Emsisoft researchers dissected a new ransomware strain that demands users not only pay to recover their encrypted files, but also for immunity from future attacks.
The threat is called Spora, and it looks like the work of highly professional criminals: well-implemented encryption procedures, no need for a C&C server, a user-friendly payment site, a choice of different "packages" that victims can buy, and RaaS capability. If you get hit with this strain, you can pay only to recover your encrypted files, or pay more to also "gain immunity" from future attacks.
Spora uses social engineering to spread. Its operators send fake email invoices carrying a ZIP attachment with an HTA (HTML Application) file inside, masquerading as a PDF or DOC. When the user allows it to run, the HTA extracts a JScript file into the %TEMP% folder, writes an encoded script into it, and then executes that file.
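The delivery chain above is where a mail gateway or endpoint tool gets its first chance to stop this strain: an HTA inside a ZIP attachment is rarely legitimate, and one dressed up as an invoice document is a strong signal. The following script is an added example, not Emsisoft's code or anything taken from the Spora sample; it assumes the masquerading is done with a misleading inner extension such as "invoice.pdf.hta" (the article says only "masquerading as a PDF or DOC"), and it builds a harmless constructed ZIP in memory so it can run offline.

```python
import io
import zipfile
from typing import List, Optional

# Document extensions that an HTA attachment is most likely to impersonate.
# The list is an assumption for this example, not something the article lists.
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx")


def classify_entry(name: str) -> Optional[str]:
    """Return a finding for one ZIP entry name, or None if it is not an HTA.

    Two checks: the entry's real type is HTA (its last extension), and whether
    an inner document extension ("Invoice.pdf.hta") makes it masquerade.
    """
    base = name.lower().rsplit("/", 1)[-1]      # ignore directory components
    if not base.endswith(".hta"):
        return None
    stem = base[: -len(".hta")]
    for doc_ext in DOCUMENT_EXTENSIONS:
        if stem.endswith("." + doc_ext):
            return f"HTA masquerading as .{doc_ext}: {name}"
    return f"HTA attachment: {name}"


def scan_zip_attachment(data: bytes) -> List[str]:
    """Scan the raw bytes of a ZIP attachment and list every HTA finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            finding = classify_entry(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample resembling the invoice lure; the HTA body is an
    inert placeholder, not the real dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2017-01.pdf.hta",
                         "<html><!-- placeholder, not the real lure --></html>")
        archive.writestr("readme.txt", "plain text, no finding expected")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip_attachment(build_sample_attachment()):
        print("ALERT:", line)
```

In a mail pipeline the same `scan_zip_attachment` call would run on each ZIP part; flagging any HTA entry (not just the double-extension ones) is the safer policy, since the second return value covers an HTA with a plain name as well.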
Key generation and encryption
Emsisoft described how this strain leverages the Windows CryptoAPI for encryption, using a mix of RSA and AES in the process. "To encrypt a document or file on the system, Spora will first generate a new 256-bit per-file AES key. This per-file key serves to encrypt up to the first 5 MB of the file. Once done, the malware will encrypt the per-file key using the victim's public RSA key and the RSA-encrypted per-file key is appended to the encrypted file," Emsisoft explains.
Because each per-file key is wrapped with the victim's public RSA key, the ransomware can carry out the encryption without ever contacting a command and control (C&C) server. Worse, the scheme is strong enough that a decryption tool built for one victim won't work for another: no free decryptors here.
The strain encrypts both local files and network shares and doesn’t append an extension to them. What’s more, the threat skips files located in specific directories, so as to ensure that the infected machine continues to run. After encryption, the malware drops “a nicely designed HTML-based ransom note” and a .KEY file, which the victim is required to send to the attackers for decryption.
I will decide how much your ransom will be
The strain also has a unique pricing model to determine how much a victim has to pay, Emsisoft warns. The .KEY file contains information such as the infection date, the username of the victim, and the location of the infected system. A hard-coded identifier believed to be used as a campaign ID is also included in the file, which suggests that the threat is sold as a ransomware-as-a-service.
By gathering statistics about the files it encrypts and saving them to the .KEY file as a set of six numeric values, the malware can also determine the ransom amount. The tactic was previously associated with targeted attacks via RDP (Remote Desktop Protocol), but Spora fully automates it. These stats are also embedded in the user ID that the victim is asked to submit to the attackers when accessing the payment portal.
The ID usually contains five five-character blocks, separated by a hyphen. “If the last block doesn’t add up to 5 characters, it is padded with Y-characters. Based on this, it is possible to track the number of files encrypted by Spora based on the ID alone. We are currently working together with help platforms like ID Ransomware and No More Ransom in an attempt to gather statistics based on the identifiers contained in uploaded ransom notes,” the security researchers explain.