting the user’s files.

Since all key generation and encryption happens locally, the malware has no need to communicate with any C2. In other words, an internet connection is not needed for a successful campaign. Also, because the encryption keys are specific to each victim (and even to each of the victim’s files), there is no ‘master’ unlock key as there is for some other ransomware.[4]

Spora uses a mixture of static and generated RSA and AES keys to encrypt victim data. The steps are as follows:

  • Step 1: The malware uses a hardcoded AES key to extract the RSA public key embedded in the malware.
  • Step 2: The malware then generates a new RSA public/private key pair as well as a new AES key.
  • Step 3: The new AES key is used to encrypt the newly generated RSA private key.
  • Step 4: The new AES key is then encrypted using the malware’s initial, embedded RSA public key.
  • Step 5: The victim’s files are encrypted using AES keys that are generated individually for each file.
  • Step 6: These individual AES keys are encrypted with the RSA public key generated in Step 2 and are stored with the associated encrypted file.

One of the hallmarks of the Spora campaign is the high level of customer service provided to victims. If a victim decides to pay the ransom fee, they are instructed to connect to a well-organized payment portal with a customer-friendly UI. The portal includes a real-time chat tool for communicating with the threat actors. It is believed that this level of customer service and communication is provided to encourage payment by victims.

In addition to file decryption, the portal offers additional services for purchase. For example, victims can pay to receive immunity from future infection, remove all Spora-related files from their computer, or decrypt a single file.

Detection:

Some variants of Spora can be detected using NetWitness for Logs and Packets (NWLP). To enable detection, verify that your installation has been configured with this content:

  • Fingerprint_zip parser
  • Hunting Pack

Screenshots for finding both of these pieces of content are shown here.

Fingerprint_zip parser

Hunting Pack

Once you have subscribed to and enabled this content in your environment, NWLP will detect Spora infections that use the HTA method referenced above. Shown below is the parser actively detecting a Spora Zip file attachment.
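As an added example, not part of the original post and not the NetWitness parser’s own code: a small Python check that reads only a ZIP attachment’s member names and flags the HTA loader (or a double-extension lure) the way the Fingerprint_zip content would on the wire. The attachment names and contents below are constructed samples.

```python
import io
import os
import zipfile

# Member extensions that signal active content inside a mailed ZIP. The
# .hta entry is the loader described above; .exe covers the dropped payload.
ACTIVE_EXTENSIONS = {".hta", ".exe", ".js", ".jse", ".wsf", ".vbs"}
# Document extensions that lures borrow for double-extension names.
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Classify a ZIP attachment from its central directory alone.

    Nothing is extracted or executed: only member names are read. A
    malformed archive is reported rather than silently passed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "reasons": ["not a valid ZIP"], "members": []}

    reasons = []
    for name in names:
        base, ext = os.path.splitext(name.lower())
        if ext == ".hta":
            reasons.append(f"HTA loader in archive: {name}")
        elif ext in ACTIVE_EXTENSIONS:
            reasons.append(f"executable content in archive: {name}")
        # Double-extension lure such as invoice.docx.hta or scan.pdf.exe
        if os.path.splitext(base)[1] in DECOY_EXTENSIONS and ext in ACTIVE_EXTENSIONS:
            reasons.append(f"double-extension lure: {name}")
    return {"verdict": "alert" if reasons else "clean", "reasons": reasons, "members": names}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an "invoice" ZIP carrying an HTA (inert placeholder
    # text, not loader code) and a benign ZIP with a single document.
    lure = build_zip({"invoice_1C.hta": b"<!-- constructed placeholder -->"})
    benign = build_zip({"report.docx": b"constructed document bytes"})
    for sample in (lure, benign):
        print(inspect_zip_attachment(sample))
```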

 

 

These IOCs have been added to the Live Third Party feed:

  • 186.2.161.51
  • 52.85.184.201
  • 52.85.184.216
  • spora.bz
  • spora.biz

Thanks to Ray Carney, Kevin Stear, Bill Motley, and Steven Sipes for their contributions.

References:

[1] http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

[2] http://virusguides.com/spora-ransomware-spreads-worldwide/

[3] http://virusguides.com/chrome-malware-campaign-drops-spora-ransomware/

[4] http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

Additional reading:

https://id-ransomware.malwarehunterteam.com/index.php

https://www.scmagazine.com/spora-ransomware-targets-russian-users-and-encrypts-offline/article/631056/

http://www.forbes.com/sites/leemathews/2017/01/12/spora-is-the-highly-sophisticated-future-of-ransomware/#13c88d5a608b

https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/

https://www.symantec.com/security_response/writeup.jsp?docid=2017-011107-2825-99

http://www.malware-traffic-analysis.net/2017/01/30/index3.html
