- After my company was recently hit with the Spora Ransomware, I was motivated to develop an inoculation tool that makes a target workstation immune to future Spora attacks.
- Spora was written in Visual Studio in the C++ language. After unpacking, decompiling and analyzing the pseudo-source, I wrote the tool I'm presenting to you today.
- What does it do?
- The tool will identify the system drive where Windows is installed, then enumerate through the users' profile directories. After building this list, the application will write a small file containing an encrypted string to the AppData/Roaming folder(s). Before Spora infects a workstation, it will search for the presence of this file containing the unique signature. If it comes across a workstation containing this file, it will not infect the workstation.
- What doesn't it do?
- This tool will not remove any pre-existing Spora infections, nor will it decrypt any previously encrypted files. The purpose of this tool is to prevent you from being targeted by this ransomware in the future.
- VirusTotal Link
- Hybrid-Analysis Link
- MD5: 4EF9DC824351B5B1936A6255E37DA4B8
- SHA256: 95499E75B12C2A183D7BA43E14C00F0DA1CB9F6C778E6D2F9BB41BB39C0C6E02
- SHA512: 5C2AB40DDA6CAC4C59E2C3EEE32F362DB4334CD2C453EE271CC597FD12C2603E76EE8AEE611772CA348C0C4C8C64B797FE6919020B46677489B3265D954A4F3E
- RIPEMD160: BBA3C2AAA64B41D91305D4102AF57903ECFE26EC
- TIGER: 824C576D698D974AB96E54A84816CFACCA78C5AE50D73054
Edited by Cykhet, 01 March 2017 - 11:28 AM.
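
The following coverage audit is an added example, not part of the original post or the author's tool. It walks the same path the post describes (system drive, user profile directories, AppData/Roaming) and reports which profiles hold a non-empty marker file. The marker file name is a placeholder because the post does not give it, the list of skipped folders is an assumption, and the check covers presence and size only, not the signature itself.

```python
import os
from pathlib import Path

# Placeholder: the post does not name the marker file, so set this yourself.
MARKER_NAME = "MARKER_FILE_NAME_PLACEHOLDER"
# Assumption: these folders under Users are not real interactive profiles.
SKIP = {"public", "default", "default user", "all users"}

def users_root(env=os.environ):
    """Users directory on the drive where Windows is installed."""
    return Path(env.get("SystemDrive", "C:") + os.sep, "Users")

def audit_profiles(root, marker_name=MARKER_NAME):
    """Map each profile folder to present / empty / missing / no-roaming / access-denied."""
    report = {}
    for entry in sorted(Path(root).iterdir()):
        if entry.name.lower() in SKIP or not entry.is_dir():
            continue
        marker = entry / "AppData" / "Roaming" / marker_name
        try:
            if not marker.parent.is_dir():
                status = "no-roaming"
            elif not marker.is_file():
                status = "missing"
            elif marker.stat().st_size == 0:
                status = "empty"  # file exists but cannot hold a signature
            else:
                status = "present"
        except PermissionError:
            status = "access-denied"  # rerun elevated to read other users' profiles
        report[entry.name] = status
    return report

def uncovered(report):
    """Profiles that still need the inoculation tool run against them."""
    return sorted(name for name, status in report.items() if status != "present")

if __name__ == "__main__":
    root = users_root()
    if root.is_dir():
        report = audit_profiles(root)
        for name, status in report.items():
            print(f"{name}: {status}")
        print("uncovered:", ", ".join(uncovered(report)) or "none")
```

Profiles created after the tool was run show up as `missing`, so the audit is worth repeating whenever new users log on to the workstation.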