Security News: Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet

LASER_oneXM (thread author)
Some quotes from the article above:

A new ransomware family made its presence felt today, named Spora, the Russian word for "spore." This new ransomware's most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, which is the most sophisticated we've seen from ransomware authors as of yet.

Unlike most of today's ransomware families, Spora works offline and does not generate any network traffic to online servers.

Spora has top-notch encryption
According to Fabian Wosar, CTO and malware researcher for Emsisoft, Spora does not appear to contain any weaknesses in its encryption routine. The entire encryption operation appears to be very complicated.


From the different security researchers we've spoken to, the new Spora appears to be a professional ransomware put together by a crew with previous experience in ransomware distribution.

Last year, in the months of January and February, the world was introduced to ransomware families such as Locky and Cerber, which plagued users all over the world during 2016, and whose encryption security firms had failed to break.

Spora seems to be a ransomware family as advanced and well-run as Cerber and Locky, and we may soon see its operators expand from Russia to other countries across the world.




Spora targeting only Russian users for now

According to MalwareHunterTeam, a security researcher who helps run ID-Ransomware, a service for identifying the type of ransomware that has infected computers, all Spora uploads to ID-Ransomware today came from users in Russia.

Further, the ransom note dropped on our test machine was also available only in Russian. Emails we found and tied to Spora spam campaigns were also all available in Russian alone.




Spora distributed via spam campaigns

Currently, the Spora ransomware is distributed via spam emails that pretend to be invoices. These emails come with attachments in the form of ZIP files that contain HTA files.

.....
.....
.....

These HTA (HTML Application) files use a double extension, such as PDF.HTA or DOC.HTA. On Windows computers where the file extension is hidden, users will see only the first extension and might be tricked into opening the file. Launching any of these files starts the Spora ransomware process.

.....
....
....


When a user runs the HTA file, it will extract a JavaScript file named close.js to the %Temp% folder, which further extracts an executable to the same folder and executes it. This executable uses a randomly generated name. On our test run it was "81063163ded.exe." This executable is the main encryptor and will begin to encrypt the files on the computer.

Additionally, the HTA file will also extract and execute a DOCX file. This file is corrupted and will show an error. Other malware families use this very same trick, opening corrupted files in order to trick users into thinking the file had been damaged during the email transfer or the download operation so as to not alert them of foul play.
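
The double-extension lure quoted above (a ZIP whose entry is named PDF.HTA or DOC.HTA, shown to the user as a PDF or DOC once Explorer hides the last extension) is easy to check for at a mail gateway. The following is an added example written for this thread, not code from the article or from anyone posting here: it builds a constructed sample ZIP in memory, reports what the victim would see for each entry, and flags entries whose real extension is one Windows will execute. The extension lists and the sample filenames are assumptions made for the example.

```python
"""Flag ZIP attachments carrying the double-extension trick (PDF.HTA, DOC.HTA).

Added example, not code from the article or from anyone in the thread.
The ZIP and its filenames are constructed for the example; the extension
lists below are assumptions, not a complete list of what Windows will run.
"""
import io
import zipfile

# Extensions Windows hands straight to a loader or script host on double-click
# (assumption: a short practical list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".exe", ".scr", ".com", ".pif", ".cmd", ".bat", ".ps1",
}
# Document-looking extensions an attacker wants the victim to see instead.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}


def explorer_display_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    only the final extension is dropped, so 'Invoice.PDF.HTA' shows as 'Invoice.PDF'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base, dot, _ext = name.rpartition(".")
    return base if dot and base else name


def classify(filename: str) -> dict:
    """Return the real extension, what the user would see, and a verdict."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    shown_ext = "." + parts[-2] if len(parts) > 2 else ""
    if real_ext in EXECUTABLE_EXTENSIONS:
        verdict = "double_extension" if shown_ext in DECOY_EXTENSIONS else "executable"
    else:
        verdict = "ok"
    return {
        "name": name,
        "real_ext": real_ext,
        "displayed_as": explorer_display_name(name),
        "verdict": verdict,
    }


def scan_zip(data: bytes) -> list:
    """Classify every file entry of a ZIP held in memory (directories skipped)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify(i.filename) for i in zf.infolist() if not i.is_dir()]


def suspicious_entries(data: bytes) -> list:
    """Entry names that should stop the attachment at the gateway."""
    return [r["name"] for r in scan_zip(data) if r["verdict"] != "ok"]


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the invoice lure: a decoy-named HTA
    next to a harmless text file. The HTA body is a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017-01.PDF.HTA",
                    "<html><script>/* constructed placeholder */</script></html>")
        zf.writestr("readme.txt", "constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for row in scan_zip(build_sample_zip()):
        print(f"{row['name']:28} shown as {row['displayed_as']:22} -> {row['verdict']}")
```

The check keys on the real (last) extension only; the decoy extension in front is used just to label the finding as a deliberate double-extension lure rather than a bare script. Archive entries can also hide the trick behind a path, so the name is reduced to its basename first.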
 

Svoll
Very interesting article! And their payment site is well thought out. Buying immunity from future infections. It seems the group thought no AV or security group would be able to break their encryption.


[Image: MyPurchasings.png]


Also unique to the ransomware are different purchases that can be made depending on the particular needs of the victim. These options, organized under a section named "MyPurchasings", allow users to:

  • Decrypt their files (currently $79)
  • Buy immunity from future Spora infections (currently $50)
  • Remove all Spora-related files after paying the ransom (currently $20)
  • Restore a file (currently $30)
  • Restore 2 files for free
 

bunchuu
Svoll said:
Very interesting article! And their payment site is well thought out. Buying immunity from future infections. It seems the group thought no AV or security group would be able to break their encryption.

[Image: MyPurchasings.png]

Also unique to the ransomware are different purchases that can be made depending on the particular needs of the victim. These options, organized under a section named "MyPurchasings", allow users to:

  • Decrypt their files (currently $79)
  • Buy immunity from future Spora infections (currently $50)
  • Remove all Spora-related files after paying the ransom (currently $20)
  • Restore a file (currently $30)
  • Restore 2 files for free

Immunity? How do they guarantee against further infection?

The GUI is clean and looks good.
 

cruelsister
This is an interesting one. The person who sent me this ransomware noted that it was part of a widespread campaign in Russia; the point was to have as widespread distribution as possible before any AV vendor could react.

Just to give you some idea of the time involved, it was in the wild a bit before he detected it, then eventually it was sent to me, where it sat unopened in my inbox for about 6 hours. By the time I set up the video about it and got through with my morning phone calls, still only Dr Web, not surprisingly a Russian vendor (what was surprising is that K was still oblivious to it), detected it.

The point here is that for a true zero day it should be assumed that traditional AV solutions will leave you vulnerable for an extended period of time. For me that is totally unacceptable.
 

bunchuu
cruelsister said:
This is an interesting one. The person who sent me this ransomware noted that it was part of a widespread campaign in Russia; the point was to have as widespread distribution as possible before any AV vendor could react.

Just to give you some idea of the time involved, it was in the wild a bit before he detected it, then eventually it was sent to me, where it sat unopened in my inbox for about 6 hours. By the time I set up the video about it and got through with my morning phone calls, still only Dr Web, not surprisingly a Russian vendor (what was surprising is that K was still oblivious to it), detected it.

The point here is that for a true zero day it should be assumed that traditional AV solutions will leave you vulnerable for an extended period of time. For me that is totally unacceptable.

Can anti-exec, HIPS or BB block its execution before encryption begins?
I'm still new to this kind of extension (HTA).
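
bunchuu's question above (whether an anti-exec, HIPS or behaviour blocker could stop the chain before encryption starts) is one that a behaviour rule can be written against, because the article gives the whole sequence: mshta.exe running the .HTA lure, a script host running close.js out of %Temp%, then a randomly named .exe launched from %Temp%. The following is an added example for this thread, not code from the article, from any poster, or from any product: it evaluates two rules over constructed process-creation events. The assumption that close.js is run by wscript.exe and that the encryptor's parent is that script host is mine, chosen to match the article's sequence; the pids, paths and the decoy WINWORD event are constructed.

```python
"""Behaviour rule for the Spora delivery chain described in the article:
mshta.exe (the .HTA lure) -> script host running %Temp%\\close.js -> a randomly
named .exe launched from %Temp%.

Added example, not code from the thread and not any product's rule syntax.
Events are constructed process-creation records; the assumption that close.js
is run by wscript.exe and that the encryptor's parent is that script host is
mine, made to match the sequence the article describes.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str   # command line as logged


# %Temp% of a user profile or the system temp directory (assumption: default paths).
TEMP_DIR_RE = re.compile(r"\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\", re.I)
SCRIPT_FILE_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict, max_depth: int = 5) -> list:
    """Parent, grandparent, ... of pid, as far as the event set allows."""
    chain = []
    current = by_pid.get(pid)
    while current is not None and len(chain) < max_depth:
        parent = by_pid.get(current.ppid)
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def evaluate(events: list) -> list:
    """Return (rule, pid) alerts. Two rules, one per stage of the chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        image = basename(e.image)
        lineage = [basename(a.image) for a in ancestors(e.pid, by_pid)]
        # Stage 1: an HTA (mshta.exe) starting a script host on a script in %Temp%.
        if (image in SCRIPT_HOSTS and lineage[:1] == ["mshta.exe"]
                and TEMP_DIR_RE.search(e.cmdline) and SCRIPT_FILE_RE.search(e.cmdline)):
            alerts.append(("hta_runs_temp_script", e.pid))
        # Stage 2: any .exe executing from %Temp% with mshta.exe somewhere above it.
        if (image.endswith(".exe") and TEMP_DIR_RE.search(e.image)
                and "mshta.exe" in lineage):
            alerts.append(("temp_exe_under_hta", e.pid))
    return alerts


# Constructed sample: the infection chain plus two benign neighbours that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(101, 100, r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\victim\Downloads\Invoice.PDF.HTA"'),
    ProcessEvent(102, 101, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\victim\AppData\Local\Temp\close.js"'),
    ProcessEvent(103, 102, r"C:\Users\victim\AppData\Local\Temp\81063163ded.exe",
                 r"C:\Users\victim\AppData\Local\Temp\81063163ded.exe"),
    # Decoy document opened from the HTA: Word is not in %Temp%, so no alert.
    ProcessEvent(104, 101, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 r'WINWORD.EXE "C:\Users\victim\AppData\Local\Temp\Invoice.docx"'),
    # A script started directly by Explorer, not by mshta.exe: no alert.
    ProcessEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\victim\Documents\cleanup.js"'),
]


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid} ({by_pid[pid].image})")
```

In a real deployment the events would come from Sysmon Event ID 1 or EDR telemetry, where the parent image is usually logged directly and the ancestry walk is shorter. The second rule is the one that answers bunchuu's question: it fires on the encryptor's process creation, which is before any file is encrypted, and it does not depend on a signature for the randomly named executable.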
 

DardiM
I quickly looked at the sample posted on malware hub.

Even the obfuscated script-based close.js is OMG.

First:
VBScript
Then:
=> creates a js file "close.js"
=> writes inside it
=> runs it
=> uses the same function 22 times (decoder):
=> creates 21 decoded but obfuscated arguments for another anonymous function call (built in real time)
=> 1 string is for the future anonymous function that will decode the 21 arguments.

=> this anonymous function decodes another part that is then used as another anonymous function with loops, deobfuscation inside, etc.

=> there is no basic deobfuscated part that can be analyzed step by step after some deobfuscations.

=> modifications have to be done to the code
=> One of the most interesting obfuscation methods I have ever seen on a script (from the point of view of a puzzle lover) :)

And I am only talking about the obfuscation part / script, so ... hahaha I know: malware is bad ;)

Edited:
(I have begun to prepare some parts for a possible "future" analysis post, just have to find out how I can present it :D)
 
