Spora Ransomware Support and Help Topic


58 replies to this topic

#1 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 5,933 posts)

Posted 10 January 2017 - 07:29 AM

A new ransomware was discovered that encrypts files and does not add an extension to the filename. It drops a ransom note in the form of RU*-*-*-*-*-*-*-*/RU*-*-*-*-*-*-*/RU*-*-*-*-*-*.HTML (the RU will change depending on what country you are from) and a key file in the same format which is used to identify you.

The ransom note: [image]

The website from the ransom note: [image]

More information can be found here


Edited by xXToffeeXx, 11 January 2017 - 04:37 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~



#2 al1963 (Members, 745 posts)

Posted 10 January 2017 - 08:51 AM

https://www.virustotal.com/ru/file/3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553/analysis/1484050971/

https://www.hybrid-analysis.com/sample/3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553?environmentId=100

Risk Assessment (from the Hybrid Analysis report):
  • Ransomware: Deletes volume snapshots (often used by Ransomware)
  • Spyware: Accesses potentially sensitive information from local browsers
  • Persistence: Disables startup repair; Spawns a lot of processes; Tries to suppress failures during boot (often used to hide system changes)
  • Fingerprint: Reads system information using Windows Management Instrumentation Commandline (WMIC); Reads the active computer name; Reads the cryptographic machine GUID; Reads the windows installation date
  • Spreading: Opens the MountPointManager (often used to detect additional infection locations)
  • Network Behavior: Contacts 2 domains and 3 hosts. View the network section for more details.


Edited by al1963, 10 January 2017 - 08:52 AM.
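The behaviours in that sandbox summary (volume snapshot deletion, disabling startup repair, suppressing boot failures, WMIC fingerprinting) are the ones a defender can alert on from process-creation telemetry before the encryption is noticed. The script below is an added example, not code from this thread or from any tool mentioned in it: it runs a handful of command-line rules over constructed Sysmon-style events and produces a verdict. The concrete command lines it looks for (vssadmin, wmic shadowcopy delete, bcdedit) are the usual ways those behaviours show up and are assumptions; the report above does not say which commands this sample actually ran.

```python
import re

# Constructed sample process-creation events (Sysmon-style image + command line).
# They are NOT captured from Spora; the command lines are the common forms of the
# behaviours the sandbox report lists, which is an assumption on our part.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1202, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 1203, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1204, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1205, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic csproduct get uuid"},
    # Benign administrative activity that must not trip the rules.
    {"pid": 1206, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 1207, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\x\\notes.txt"},
]

# (behaviour label, command-line pattern); labels mirror the sandbox categories.
RULES = [
    ("volume snapshot deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("volume snapshot deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup repair disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I)),
    ("boot failure suppression",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("system fingerprinting via WMIC",
     re.compile(r"wmic(\.exe)?\s+(csproduct|computersystem|os)\s+get", re.I)),
]


def match_event(event):
    """Return the behaviour labels whose pattern matches this event's command line."""
    return [label for label, pattern in RULES if pattern.search(event["cmdline"])]


def triage(events):
    """Run every rule over a batch of events and summarise what was seen.

    Snapshot deletion on its own can be legitimate maintenance; combined with
    tampering of boot recovery it is the pattern the sandbox report associates
    with ransomware, so only that combination yields the strong verdict.
    """
    hits = []
    labels = set()
    for event in events:
        for label in match_event(event):
            hits.append((event["pid"], label, event["cmdline"]))
            labels.add(label)
    recovery_tamper = {"startup repair disabled", "boot failure suppression"}
    if "volume snapshot deletion" in labels and labels & recovery_tamper:
        verdict = "ransomware-like"
    else:
        verdict = "review"
    return {"hits": hits, "labels": sorted(labels), "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid, label, cmdline in result["hits"]:
        print(f"pid {pid}: {label}: {cmdline}")
    print("verdict:", result["verdict"])
```

The `triage` function deliberately scores the combination rather than any single rule: a backup job that prunes shadow copies should land in "review", while shadow-copy deletion together with `bcdedit` recovery tampering is what justifies an immediate alert.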


#3 al1963 (Members, 745 posts)

Posted 10 January 2017 - 08:54 AM

Encrypted files without changing the extension.



#4 Demonslay335 (Ransomware Hunter, Security Colleague, 2,758 posts)

Posted 10 January 2017 - 09:41 AM

Thanks @al1963, we have the sample under the microscope now. Surprisingly under the radar on detection.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 thyrex (Members, 363 posts)

Posted 10 January 2017 - 10:51 AM

First case https://forum.kasperskyclub.ru/index.php?showtopic=53854 


Microsoft MVP 2012, 2013, 2014, 2015, 2016 Consumer Security


#6 Demonslay335 (Ransomware Hunter, Security Colleague, 2,758 posts)

Posted 10 January 2017 - 11:45 AM

Fabian has deemed this one secure unfortunately. It basically uses an embedded public RSA-1024 key to secure the AES keys used per file.




#7 Amigo-A (Members, 165 posts)

Posted 10 January 2017 - 03:21 PM

Spora Ransomware (description in Russian)

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#8 al1963 (Members, 745 posts)

Posted 11 January 2017 - 10:10 PM

In general, the encryption scheme, the use of an encrypted KEY file that contains the private part of the victim's key, the technological private office with an automatic dispensing system and the key decoder in BTC after payment, recalls the former VAULT project. Which, by the way, was closed December 30, 2016.



#9 Amigo-A (Members, 165 posts)

Posted 12 January 2017 - 02:22 AM


Yes. Spora from the Vault.


Edited by Amigo-A, 12 January 2017 - 02:26 AM.



#10 Amigo-A (Members, 165 posts)

Posted 16 January 2017 - 06:27 AM

Published a manual in Russian: [image]



#11 Lady-E (Members, 1 post)

Posted 07 February 2017 - 01:56 AM

Please help. I was hit by Spora yesterday. My antivirus then deleted the malware but was unable to restore my files since all previous versions have been deleted. Since Spora is known for good customer service and being trustworthy (haha) I am considering buying the decryption code. But since the malware is deleted, how do I "get in contact"???  Please help!

 

Nvm- just had to go to https://spora.biz/


Edited by Lady-E, 07 February 2017 - 02:21 AM.


#12 quietman7 (Bleepin' Janitor, Global Moderator, 48,069 posts)

Posted 07 February 2017 - 06:58 AM

Unfortunately, there is no known way to decrypt files encrypted by Spora without paying the ransom since there is no way to retrieve the malware developer's private key that can be used to decrypt your files. Emsisoft explains why in this news article.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#13 mikesmithibo (Members, 3 posts)

Posted 09 February 2017 - 06:11 AM

I made a separate post but then noticed this topic so I figured I'd ask here...

I was infected with Spora Ransomware on my Hackintosh. Before I was infected I used Paragon software to be able to access my OS X partition from Windows (I'm currently unable to boot into OS X from my boot loader, but I'm not too worried because I know my hard drive is fine, except for what I'm about to say).

Well, the ransomware infected both drives. Because I cared more about what was on Windows than OS X, I uninstalled Paragon so that partition isn't accessible to my Windows side anymore, so I can clear Windows with a clear mind and worry about the other later. For the record, I have no backup, but I was able to gain access to all my files via Windows "previous versions". Basically I lost nothing. Another thing is the Spora ransomware only encrypted my .jpg files (and compressed .zip folders, but I only had downloaded font files in those so I didn't care). Windows is clear and now protected and running fast, back to normal. I manually deleted the ransomware in safe mode then ran Malwarebytes along with HitmanPro to get rid of anything else. All is well.

Now I'm wondering about tackling my OS X partition. If I use Paragon to give Windows access to my OS X partition again, with Windows now being clear, is it safe to do that? Meaning, do you think the ransomware will just jump back over to Windows and re-encrypt my Windows files? I have everything backed up now, so I'd be okay, but what's the risk in this? Any insight would be great.

Also, I know for sure Windows is free and clear, but the ransomware name in my Startup Items is still there. Obviously I unchecked it (that was the first thing I did in safe mode), but is there any risk in that, and if so, how do I get rid of it from my Startup Items (through msconfig)?

Thank you for any insight.



#14 injector (Members, 8 posts)

Posted 12 February 2017 - 04:53 AM

Hi,

I paid and got the decryptor. It decrypts all files except XLS and DOC. Does anybody know what to do in this case?

Thanks



#15 Kabuto-san (Members, 1 post)

Posted 14 February 2017 - 09:56 AM

Hi,

First of all, sorry for my poor English; I'm French and not very good at it, though I'll do my best to be understood. I just got infected myself by Spora and wanted to tell you about what I got, because I noticed differences between what I got and what I've read about, so it might be a kind of new version of Spora, and I wanted you guys to know what happened so maybe it can help you to help others some way.
First of all, now it does not even drop a ransom note anymore; it just sets up a "starting page" when you start your computer that auto-loads the web page of their site with your "personal ID" and the "explanation". The page is fully in English, no Russian. So still no particular extensions on corrupted files, but now not even a ransom note to scan.
More surprising: I didn't catch it from an e-mail but from a post on my boss' personal blog. When I tried to read the article, Chrome said I needed to install a pack of plug-ins. As it was my boss' blog I wasn't on guard and I clicked OK; sadly the said "plug-in" was containing Spora. It seems it also corrupts "restoration point files", because after I used Malwarebytes + RogueKiller + CCleaner in safe mode to clear this bleeper up (and I hope I did, I feel so afraid right now), I tried to get back to my last restoration point from Windows (I'm on Windows 7), and the system said "restoration worked successfully" but my files were still encrypted.

I've been fighting for about 30 hours now and feel so bad about it. I hope I have really deleted this abomination for good, and I don't know how I will recover from this huge data loss. Well, now I'll have to be even more paranoid and that sucks :/.. Even my boss' or my loved one's links cannot be trusted anymore; this really sucks and I hope someone like you guys will one day find an efficient solution against those criminals. For now, sorry in advance for not providing a screenshot or anything; I discovered your site after I cleared everything (even my files) and I have nothing else than testimony to share, I'm sorry. Next time I'll come sooner and post more useful things (though I hope for my sake there won't be another time :x..).

Sincerely,

Edited by Grinler, 21 February 2017 - 10:07 AM.
Links to 3rd party removal guides removed as per forum policies.




