And So It Begins: Spora Ransomware Starts Spreading Worldwide

  • January 24, 2017
  • 04:40 AM
  • 0

And so it begins

According to data gathered via the ID-Ransomware service, what all of us had predicted is now happening; Spora Ransomware has started to spread to new territories outside former Soviet states.

Spora Ransomware appeared in the first week of the year, and its first version featured a ransom note only in Russian, meaning its distributors were only targeting territories with Russian-speaking users.

First Spora Ransomware wave targeted Russian-speaking users

This presumption was immediately reinforced by statistical data gathered via ID-Ransomware, a service that allows users to upload encrypted files and get a possible match for the ransomware that has infected their system.

For the first few days, the only ones that were uploading Spora-encrypted files were Russian users.

This trend continued in the week, along with sporadic infections in neighboring countries such as Kazakhstan, Belarus, and others, but not on the same level as the numbers of infections registered in the main Russian territory.

Spora ransomware goes global

Things appeared to have changed last week, according to multiple researchers, who have now spotted multiple Spora Ransomware distribution campaigns.

Shortly after, the ID-Ransomware service started registering uploads of Spora-encrypted files from users outside the former Soviet space. Countries like Saudi Arabia, Austria, or the Netherlands, became hotspots of Spora infections.

Map of Spora infections

This geo-targeting shift happened because Spora stopped being exclusively distributed via spam emails written in Russian.

Spora spread via exploit kits, new spam waves

Security researchers Brad Duncan and Malware Breakdown have spotted RIG-v exploit kits spreading Spora.

According to MalwareHunterTeam, a malware distribution server had been used to host multiple ransomware versions in the past few days, such as Cerber, Spora, Locky, and the newly launched Sage ransomware. This center had historically distributed proven threats like Cerber and Locky, and recently tested out Spora and Sage. Spora most likely because of its wide range of user payment options, and Sage because of its easy to use Ransomware-as-a-Service (RaaS) distribution package.

This server had been used together with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments that contained code that downloaded the Spora binary from the aforementioned "malcenter."

It is currently unconfirmed if these are different actors but according to Emsisoft, the Spora ransomware includes support for a "campaign ID," a parameter often used to track both the effectiveness of different spam runs, but also different groups renting Spora from its creators.

While we still investigate if Spora has been made available as a Ransomware-as-a-Service offering, what's sure is that this malware has now become a global threat.

For those who need support or wish to discuss this ransomware, you can do so in our Spora Ransomware Help & Support Topic.

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.
Post a Comment Community Rules
You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Newsletter Sign Up

To receive periodic updates and news from BleepingComputer, please use the form below.

Latest Downloads

Login

Remember Me
Sign in anonymously

Reporter

Help us understand the problem. What is going on with this comment?

Learn more about what is not allowed to be posted.

SUBMIT