Professionally designed ransomware Spora might be the next big thing

The new ransomware program features strong offline decryption and a new payment scheme

Security researchers have found a new ransomware program dubbed Spora that can perform strong offline file encryption and brings several innovations to the ransom payment model.

The malware has targeted Russian-speaking users so far, but its authors have also created an English version of their decryption portal, suggesting they will likely expand their attacks to other countries soon.

Spora stands out because it can encrypt files without having to contact a command-and-control (CnC) server, and does so in a way that still allows every victim to have a unique decryption key.

Traditional ransomware programs generate an AES (Advanced Encryption Standard) key for every encrypted file and then encrypt these keys with an RSA public key generated by a CnC server.

Public key cryptography like RSA relies on key pairs made up of a public key and a private key. Whatever is encrypted with a public key can only be decrypted with its corresponding private key.

Most ransomware programs contact a command-and-control server after they're installed on a computer and request the generation of an RSA key pair. The public key is downloaded to the computer, but the private key never leaves the server and remains in the attackers' possession. This is the key that victims pay to get access to.

The problem with reaching out to a server on the internet after installation of ransomware is that it creates a weak link for attackers. For example, if the server is known by security companies and is blocked by a firewall, the encryption process doesn't start.

Some ransomware programs can perform so-called offline encryption, but they use the same RSA public key that's hard-coded into the malware for all victims. The downside with this approach for attackers is that a decryptor tool given to one victim will work for all victims because they share the same private key as well.

The Spora creators have solved this problem, according to researchers from security firm Emsisoft who analyzed the program's encryption routine.

The malware does contain a hard-coded RSA public key, but this is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that's also locally generated and unique for every victim. Finally, the victim's public RSA key is used to encrypt the AES keys that are used to encrypt individual files.

In other words, the Spora creators have added a second round of AES and RSA encryption to what other ransomware programs have been doing until now.

When victims want to pay the ransom, they have to upload their encrypted AES key to the attackers' payment website. The attackers will then use their master RSA private key to decrypt it and return it to the victim -- likely bundled in a decryptor tool.

The decryptor will use this AES key to decrypt the victim's unique RSA private key that was generated locally and that key will then be used to decrypt the per-file AES keys needed to recover the files.

In this way, Spora can operate without the need of a command-and-control server and avoid releasing a master key that will work for all victims, the Emsisoft researchers said in a blog post. "Unfortunately, after evaluating the way Spora performs its encryption, there is no way to restore encrypted files without access to the malware author’s private key."
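To make the key hierarchy concrete, here is an added model written for this article (not Emsisoft's analysis code and not anything taken from the malware) that builds the three wrapping layers described above with Go's standard crypto packages and exposes the portal step and the decryptor step as functions, so the isolation property can be checked: a key recovered for one victim does not open another victim's material, and nothing but the master private key opens the first layer. The 2048-bit key sizes, the 12-byte GCM nonce, RSA-OAEP as the RSA mode and all function names are assumptions of the model; it touches no files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// Victim models one infection's locally generated key material (a model only; no files are touched):
// victimAES under the master RSA public key, the victim RSA private key under victimAES (nonce||GCM), a per-file key under victimPub.
type Victim struct {
	WrappedAES, WrappedPriv, WrappedFileKey []byte
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// NewVictim builds the three-layer wrapping chain the article describes.
func NewVictim(masterPub *rsa.PublicKey) *Victim {
	victimAES, fileKey, nonce := make([]byte, 32), make([]byte, 32), make([]byte, 12)
	rand.Read(victimAES)
	rand.Read(fileKey)
	rand.Read(nonce)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	wAES, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, masterPub, victimAES, nil)
	wPriv := append(nonce, gcm(victimAES).Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)...)
	wFile, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, fileKey, nil)
	return &Victim{wAES, wPriv, wFile}
}

// UnwrapVictimAES is the portal step: only the attackers' master private key recovers victimAES.
func UnwrapVictimAES(masterPriv *rsa.PrivateKey, v *Victim) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, masterPriv, v.WrappedAES, nil)
}

// RecoverFileKey is the decryptor step: victimAES unlocks the victim RSA key, which unlocks the file key.
func RecoverFileKey(v *Victim, victimAES []byte) ([]byte, error) {
	der, err := gcm(victimAES).Open(nil, v.WrappedPriv[:12], v.WrappedPriv[12:], nil)
	if err != nil {
		return nil, err // another victim's AES key fails here, at the GCM tag check
	}
	priv, _ := x509.ParsePKCS1PrivateKey(der) // cannot fail: GCM authenticated the plaintext
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.WrappedFileKey, nil)
}
```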

Other aspects of Spora also set it apart from other ransomware operations. For example, its creators have implemented a system that allows them to ask different ransoms for different types of victims.

The encrypted key files that victims have to upload on the payments website also contain identifying information collected by the malware about the infected computers, including unique campaign IDs.

This means that if the attackers launch a Spora distribution campaign specifically targeted at businesses, they will be able to tell when victims of that campaign try to use their decryption service. This allows them to automatically adjust the ransom amount for consumers or organizations, or even for victims in different regions of the world.

Furthermore, in addition to file decryption, the Spora gang offers other "services" that are priced separately, such as "immunity," which ensures that the malware will not infect a computer again, or "removal," which will also remove the program after decrypting the files. They also offer a full package, where the victim can buy all three for a lower price.

The payments website itself is well designed and looks professional. It has an integrated live chat feature and the possibility of getting discounts. From what the Emsisoft researchers observed, the attackers respond promptly to messages.

All this points to Spora being a professional and well-funded operation. The ransom values observed so far are lower than those asked by other gangs, which could indicate the group behind this threat wants to establish itself quickly.

So far, researchers have seen Spora distributed via rogue email attachments that pose as invoices from an accounting software program popular in Russia and other Russian-speaking countries. The attachments are in the form of .HTA (HTML Application) files that contain malicious JavaScript code.
