Discovered on January 10, 2017, Spora is a type of ransomware that first encrypts a victim’s files and then demands money to decrypt those files. This ransomware infected several computers within a short time due to a huge spam campaign. Spora has the unusual feature of working “offline.” Spora ransomware mostly spreads through phishing emails containing malicious attachments or via drive-by downloads. A drive-by download happens when a user mistakenly visits an infected website, after which malware is downloaded and installed without the user’s knowledge.
Spread of Spora Ransomware Variants in 2017
In August 2017, malware researchers identified new variants of Spora. The initial reports about ransomware updates appeared on August 4. The latest variant spreads as an obfuscated radF14DE.exe file. Though it does not affix any extension to the targeted files, the Spora ransomware continues to corrupt them and demands that the victim pay a specific amount for data recovery. Furthermore, the ransom note states that the ransom amount will increase if users fail to pay within the next four days.
An update on the second variant of the Spora ransomware was reported on August 7. This variant was distributed as an obfuscated PE/HTA bundle in ZIP archives attached to phishing emails. On August 14, researchers reported the third variant, which targets only Russian computers. This variant spreads through malicious spam emails that include ZIP files. One unique feature about this variant is that it does not rename targeted files and does not affix any extensions.
How Spora Ransomware Infects Your PC
- As discussed above, Spora ransomware spreads through malicious attachments delivered in emails, where each rogue email contains an HTA file.
- When this file is executed, it extracts a JavaScript file (“closed.js”) and places it in the system “%Temp%” folder.
- This JavaScript file extracts an executable with a random name and then runs it.
- The executable uses RSA cryptography to begin the encryption of the files.
- The HTA file also extracts a DOCX file that is corrupted, so an error is displayed when it is opened.
- Victims are thereby tricked into believing that the email attachment simply failed to download. After successful encryption, the Spora ransomware produces .html and .KEY files and places them in every folder containing encrypted files.
The HTML file holds a ransom-demand message in Russian. This message details the encryption and motivates victims to follow instructions provided on Spora’s website. In order to restore files, the victims will have to pay a ransom based on each individual situation and the victim’s requirements. For instance, victims can choose only to remove files, restore them, or receive immunity. Sometimes, victims are allowed to decrypt two files without making any payments. Victims will have to pay the ransom in Bitcoin, and they also have a limited timeframe to make this payment. Failing to pay within this period will result in permanent deletion of the decryption keys. Details get displayed on Spora’s website, which is considered to be more advanced when compared to other virus varieties. Each victim is provided with an account containing a Bitcoin wallet. This website also features transactions, contacting developers, decryption, etc.
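As an added example (not from the original page, and not code from Comodo), the following Python script shows how a defender might spot the infection chain just described in process-creation and file-creation telemetry: mshta.exe opening an .hta attachment, a script host running a .js file from %Temp%, that script host launching an executable dropped in %Temp%, and that executable then writing .html and .KEY files across several folders. The log format, field names, process IDs, the random executable name and the ransom-note file names are all constructed for this example (the real per-victim note names are not given on the page, so a placeholder ID is used).

```python
"""Detect the Spora-style HTA -> closed.js -> random .exe -> .KEY/.html chain.

Added example, not code from the original page. The log format below is a
simplified, constructed one (Sysmon-like), with one event per line:
    ProcessCreate|pid|ppid|image|command_line
    FileCreate|pid|path
"""
import re
from collections import defaultdict

# Constructed sample telemetry for a single infected host (all values invented).
SAMPLE_LOG = r"""
ProcessCreate|100|1|C:\Program Files\Outlook\outlook.exe|outlook.exe
ProcessCreate|200|100|C:\Windows\System32\mshta.exe|mshta.exe "C:\Users\alice\AppData\Local\Temp\Invoice_0317.hta"
FileCreate|200|C:\Users\alice\AppData\Local\Temp\closed.js
ProcessCreate|300|200|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\AppData\Local\Temp\closed.js"
FileCreate|300|C:\Users\alice\AppData\Local\Temp\8f2a1c9e.exe
ProcessCreate|400|300|C:\Users\alice\AppData\Local\Temp\8f2a1c9e.exe|8f2a1c9e.exe
FileCreate|400|C:\Users\alice\Documents\PLACEHOLDER-ID.KEY
FileCreate|400|C:\Users\alice\Documents\PLACEHOLDER-ID.html
FileCreate|400|C:\Users\alice\Pictures\PLACEHOLDER-ID.KEY
FileCreate|400|C:\Users\alice\Pictures\PLACEHOLDER-ID.html
FileCreate|400|C:\Users\alice\Desktop\PLACEHOLDER-ID.KEY
FileCreate|400|C:\Users\alice\Desktop\PLACEHOLDER-ID.html
ProcessCreate|500|1|C:\Windows\System32\notepad.exe|notepad.exe
"""

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    """Directory part of a Windows path."""
    return path.rsplit("\\", 1)[0]


def parse_events(text):
    """Return (processes by pid, files created by pid) from the log text."""
    procs = {}
    files = defaultdict(list)
    for line in text.strip().splitlines():
        kind = line.split("|", 1)[0]
        if kind == "ProcessCreate":
            _, pid, ppid, image, cmdline = line.split("|", 4)
            procs[int(pid)] = {"ppid": int(ppid), "image": image, "cmdline": cmdline}
        elif kind == "FileCreate":
            _, pid, path = line.split("|", 2)
            files[int(pid)].append(path)
    return procs, files


def detect_spora_chain(text, min_note_dirs=3):
    """Return one finding per complete HTA -> script -> %Temp% exe chain.

    A finding is marked ransomware_activity=True when the final executable
    has written .KEY/.html files into at least min_note_dirs distinct folders.
    """
    procs, files = parse_events(text)
    findings = []
    for hta_pid, hta in procs.items():
        # Stage 1: mshta.exe launched with an .hta attachment.
        if basename(hta["image"]).lower() != "mshta.exe" or ".hta" not in hta["cmdline"].lower():
            continue
        # Stage 2: a script host child running a .js file out of %Temp%.
        for js_pid, js in procs.items():
            if js["ppid"] != hta_pid or basename(js["image"]).lower() not in SCRIPT_HOSTS:
                continue
            if not (TEMP_DIR.search(js["cmdline"]) and JS_FILE.search(js["cmdline"])):
                continue
            # Stage 3: the script host launches an executable that lives in %Temp%.
            for exe_pid, exe in procs.items():
                if exe["ppid"] != js_pid or not exe["image"].lower().endswith(".exe"):
                    continue
                if not TEMP_DIR.search(exe["image"]):
                    continue
                # Stage 4: ransom-note artifacts (.KEY / .html) spread across folders.
                note_dirs = {dirname(p) for p in files.get(exe_pid, [])
                             if p.lower().endswith((".key", ".html"))}
                findings.append({
                    "hta_pid": hta_pid,
                    "script_pid": js_pid,
                    "payload_pid": exe_pid,
                    "payload": exe["image"],
                    "note_dirs": len(note_dirs),
                    "ransomware_activity": len(note_dirs) >= min_note_dirs,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_spora_chain(SAMPLE_LOG):
        print(finding)
```

The value of tying the stages together through parent/child process IDs is that each stage on its own is noisy (mshta.exe and wscript.exe are legitimate Windows tools), whereas the full chain ending in note files across many folders is a strong signal; the stage-3 match alone, before any .KEY files appear, is where a containment or alerting rule would ideally fire.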
How to Remove Spora Ransomware
To prevent Spora ransomware, you will have to be careful when opening files received from doubtful email addresses and when downloading applications/files from unofficial sources. The best solution to prevent and remove Spora ransomware is to use genuine antivirus software and to apply regular updates. If you do not have reliable antivirus software, or if you want a new one, then we at Comodo offer you our antivirus software, capable of detecting, removing, and preventing trojan horses, viruses, worms, spyware, ransomware, backdoors, adware, rootkits, and other malware infections.
Comodo Antivirus is the best virus removal software that can protect your PC from Spora ransomware and other virus and malware attacks. The following features will further establish the effectiveness of using this virus removal software on your PC:
- Default Deny Protection
This feature by default prevents all files from entering the computer until they establish themselves to be harmless.
- VirusScope
This PC analysis feature allows users to undo malicious-looking changes that PC(s) might have recorded due to malicious actors.
- Containment
This technology supports the default deny approach by “restraining” or “containing” files. These files are then run in an isolated environment until they prove themselves to be harmless.
- Cloud-Based Behavior Analysis — Valkyrie
The increasing number of zero-day malware attacks has resulted in the need for a cloud-based behavior analysis system that has the potential to keep up with the latest malware.
- Efficient Whitelisting
Through this feature, the Comodo Antivirus Software will be able to mark specific files as reliable and give them default access.
- Host Intrusion Prevention System (HIPS)
This security feature helps in comprehensively monitoring your PC and preventing the entry of malicious attacks. This is done by employing a set of behavior analyzers.
Install Comodo Antivirus Software to easily remove Spora ransomware.