Spora Ransomware Offers Victims Unique Payment Options

Researchers are keeping close tabs on a new ransomware strain called Spora that offers victims unique payment options.

Researchers are keeping close tabs on a new ransomware strain called Spora that offers victims unique payment options and comes with top-notch encryption.

Spora was spotted last week by ransomware experts at BleepingComputer, who said after Spora encrypts files on your computer, it offers four tiered payment options: Full Restore ($79); Immunity ($50); Removal ($20); and File Restore ($30). Spora also offers a Free option that allows you to decrypt two random files in order to win confidence that encrypted files can be restored. Pricing varies based on the system infected.

“Spora’s decryption service is something that we haven’t seen in any other ransomware decryption site,” wrote BleepingComputer in a technical breakdown of the ransomware. It said Spora had “the most sophisticated (payment site) it has seen from ransomware authors as of yet.”

Payment options are straightforward with Immunity meaning immunity from future attacks. The Select File option allows victims to choose a limited group of files to restore, but not a full system decryption.

The unique payment options, researchers believe are inspired by cybercriminals seeking more options to provide victims who may be less inclined to pay a full ransom. For example, a victim might be less inclined to pay $79 to recover files they had safely backed up. But they might pay $20 to have the ransomware removed from their system.

Another distinguishing feature of Spora is the implementation of the encryption which researchers say is well thought through. The ransomware works offline, staying low profile and generating no network traffic to outside C2 servers.

“Spora has top notch encryption,” noted BleepingComputer. “Spora does not appear to contain any weaknesses in its encryption routine. The entire encryption operation appears to be very complicated,” according to its analysis.

Currently, the ransomware is targeting Russian-language users and is being delivered via a spam message. Emails contain what is meant to look like a PDF invoice, but it is actually a HTA file that contains a VBScript program or dropper. Launching the HTA files sets off a chain reaction, ultimately leading to the encryption of the computer.

The VBScript program creates and runs an embedded JavaScript file in the system’s %TEMP% directory called Close.js. That Close.js file extracts yet another executable (with a randomly generated name) within the same folder. And it’s that file that encrypts data, according to the BleepingComputer’s analysis.

Because Spora works entirely offline, the encryption process requires a number of different longwinded steps. In a nutshell, Spora uses a combination of RSA and AES to encrypt data and takes advantage of the Windows CryptoAPI to do it. The process leverages a public-private 1024 bit RSA key pair that is unique to the victim’s computer along with a random 256 bit AES key for each file encrypted.

“Unlike most of today’s ransomware families, Spora works offline and does not generate any network traffic to online servers,” BleepingComputer wrote. According to BleepingComputer, the encryption process targets local files and network shares, but does not append any extra file extension at the end of files, leaving file names intact.

Another interesting aspect of Spora is the .KEY file created by the ransomware which contains the victim’s RSA private key, and also statistical data such as infection date, the victim’s username and a hard-coded identifier of the Spora sample used in the campaign.

The way the decryption process works is it requires the infected machine to visit the Spora decryption portal via a Tor gateway on the domain Spora[.]bz. Users are then required to “synchronize” their computer with the decryption portal by uploading the .KEY file, according to BleepingComputer.

“By synchronizing the key file, unique information about the encryption of your computer is then uploaded to the payment site and associated with your unique id… Everything on this portal is neatly arranged as a website dashboard, complete with helpful tooltips that appear when hovering over certain options,” wrote BleepingComputer.

After the victim synchronizes it to the decryption portal, Spora determines how much the ransom should be, based on the amount and type of data encrypted. Ransom demands have ranged from $79 to $280 for the Full Restore option.

“Spora seems to be a ransomware family as advanced and well-run as Cerber and Locky, and we may soon see its operators expand from Russia to other countries across the world,” researchers note in the report.

Suggested articles


  • Anonymous on

    Hi, I picked it up as a fake font pack for chrome. Beware
    • Daniel on

      Same here man! On a website for a chinese restaurant!
    • BG on

      Did you pay? If so, did they fulfill their end of the deal?
  • Chris on

    I picked up Spora as a fake font pack for Chrome as well. If there exist no solutions for Spora, does anybody know if paying the ransom results in the actual restoration of my infected files?
  • Anonop on

    Impressive stuff. Very interesting.
  • S on

    I would like to know if paying actually restores my files. I got it from and architecture firm website claiming I needed a new font. Can any of the anti malware softwares help me?
  • M on

    I to picked it up from an infected font on chrome, looking at a local building site Web page. I have got rid of infection with spy hunter but I can not restore any of my files it's years and years worth of files. I feel sick. What do do?
  • m on

    i got rid of virus but doing so also got rid of my id code on their web page. i have tried everything i have 6 years of work on my computer. no back up, now i cant even pay to get it back. help

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.