Original Issue Date: March 30, 2017
Virus Type: Ransomware
The malware is capable of performing the following functions:
- Encrypts files across the victim's file system (the file extensions targeted by the ransomware were listed in a table that is not reproduced in this extract).
- Deletes shadow volume copies and disables Windows error recovery and startup repair.
- Does not bypass User Account Control (UAC), i.e. it requires user intervention to execute.
- Keeps statistics of the number of files encrypted, broken down by file category.
- Uses a professional-looking payment portal, which includes a chat tool.
- Demands a ransom based on the number of files encrypted.
- Has worm-like functionality and spreads using .lnk (shortcut) files.
- Is written in C and is packed using the UPX executable packer.
- Assigns a unique ID to each victim, which is the same as the file name of the ".key", ".lst" and ".html" files created by the malware.
Spora Encryption Mechanism:
(The diagram of the encryption mechanism, the ransom note shown to the user after encryption, and the ransom payment page are figures that are not reproduced in this extract.)
The payment page provides the victim with a mechanism to select among various ransom payment packages.
Indicators of compromise:
Upon encryption, three types of files are created on the victim's machine: ".key", ".lst" and ".html". Each file has its own purpose, described below; all three share a specific naming format, which is explained after the file descriptions.
.html file: This file is the ransom note shown to the user upon encryption of the file system.
- .KEY file: This file contains the RSA private key that could decrypt the files encrypted by the ransomware. However, the key file is itself encrypted with an AES key that only the attacker can recover, so the victim cannot use it without the attacker's cooperation.
A count of the number of files encrypted is maintained in this file; the attacker bases the ransom demand on it. For counting, the files are grouped into six categories (the category table is not reproduced here; the categories are: 1 = Office documents, 2 = PDF files, 3 = CorelDraw/AutoCAD/Photoshop files, 4 = database files, 5 = images, 6 = archives).
The statistics are stored in the following format:
Format: "date|user name|locale|cat1|cat2|cat3|cat4|cat5|cat6,"
- In the example on the original page (not reproduced here), XX is the locale country code, "12971" is the number of category 1 files (Office documents), 6370 is category 2 (encrypted PDF files), 8 is category 3 (encrypted CorelDraw/AutoCAD/Photoshop files), 9 is category 4 (encrypted database files), 16632 is category 5 (encrypted images) and 144 is category 6 (encrypted archives).
- .LST file: This file contains the list of all the encrypted files. The .LST file contents are encrypted using AES key F (256 bit), which is in turn encrypted with the public RSA key A.
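To make the key handling in the .KEY and .LST descriptions concrete, the following Go program is an added model of that wrapping chain, written for this page; it is neither Spora's code nor code from the CERT-In alert. It uses the alert's names A (attacker RSA key pair, only the public half present on the victim) and F (AES-256 key) and introduces B as an assumed name for the per-victim RSA key pair whose private half sits in the .KEY file. The cipher modes (AES-256-GCM, RSA-OAEP with SHA-256) and the 2048-bit key size are assumptions for the illustration; the alert only specifies AES-256 and RSA. The point it demonstrates is why the .KEY file on disk is useless to the victim: unwrapping F requires A's private key, which never touches the infected machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// KeyFile models the wrapped material the alert says lands in the victim's .KEY
// file: B's private key encrypted under AES key F, and F encrypted under the
// attacker's public key A. Modes are assumptions for this illustration.
type KeyFile struct {
	WrappedF []byte // F, RSA-OAEP-encrypted to A's public key
	Nonce    []byte // GCM nonce used for WrappedB
	WrappedB []byte // B's private key (PKCS#1 DER), AES-256-GCM under F
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildKeyFile is the malware-side step: it only ever holds A's PUBLIC key,
// so nothing left on the victim's machine can reverse the wrapping of F.
func BuildKeyFile(aPub *rsa.PublicKey, bPriv *rsa.PrivateKey) (KeyFile, error) {
	f := make([]byte, 32) // AES-256 key F, fresh per victim
	if _, err := rand.Read(f); err != nil {
		return KeyFile{}, err
	}
	wrappedF, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, aPub, f, nil)
	if err != nil {
		return KeyFile{}, err
	}
	aead, err := gcm(f)
	if err != nil {
		return KeyFile{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return KeyFile{}, err
	}
	wrappedB := aead.Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(bPriv), nil)
	return KeyFile{WrappedF: wrappedF, Nonce: nonce, WrappedB: wrappedB}, nil
}

// RecoverVictimKey is the attacker-side step after payment: A's private key
// unwraps F, and F unwraps B's private key, which then unlocks the victim's files.
func RecoverVictimKey(aPriv *rsa.PrivateKey, kf KeyFile) (*rsa.PrivateKey, error) {
	f, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, aPriv, kf.WrappedF, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap F: %w", err) // a wrong A fails here
	}
	aead, err := gcm(f)
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, kf.Nonce, kf.WrappedB, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap B: %w", err)
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// Demo runs the scheme end to end with freshly generated keys and reports whether
// the real attacker key recovers B and whether a key pair that is not A is rejected.
func Demo() (recoveredOK, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // A; only its public half ships
	if err != nil {
		return false, false, err
	}
	victim, err := rsa.GenerateKey(rand.Reader, 2048) // B, generated on the victim
	if err != nil {
		return false, false, err
	}
	kf, err := BuildKeyFile(&attacker.PublicKey, victim)
	if err != nil {
		return false, false, err
	}
	got, err := RecoverVictimKey(attacker, kf)
	if err != nil {
		return false, false, err
	}
	recoveredOK = got.Equal(victim)
	other, err := rsa.GenerateKey(rand.Reader, 2048) // anyone without A's private key
	if err != nil {
		return false, false, err
	}
	_, err = RecoverVictimKey(other, kf)
	wrongKeyRejected = err != nil
	return recoveredOK, wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("recovered with A:", ok, "| rejected without A:", rejected, "| err:", err)
}
```

Run it with `go run`; it prints `recovered with A: true | rejected without A: true`. The same chain explains why the .LST list is equally unreadable offline: its AES key F is the one wrapped to A.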
For example, consider the file name "XX302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY".
The first two letters of the file name are the locale country code (XX), followed by five characters ("30215") which are the first characters of the MD5 hash of the contents of the .KEY file.
The counters start right after the MD5 substring, at the 8th character. They are decoded using a substitution table (the table itself is not reproduced in this extract; the decoded values for this example are given below).
The file name therefore translates to:
- XX as the location (locale country code),
- "30215" as the beginning of the MD5 hash,
- 12971 encrypted Office documents, 6370 encrypted PDF files, 8 encrypted CorelDraw/AutoCAD/Photoshop files, 9 encrypted database files, 16632 encrypted images and 144 encrypted archives.
File system Changes:
Deletes the registry value "HKCR\lnkfile\IsShortcut". Without it, shortcut files no longer show the characteristic bent arrow in the lower-left corner of their icon, so the malicious .lnk files look like the files or folders they impersonate.
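As an added worked example (written for this page, not part of the CERT-In alert), the following Go program parses the .KEY statistics record described above and decodes the counters embedded in the shared .KEY/.LST/.HTML file name, then checks that the two agree. Because the alert's substitution table is not reproduced on the page, the letter-to-digit mapping used here is inferred from the page's own example (XX302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY decoding to 12971, 6370, 8, 9, 16632, 144): Z=0, X=1, R=2, O=3, A=4, F=6, G=7, E=8, K=9, with T separating the six counters and Y padding the final group. The letter for the digit 5 does not occur in that example, so it is left unmapped and the decoder reports any unknown letter instead of guessing. The sample statistics line is constructed; its date and user name are made up for the demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Counter categories, in the order the alert lists them for the .KEY statistics
// record "date|user name|locale|cat1|cat2|cat3|cat4|cat5|cat6,".
var Categories = [6]string{
	"Office documents", "PDF files", "CorelDraw/AutoCAD/Photoshop files",
	"database files", "images", "archives",
}

// KeyStats is one parsed statistics record from the .KEY file.
type KeyStats struct {
	Date, User, Locale string
	Counts             [6]int
}

// ParseKeyStats parses the pipe-separated record, tolerating the trailing comma.
func ParseKeyStats(line string) (KeyStats, error) {
	var s KeyStats
	fields := strings.Split(strings.TrimSuffix(strings.TrimSpace(line), ","), "|")
	if len(fields) != 9 {
		return s, fmt.Errorf("expected 9 fields, got %d", len(fields))
	}
	s.Date, s.User, s.Locale = fields[0], fields[1], fields[2]
	for i := range s.Counts {
		n, err := strconv.Atoi(fields[3+i])
		if err != nil || n < 0 {
			return s, fmt.Errorf("category %d: bad count %q", i+1, fields[3+i])
		}
		s.Counts[i] = n
	}
	return s, nil
}

// Letter-to-digit table INFERRED from the alert's worked example (the alert's own
// table is not on the page). The letter for digit 5 never occurs in that example,
// so it is deliberately absent and any such letter is reported as unmapped.
var letterDigit = map[byte]byte{
	'Z': '0', 'X': '1', 'R': '2', 'O': '3', 'A': '4',
	'F': '6', 'G': '7', 'E': '8', 'K': '9',
}

const (
	fieldSep = 'T' // separates the six counters
	padding  = 'Y' // fills the last group of five
)

// VictimID is the decoded form of the shared .KEY/.LST/.HTML file name.
type VictimID struct {
	Locale    string // two-letter country code
	MD5Prefix string // first five characters of MD5(.KEY contents)
	Counts    [6]int
}

// DecodeVictimID strips the group hyphens, splits off locale and MD5 prefix,
// then decodes the T-separated, Y-padded counters that start at offset 7.
func DecodeVictimID(name string) (VictimID, error) {
	var v VictimID
	raw := strings.ReplaceAll(strings.ToUpper(strings.TrimSpace(name)), "-", "")
	if len(raw) < 8 {
		return v, fmt.Errorf("name %q too short", name)
	}
	v.Locale, v.MD5Prefix = raw[:2], raw[2:7]
	encoded := strings.TrimRight(raw[7:], string(padding))
	groups := strings.Split(encoded, string(fieldSep))
	if len(groups) != len(v.Counts) {
		return v, fmt.Errorf("expected %d counters, got %d", len(v.Counts), len(groups))
	}
	for i, g := range groups {
		digits := make([]byte, 0, len(g))
		for j := 0; j < len(g); j++ {
			d, ok := letterDigit[g[j]]
			if !ok {
				return v, fmt.Errorf("counter %d: unmapped letter %q", i+1, g[j])
			}
			digits = append(digits, d)
		}
		n, err := strconv.Atoi(string(digits)) // empty group is rejected here
		if err != nil {
			return v, fmt.Errorf("counter %d: %w", i+1, err)
		}
		v.Counts[i] = n
	}
	return v, nil
}

// Matches reports whether a file name and a .KEY statistics record describe the
// same victim (same locale and identical per-category counts).
func Matches(v VictimID, s KeyStats) bool {
	return v.Locale == s.Locale && v.Counts == s.Counts
}

func main() {
	// Constructed sample record: date and user name are made up for the demo.
	stats, err := ParseKeyStats("2017-03-30|victim|XX|12971|6370|8|9|16632|144,")
	id, err2 := DecodeVictimID("XX302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY")
	if err != nil || err2 != nil {
		fmt.Println(err, err2)
		return
	}
	for i, c := range Categories {
		fmt.Printf("%-36s %6d (file name) %6d (.KEY)\n", c, id.Counts[i], stats.Counts[i])
	}
	fmt.Println("consistent:", Matches(id, stats))
}
```

A practitioner triaging an infected host can feed the file names found on disk to DecodeVictimID to estimate the scale of encryption without opening the (encrypted) .KEY file, and can use Matches to confirm that a recovered statistics record belongs to the same victim.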
MD5 hashes for Spora ransomware: (the hash list is not reproduced in this extract)
Users and administrators are advised to take preventive measures to protect their computer networks from ransomware infections and attacks (the detailed list of measures is not reproduced in this extract). Tools referenced in the alert:
- Bitdefender Anti-Crypto Vaccine and Anti-Ransomware (discontinued)
- Trend Micro Ransomware Screen Unlocker tool
- Microsoft Enhanced Mitigation Experience Toolkit (EMET); note that Microsoft retired EMET in July 2018 and its mitigations are now provided by Exploit Protection built into Windows 10.
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003