Security experts from Emsisoft spotted a new strain of ransomware dubbed Spora that implements a singular extortion mechanism, it allows potential victims to pay for immunity from future attacks.

According to the experts, the Spora ransomware appears well-written, it has a professional website for payment and offers several options to the victims that can pay to recover files, to remove the malware, and to gain immunity from future attacks.

The Spora ransomware implements a unique pricing model to determine how much a victim has to pay.

The attack vector is the email, victims receive messages with fake invoices as attachments. The attachments are ZIP archives with an HTA (HTML Application) file inside, masquerading as a PDF or DOC. When victims run the file, it extracts a JScript file in the %TEMP% folder, writes an encoded script into it, and then executes the file.

The malware encrypts file stored on both local files and network shares and doesn’t append an extension to them. The Spora ransomware doesn’t encrypt files located in specific directories to avoid compromise the machine operation.

According to Emsisoft, the ransomware leverages Windows CryptoAPI for encryption, it uses both RSA and AES to encrypt the files.

The encryption key management is quite complex as explained in the post published by the security firm.

“When Spora arrives on a system, it will first find and decrypt the malware author’s public RSA key embedded inside the malware executable using a hard-coded AES key. Once the malware author’s public RSA key has been successfully imported, the malware continues by creating a new 1024 bit RSA key pair, which we will call the victim’s RSA key pair, consisting of both a private and public key. It will also generate a new 256 bit AES key to encrypt the victim’s private RSA key with. Once the victim’s private RSA key is encrypted, the AES key used is then encrypted using the malware author’s public RSA key. The encrypted key material together with some additional information is then saved inside the .KEY file.” states the analysis published by Emsisoft.

“To encrypt a document or file on the system, Spora will first generate a new 256 bit per-file AES key. This per-file key serves to encrypt up to the first 5 MB of the file. Once done, the malware will encrypt the per-file key using the victim’s public RSA key and the RSA-encrypted per-file key is appended to the encrypted file.”

One of the most interesting abilities of the malware is that it is able to encrypt files without a command and control (C&C) server connection. Even if a security firm is able to analyze a decryption tool developed for one victim, they will not able to decrypt files of other users.

Experts believe the Spora ransomware is sold as a ransomware-as-a-service because instance of malware they analyzed have an hardcoded identify that is likely used to identify a specific campaign.

The aforementioned .KEY file contains multiple information such as the infection date, the username of the victim, and the locale of the infected system. These information are used by the author of the Spora ransomware to determine the ransom amount.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Spora ransomware, malware)