\n<\/strong>Spora is delivered to the victim via spam emails containing a malicious .ZIP file as an attachment. This .ZIP file contains an HTML Application (\u2018.HTA\u2019) file that pretends to be an invoice in .PDF or .DOC format, wearing double extensions to those files (e.g. <file_name>.pdf.HTA). As \u2018Hide extensions for known file types\u2019 option is marked checked by default in many systems, it increases the chances of getting trapped in opening an .HTA file by mistaking it for harmless file types.<\/p>\n
Infection Routine close.js file further drops and runs this executable file – \u2018%Temp%\\<Random_Alpha_Numeric_Characters>.exe\u2019 Spora was not found appending any extension to the encrypted files. When encryption is over, a ransom note is displayed (shown below), highlighting the uniquely generated \u2018Infection ID\u2019 and basic instructions.<\/p>\n A .KEY file is dropped on the desktop, containing information about \u2018encrypted-encryption keys\u2019 used to encrypt files. In order for the victim to get complete access to the payment portal, they need to upload .KEY file to the portal to synchronize the infected computer with the payment portal. To do so, the below panel is provided.<\/p>\n Once synchronized, the victim can choose from a number of purchase options available on a \u2018My Purchase\u2019 section of the portal.<\/p>\n FULL RESTORE<\/strong> – With this, the user can have all their encrypted data restored.<\/p>\n IMMUNITY<\/strong> – With this, the user can buy immunity against future Spora attacks.<\/p>\n REMOVAL –<\/strong> With this, the user can have the Spora malware completely removed from their computer.<\/p>\n FILE RESTORE –<\/strong> Offers two options; decrypt two files for free or decrypt a selection of files for $30.<\/p>\n As you can see, Spora offers the victim with a variety of options to take care of the situation. For instance, a victim might be less likely to pay the ransom because they know they have safely backed up their data. However, they would still want to have the malware removed from the system – which gives the \u2018Removal\u2019 option.<\/p>\n Quick Heal Detection \u2022 Quick Heal Email Protection<\/strong> successfully prevents download of the malicious .ZIP attachment which is the first stage of the infection.<\/p>\n As shown in the image above, the malicious .HTA file has been successfully detected as \u2018JS.Nemucod.BJF\u2019 and deleted thereafter.<\/p>\n \u2022 Quick Heal Anti-ransomware<\/strong> protection successfully detects potential file encryption activities and alerts the user<\/p>\n \u2022 Quick Heal Behavior Detection System<\/strong> successfully detects malicious activities and alerts the user<\/p>\n Conclusion A nicely designed decryptor portal dashboard, synchronization between the portal and infected system using a .KEY file, and multiple purchase option for decryption signify how attackers are using complex tactics in creating ransomware.<\/p>\n How to stay safe against such ransomware attacks<\/strong><\/p>\n
\n<\/strong>Spora has a multistage infection behavior. When a malicious .HTA file is executed, it drops and executes the below files into the system using VBScript program:<\/p>\n\n
\n\u2022 It is actually a file encryptor component that performs file encryption.
\n\u2022 doc_6d518e.docx is a corrupt file that is intentionally dropped and opened to keep the victim busy in viewing it while files are getting encrypted in the background.
\n<\/em><\/p>\n![\"spora1\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora1.jpg\")
Figure 1. Corrupt document to fool a victim<\/p>\n![\"spora2\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora2.jpg\")
Figure 2. Spora ransom note with an infection ID<\/p>\n![\"spora3\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora3.jpg\")
Figure 3. Key upload panel on Spora payment portal<\/p>\n![\"spora4\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora4.jpg\")
Figure 4. Decryptor purchase options<\/p>\n
\n<\/strong>Quick Heal antivirus successfully prevents Spora infections at multiple stages.<\/p>\n![\"spora5\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora5.jpg\")
Figure 5. Quick Heal Email Protection<\/p>\n![\"spora6\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora6.jpg\")
Figure 6. Quick Heal Anti-Ransomware alert<\/p>\n![\"spora7\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/02\/Spora7.jpg\")
Figure 7. Quick Heal Behavior Detection System alert<\/p>\n
\n<\/strong>It is not hard to guess that the creators of Spora have taken their time in developing this ransomware to make it effective, and professional at the same time.<\/p>\n\n
\n