Spora is a recently discovered ransomware trojan that is well crafted and sophisticated in how it attacks. Security experts already believe it will drive the next evolution of ransomware, with a freemium model of extortion and a polished payment website behind it.
Why is Spora dangerous?
1. Unlike many ransomware families, Spora works offline: it does not need to contact a server to obtain a key or to start encrypting, so it cannot be stopped by blocking its traffic or taking down its infrastructure. Right now it is most active in Russia, but it won't take long before it appears in other parts of the world.
2. How does it get into the system?
a. It is clearly designed to be distributed by email, with a ZIP file attached that invites the victim to look inside.
b. The ZIP file contains an HTA file with an enticing name.
This multi-stage approach is new to most victims, who are therefore easily duped into opening the attachment and running the HTA file.
3. Unlike many other ransomware families, Spora does not target a large number of file types. The encryption targets a limited set of extensions:
.xls, .xlsx, .doc, .docx, .rtf, .odt, .pdf, .psd, .dwg, .zip, .rar, .cdr, .cd, .dbf, .sqlite, .accdb, .jpg,
.jpeg, .tiff, .mdb, .1cd, .7z, .backup
It does not append a new extension to the files it encrypts, and it targets only the extensions listed above, on local drives and on network shares. It does not interfere with the normal boot process, so the machine is not completely paralysed; the encryption alone is enough to leave the victim helpless and pressure them into paying for decryption.
4. The encryption is top-notch, with no visible loopholes: experts who have analysed it found no implementation flaw that would allow files to be recovered without the key. It was clearly done with a lot of attention rather than shoddily.
5. It has a very sophisticated payment mechanism, which is what sets Spora apart. The operators restore two files free of charge and charge $30 for specific files, which amounts to a freemium model. A full system restore costs about $120, and for an additional $20 they offer to remove the Spora virus itself.
Decryption follows a clear set of instructions: the victim uploads a KEY file to the decryption site and synchronizes it to obtain the unique status of their infection. The victim can then use the website to choose any of the options above.
What to do?
As always, the best defence is not to get infected in the first place. Use strong cyber-security controls and DLP measures to keep malware from paralysing systems. Because Spora needs no network connection to encrypt, blocking its traffic will not stop an infection that has already started, so detection has to happen at the attachment and endpoint level. We need more sophisticated measures that detect ransomware in real time and stop it before it can cause any real damage.
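Since the page describes the delivery chain as an emailed ZIP that contains an HTA file, one practical check at a mail gateway is to open the attachment and flag script-type members before it reaches a user. The following is an added example, not code from the original article or from any analysed Spora sample. The set of flagged extensions is an assumption (the article only names HTA; the others are common script-attachment types added here), the nesting limit is an arbitrary safety cap, and the sample ZIP is constructed inline for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions treated as directly executable script attachments.
# The article only names HTA; the rest are added here as a configurable set.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}

# Arbitrary caps so a hostile archive cannot recurse or inflate forever.
MAX_NESTING = 2
MAX_NESTED_BYTES = 10 * 1024 * 1024


def suspicious_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return the names of ZIP members that are script-type files (e.g. .hta).

    Only the final suffix is checked, so a 'double extension' such as
    invoice.pdf.hta is still caught. ZIPs nested inside the attachment are
    opened one level at a time up to MAX_NESTING; anything that cannot be
    read (bad data, password-protected member) is reported rather than ignored.
    """
    flagged: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
            elif ext == ".zip":
                if depth >= MAX_NESTING or info.file_size > MAX_NESTED_BYTES:
                    flagged.append(info.filename + " (nested zip not inspected)")
                    continue
                try:
                    inner = zf.read(info)
                except (zipfile.BadZipFile, RuntimeError):
                    flagged.append(info.filename + " (unreadable nested zip)")
                    continue
                try:
                    nested = suspicious_members(inner, depth + 1)
                except zipfile.BadZipFile:
                    flagged.append(info.filename + " (unreadable nested zip)")
                    continue
                flagged.extend(f"{info.filename}/{m}" for m in nested)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed attachment: an HTA with a plausible-looking name plus a
    harmless text file, mimicking the delivery described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_document.pdf.hta",
                    "<html><script>/* constructed placeholder */</script></html>")
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed attachment with no script-type members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"PK placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        hits = suspicious_members(blob)
        verdict = "QUARANTINE" if hits else "pass"
        print(f"{label}: {verdict} {hits}")
```

The function returns the list of offending member names rather than a boolean so the gateway can log exactly what was flagged; an empty list means the archive contained no script-type members at the inspected depths.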