New Year, New SPORA
2016 the Year of Ransomware
The motive behind most hacking is financial. Data such as bank account numbers, medical records and valuable business documents has a market price on the dark web, and can furthermore be encrypted by an attacker and held to ransom until a payment has been transferred. 2016 was a year in which ransomware became more and more widespread. Now that 2017 has arrived, the fight against ransomware has never been more of a necessity, with defence, detection and attack strategies forming and aligning.
The community of the dark web is growing, along with new-found knowledge and methods of exploitation. With ransomware being one of the main focuses of 2017, IT security professionals everywhere must communicate and work together to protect against and overcome the weaknesses that can be targeted. To ensure critical business systems stay online at all times, you must have an understanding of the following:
- The mind-set of an attacker
- Variety of attacks
- Method of exploiting vulnerabilities
- Intention and purposes of particular attacks
- How to identify a weakness
- How to detect an attack
- How to isolate an infected machine
- The necessary steps to remediation
2017 Ransomware Evolution
A new form of ransomware has appeared on the security radar. It is known as SPORA, and as devastating as it is, it has some notably well-developed features.
Image 1: Ransom note shown by SPORA on a victim's machine
To start with, SPORA of course does all the typical ransomware work. It will compromise your machine, look for particular files, encrypt them, and display a message saying that your work has been encrypted.
However, SPORA has extra features that make it interesting in the field of ransomware evolution. Here is a list of the features the new-found ransomware SPORA is capable of, which IT security personnel should be made aware of:
- At the time of writing, SPORA’s usual means of penetration is as an attachment to a spam email claiming to relate to invoices. The attachment uses a double extension such as PDF.HTA, which can trick users into opening it, as the double extension allows the real file extension to be hidden so that the file appears to be a PDF
- It has been reported that SPORA has an offline ability: it functions normally and continues encrypting even if the infected machine is disconnected from the Internet, and it generates no network traffic to online servers
- It has built-in intelligence that enables it to identify which files should and/or shouldn’t be encrypted in a way that would be advantageous to monetary gain
- The creators of SPORA have taken a lot of care in developing their payment procedure, giving victims payment and restoration options such as the following:
  - First of all, upon accessing the payment site the victim has to “synchronize” their infected machine with the decryption portal by uploading the .KEY file
  - Following successful “synchronization”, the victim is allowed to restore two files free of charge
  - A payment can be made to restore particular files chosen by the victim, reported to cost around £25 per file
  - Completely restoring your encrypted machine is reported to cost around £60
  - An additional option of removing the SPORA infection from the machine can cost around £15
  - And finally, an option to ensure that you never get infected by SPORA again can cost you an extra £40
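The double-extension trick described in the first point above is something a mail gateway or SIEM rule can flag before a user ever sees the attachment. The following is an added example, not code from the original post or from any SPORA analysis: it takes attachment filenames from constructed mail-gateway log lines (the log format, sender addresses and filenames are invented for illustration), treats a name whose last extension is an executable or script type but whose preceding extension is a document type as suspicious, and shows what the file would look like to a user whose file manager hides the final extension.

```python
"""Flag double-extension attachments such as 'Invoice.PDF.HTA'.

Added example (not part of the original post). The log lines and the
field layout are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions that run as a program or script when a user double-clicks them.
EXECUTABLE_EXTS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf",
                   "scr", "bat", "cmd", "ps1", "lnk"}
# Extensions a user expects to be a harmless document or picture (the decoy).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf", "jpg", "png"}


@dataclass(frozen=True)
class Finding:
    filename: str   # attachment name as it appeared in the log
    shown_as: str   # what the user sees when the real extension is hidden
    real_ext: str   # the extension that actually determines how it opens


def displayed_name(filename: str) -> str:
    """Name as shown when the final (real) extension is hidden: drop the last suffix."""
    base, dot, _ = filename.rpartition(".")
    return base if dot else filename


def inspect_attachment(filename: str) -> Optional[Finding]:
    """Return a Finding if the name is a decoy document extension followed by an executable one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:          # needs at least name.decoy.real
        return None
    real_ext, decoy_ext = parts[-1], parts[-2]
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS:
        return Finding(filename, displayed_name(filename), real_ext)
    return None


# Constructed sample mail-gateway log lines (not real traffic).
SAMPLE_LOG = """\
2017-01-12T09:14:03 from=billing@example.invalid subject="Invoice 44812" attach="Invoice_44812.PDF.HTA"
2017-01-12T09:15:47 from=hr@example.invalid subject="Payslip" attach="payslip_jan.pdf"
2017-01-12T09:16:10 from=ops@example.invalid subject="Report" attach="weekly.report.docx"
2017-01-12T09:17:55 from=unknown@example.invalid subject="Scan" attach="scan_0012.jpg.js"
"""

# Assumed log layout: the attachment name sits in a quoted attach="..." field.
ATTACH_RE = re.compile(r'attach="([^"]+)"')


def scan_log(log_text: str) -> List[Finding]:
    """Run inspect_attachment over every attach= field found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = ATTACH_RE.search(line)
        if not m:
            continue
        finding = inspect_attachment(m.group(1))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.filename!r} would display as {f.shown_as!r} but opens as .{f.real_ext}")
```

Only two of the four sample lines are flagged: the `.PDF.HTA` invoice lure and a `.jpg.js` name, while `weekly.report.docx` is left alone because a dotted base name followed by a genuine document extension is not the pattern. The two extension sets are deliberately small so the rule is easy to audit; extend them to match what your mail gateway is allowed to deliver.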
Image 2: SPORA homepage published on a front end domain called Spora.bz
Image 3: The synchronisation screen displayed by SPORA
Image 4: The purchasing screen shown by SPORA allowing a user to pick a method of restoration
In total, SPORA can charge around £115 per infected machine to decrypt your files and ensure that you will not be hit by the infection again (the question is: can you really trust them?).