UPDATED 23:02 EST / JANUARY 16 2017


Spora ransomware brings a freemium model to hijacked data decryption

The creators of a recently discovered form of ransomware have devised a way to extort victims whose files have been hijacked, using a tactic borrowed from the world of apps: a freemium model.

Called Spora after the Russian word for spore, the ransomware offers five levels of decryption to those unfortunate enough to be infected. An initial tier allows a victim to decrypt two files for free, escalating to a full restore for $120, with prices in between for options including the ability to restore a single file, remove the ransomware and gain “immunity” from it.

The ransomware is being distributed through a spam email campaign whose attachment is a ZIP file containing an HTA file (an HTML application) with an enticing name, according to Naked Security. Once opened, the HTA file extracts a JScript file into the %TEMP% folder, which in turn extracts an executable into the same folder and runs it. Upon installation, Spora encrypts files using the Windows CryptoAPI in combination with RSA and AES keys, and drops an HTML-based ransom note and a .KEY file.

While that sounds like standard form for this sort of infection, Spora differs from other forms of ransomware in being able to encrypt files without contacting a command-and-control server. That is, it can encrypt files while a machine is offline and still give every victim a unique decryption key.

Spora is also highly aggressive in its implementation, limiting the options victims have to respond. That includes deleting the backup copies Windows keeps, as well as breaking shortcuts in the Start menu to make it difficult to reach the Control Panel and command prompt, which limits the victim’s ability to reboot the PC in recovery mode.

If you are infected by Spora, the bad news is that at this stage there is no cure other than to wipe the machine and restore it from a backup. Researchers at Emsisoft noted that they have yet to find any holes in Spora’s encryption routines.

“The best protection still remains a reliable and proven backup strategy, especially since the encryption used by Spora is secure and the only way to get the data back is through the help of the ransomware author,” the Emsisoft post notes.
