Virtualization Technology News and Information
New Spora Variant Still No Match for Acronis Active Protection

Article Written by Jeff Grundy

In This Post, We Will Cover:

  • What Spora Ransomware is
  • How Spora is Different From Other Strains
  • How Spora Infects Systems
  • How the New Variant of Spora Has Changed Since Its Initial Release
  • How to Protect Your Systems From Spora


Back in January, BleepingComputer, Forbes, Panda Security, Security Intelligence, and other outlets reported on the release of the Spora ransomware strain in Russia. At the time, IT and security industry professionals hailed Spora (Russian for "spore") as one of the most sophisticated strains of ransomware to date because of its ironclad encryption routines, its ability to work offline, and the advanced website it uses to receive payments from victims. Since its release in January, many security experts and researchers have been calling Spora the next evolutionary step in ransomware. If that's not troubling enough, more recent reports indicate that new Spora variants are even more dangerous.

Spora Distribution: Past and Present

When first released, Spora ransomware was spread primarily using two methods: spear phishing and watering hole attacks. Spear phishing is a targeted email spoofing attack: you receive a message that appears to come from a person or business you know but does not. In a watering hole attack, attackers compromise legitimate websites and plant malware on them; visitors to those sites then unknowingly download the malware, which infects their computer and attempts to spread to other machines.

According to reports, Spora's initial distribution methods were effective and successful. And, while many variants of the ransomware still employ spear phishing and watering hole attack distributions, the latest versions of Spora are using a newer, and potentially more dangerous, infection method.

Fake HoeflerText Font Pop-Ups

Around the last week of July, reports surfaced of a new Spora variant that had re-emerged with a new distribution method: fake HoeflerText pop-ups served from websites compromised during EITest campaigns. Fake HoeflerText pop-ups started showing up around the Web sometime in January and have become common in the last couple of months.

Two Types of Attacks

Essentially, HoeflerText pop-up attacks are carried out using one of two methods. The first type occurs when you visit a hacked website that uses JavaScript to scramble text on the site so that it is unreadable and subsequently displays a fake alert that states you need to update your browser with the "HoeflerText" font to view the site text properly.

The second type of attack is similar in that it displays a warning message stating that "the HoeflerText font was not found." However, with the second method, text on the hacked site is not scrambled or manipulated by JavaScript. If you click the "Update" button or link in the message, the message changes to display instructions on how to install the update. You can find images of the HoeflerText pop-ups, as well as more detailed information on how they work, on the BleepingComputer website.

Spora Installation and Self Protection

As mentioned above, there are several ways that Spora is distributed. Regardless of the method encountered, though, all of them require manual action by the user before the installation routine commences (i.e., opening an infected attachment or attempting to install the fake HoeflerText font). Therefore, the longstanding advice not to open executables or attachments you are unsure of certainly applies here. However, once the installation starts, Spora takes steps to protect itself against detection by anti-malware and anti-virus applications.

Process Masking

Similar to some other ransomware variants, such as the Cerber strain, Spora uses a fake Import Address Table and hides from anti-malware/anti-virus programs by resolving the API functions it needs at runtime instead of listing them in its import table. It does this as a form of passive self-protection. The graphics below show the process as it progresses.

[Images: the runtime API-loading sequence as it progresses]

Installation

During Spora's initial installation, everything is about keeping the ransomware hidden from anti-malware applications. The first processes are virtually silent and, in many cases, undetectable, and Spora sets off to encrypt files in the background. Once that initial phase completes, though, Spora is extremely overt and makes no attempt at all to remain hidden: it attempts to elevate its privileges on the system by restarting itself with the following command:

"cmd.exe /c spora.exe /u"

Running this command usually results in Windows displaying the User Account Control (UAC) prompt.

Spora does not use any type of UAC bypass code or mechanism. Instead, Spora will cause the UAC pop-up to appear continuously until the user gives up and clicks "Yes." After the user clicks "Yes," Spora runs the following command with elevated privileges:

"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"

The above command deletes all Volume Shadow Copies on the system, which makes it impossible for users to restore earlier versions of encrypted files with Windows' built-in versioning (Previous Versions) tools.

Decrypting the Spora Configuration Set

After deleting shadow copies of files from the system, Spora decrypts its configuration data using a hard-coded AES decryption key. The decrypted block of information includes several types of data, including:

  • A Base64-encoded HTA script that enables Spora to download and set up a Tor communication service;
  • A list of file extensions that the ransomware should encrypt;
  • A list of folders where files should not be encrypted;
  • A sample ID;
  • The name of the file that includes the ransom note or message;
  • The master RSA-1024 public key;
  • The format of the infection information to be stored in the file's footer;
  • A list of commands to run.


Starting the Tor Service

Once running, Spora executes an HTA (HTML Application) file. An HTA file is a Windows program file that usually consists of HTML, Dynamic HTML or one or more scripting languages supported by Internet Explorer. When executed, HTA files behave essentially like EXE executables and usually run as trusted applications in Windows, which gives them far more privileges than standard HTML pages.

By running the HTA file, Spora downloads and sets up a Tor service, which is used to communicate with the ransomware support server. The path of the file used to create the service and initiate contact with the server is:

%Documents and Settings%\<USER>\Start Menu\Programs\Startup\SPORA_<Sample ID>.hta

[Image: processes started by the Spora HTA scripts]
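The two host artefacts described so far, the WMIC-launched vssadmin shadow-copy deletion and the SPORA_<Sample ID>.hta file dropped into the Startup folder, are the kind of thing a defender turns into detection logic. The Go below is an added example written for this page; it is not code from the article, from Acronis, or from the malware. The sample telemetry is constructed, the sample-ID format (letters, digits and dashes) and the path-matching rules are assumptions, and the rule names are made up for the example.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Indicator is one finding raised by the checks below.
type Indicator struct {
	Rule   string
	Detail string
}

// CheckProcessCommandLine flags the shadow-copy deletion chain from the write-up:
// WMIC "process call create" spawning "cmd.exe /c vssadmin.exe delete shadows".
// It tests tokens rather than the exact string, so a reordered "/all /quiet" or a
// missing ".exe" still matches, while "vssadmin list shadows" does not.
func CheckProcessCommandLine(cmdline string) []Indicator {
	l := strings.ToLower(cmdline)
	if !(strings.Contains(l, "vssadmin") && strings.Contains(l, "delete") && strings.Contains(l, "shadows")) {
		return nil
	}
	detail := "vssadmin delete shadows"
	if strings.Contains(l, "wmic") && strings.Contains(l, "process call create") {
		detail += " launched through WMIC process call create"
	}
	return []Indicator{{Rule: "shadow-copy-deletion", Detail: detail}}
}

// The sample ID format is not given in the write-up; a run of letters, digits and
// dashes is assumed here. Paths are lower-cased before matching.
var sporaHTA = regexp.MustCompile(`^spora_[a-z0-9-]+\.hta$`)

// CheckStartupPath flags the persistence artefact the write-up describes:
// SPORA_<Sample ID>.hta dropped in Start Menu\Programs\Startup. Any other .hta
// in a Startup folder is reported as a lower-confidence finding.
func CheckStartupPath(p string) []Indicator {
	norm := strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
	if !strings.Contains(norm, "/start menu/programs/startup/") {
		return nil
	}
	base := path.Base(norm)
	switch {
	case sporaHTA.MatchString(base):
		return []Indicator{{Rule: "spora-startup-hta", Detail: p}}
	case strings.HasSuffix(base, ".hta"):
		return []Indicator{{Rule: "hta-in-startup", Detail: p}}
	}
	return nil
}

func main() {
	// Constructed sample telemetry (not real logs): the command line quoted in the
	// write-up, a benign one, and Startup paths shaped like the one it gives.
	cmdlines := []string{
		`"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"`,
		`vssadmin.exe list shadows`,
	}
	paths := []string{
		`C:\Documents and Settings\alice\Start Menu\Programs\Startup\SPORA_ABC123.hta`,
		`C:\Users\alice\Desktop\notes.hta`,
	}
	for _, c := range cmdlines {
		fmt.Printf("%s\n  -> %v\n", c, CheckProcessCommandLine(c))
	}
	for _, p := range paths {
		fmt.Printf("%s\n  -> %v\n", p, CheckStartupPath(p))
	}
}
```

Both checks are written to be fed from process-creation and file-creation telemetry; matching on tokens rather than the literal command line is what keeps the first rule useful when switches are reordered, and the Startup-folder rule catches the exact file name from the write-up while still surfacing any other HTA that lands in an autostart location.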

Next, Spora creates a "flag file" in the Application Data folder. This file is zero (0) bytes in size and lets Spora verify that the machine has already been infected. Once Spora confirms the infection, it uses the HTA script to set up the Polypro proxy service to work with the Tor service:

%Temp%\polypo.exe (MD5: 0780178e6001509c855f0149f8b97135)

[Image: Spora HTA scripting used to create the Tor communication service]

Top Notch "Evil" Encryption of Decryption Keys

Like other ransomware variants, the ultimate goal of Spora is to encrypt important user files on the hard drive(s) so the user can't access them unless they pay the ransom. And, according to malware and security industry experts such as Emsisoft and others, the encryption employed by Spora is top-notch and virtually impossible to defeat or bypass. However, it's not just the files on your system that get encrypted by Spora. The keys used to encrypt your files are encrypted as well.

No Internet Connection Required to Encrypt Files

To the casual observer, the Spora encryption procedure may seem convoluted and anything but straightforward. However, it allows the ransomware to operate without a central command-and-control server during infection, which means Spora can infect a machine that has no Internet connection (once the infected file has been downloaded, of course). It also lets Spora avoid a weakness of other ransomware variants, such as DMA Locker 3, which use the developer's public key to encrypt per-file keys directly; with that approach, a decryptor built for one victim would work for every other victim of the same campaign. Unfortunately, with Spora there is no way to decrypt the files without access to the developer's private key.

How Spora Key Encryption Works

As mentioned above, the process Spora uses to encrypt files on victims' computers is rather lengthy. Here is a breakdown of how Spora methodically secures the keys used to encrypt files on a target machine:

Step 1 - The hard-coded AES-256 key embedded in the HTA file is used to decrypt the master RSA-1024 public key and the ransom message.

Step 2 - Spora creates a session key pair (RSA-1024 key type with flags: RSA1024BIT_KEY | CRYPT_EXPORTABLE), and then exports the new private key.


Step 3 - Spora exports the session RSA-1024 public key and then imports it again.


Step 4 - Spora generates and exports a new session AES-256 key.

Step 5 - Next, Spora encrypts the new session AES-256 key with the master RSA-1024 public key.


Step 6 - Spora then uses the new session AES-256 key to encrypt the session RSA-1024 private key in Base64 format and appends infection data to the end of the block. The infection data in the block includes:

  1. Date
  2. Username
  3. Encryption information and statistics for six file categories based on their file extensions: documents, PDFs, design files, databases, pictures, and archives (i.e., RAR, 7Z, and ZIP).

Note that the new encrypted version does not store country information or a sample ID as part of the infection data.

[Image: encryption of the infection data block]

Update - Unlike previous versions, the newest version of Spora no longer uses a .KEY file to store the encrypted keys. Instead, Spora now stores the two blocks with encrypted keys at the end of every encrypted file.
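To make the dependency chain in Steps 1 through 6 concrete, here is a small Go model of the key hierarchy. It is an added example for this page, not code from the article, from Acronis, or from the malware: the victim side builds a session RSA pair and a session AES-256 key using only the master public key, seals the session private key under the session AES key (Step 6) and the session AES key under the master public key (Step 5), and the only way back is through the master private key. The AES mode (GCM with a prefixed nonce), the 2048-bit key size, the PKCS#1 v1.5 wrapping and the function names are assumptions of the model, not details from the write-up; the per-file key layer is the same wrap again with the session public key and is left out here for brevity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyBlob models the two key blocks the write-up says are appended to every
// encrypted file: the Step 6 block and the Step 5 block.
type KeyBlob struct {
	SealedSessionPriv []byte // session RSA private key, sealed with the session AES-256 key
	SealedSessionAES  []byte // session AES-256 key, sealed with the master RSA public key
}

// NewMasterKey stands in for the operator's master pair; only its public half is ever
// on a victim. The write-up reports RSA-1024; 2048 bits is used here (an assumption)
// so the model runs on toolchains that reject shorter keys.
func NewMasterKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// rnd returns n random bytes; a failing CSPRNG is fatal for a key model, so it panics.
func rnd(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD returns AES-256-GCM for a 32-byte key. The write-up does not name the AES
// mode Spora uses; GCM with the nonce prefixed to the ciphertext is an assumption.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := rnd(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// BuildKeyHierarchy models Steps 2 to 6 on the victim side using only the master public
// key. The session private key (DER) is also returned in the clear solely for verification.
func BuildKeyHierarchy(masterPub *rsa.PublicKey) (*KeyBlob, []byte, error) {
	sessionPriv, err := rsa.GenerateKey(rand.Reader, 2048) // Step 2: session RSA pair
	if err != nil {
		return nil, nil, err
	}
	sessionAES := rnd(32)                                                     // Step 4
	sealedAES, err := rsa.EncryptPKCS1v15(rand.Reader, masterPub, sessionAES) // Step 5
	if err != nil {
		return nil, nil, err
	}
	privDER := x509.MarshalPKCS1PrivateKey(sessionPriv)
	sealedPriv, err := seal(sessionAES, privDER) // Step 6
	if err != nil {
		return nil, nil, err
	}
	return &KeyBlob{SealedSessionPriv: sealedPriv, SealedSessionAES: sealedAES}, privDER, nil
}

// UnwrapSessionKey is the only route back: master private key -> session AES key ->
// session RSA private key (which in turn unwraps the per-file AES keys).
func UnwrapSessionKey(masterPriv *rsa.PrivateKey, b *KeyBlob) ([]byte, error) {
	sessionAES, err := rsa.DecryptPKCS1v15(rand.Reader, masterPriv, b.SealedSessionAES)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(sessionAES)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(b.SealedSessionPriv) < ns {
		return nil, errors.New("sealed block too short")
	}
	return aead.Open(nil, b.SealedSessionPriv[:ns], b.SealedSessionPriv[ns:], nil)
}

func main() {
	master, _ := NewMasterKey()
	blob, want, _ := BuildKeyHierarchy(&master.PublicKey)
	got, err := UnwrapSessionKey(master, blob)
	fmt.Println("session private key recovered with the master private key:", err == nil && string(got) == string(want))
}
```

The victim-side function never sees the master private key, which is why the scheme needs no server contact; and because every infection generates a fresh session pair, nothing recovered from one victim's blob helps another, which is the DMA Locker 3 weakness the write-up contrasts Spora with.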

How Spora Locks Down Your Files

In the previous section, we mentioned that Spora encrypts six categories of files on the victim's computer: documents, PDFs, design files, databases, pictures, and archives. Spora looks for target files on local and removable hard drives, and then proceeds to encrypt all files with the following extensions:

.xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, and .backup

During the encryption process, Spora generates a new AES-256 key for each and every file. The ransomware maps each file into memory and encrypts its first 27648 (6C00h) bytes. Unlike many other ransomware strains and variants, though, Spora does not change the names or extensions of the files it encrypts.


When encrypting the contents of files, Spora also encrypts the AES-256 key for each one with the session RSA-1024 public key (128 bytes). Then, Spora adds the encrypted keys to a 1122-byte encryption footer at the end of each file. The resulting layout of an encrypted file, including the footer data, is:

Size in bytes                            Type of data stored
---------------------------------------  ------------------------------------------------------------------
Calculated from the size of each file    The file contents encrypted with an AES-256 file key
-                                        The original file content
864                                      The encryption block, sealed with the session AES-256 key, that contains the session RSA-1024 private key and infection information details
128                                      The session AES-256 key encrypted with the master RSA public key
2                                        The size of the two previous blocks (992 bytes)
128                                      The AES-256 file key encrypted with the session RSA-1024 public key

[Image: an example of an encryption footer generated by Spora]

How Spora Calculates the Encrypted Block

Spora calculates the encrypted block for each file as follows:

Step 1 - First, Spora obtains the original file size.

Step 2 - Spora compares the file size to 2048 bytes. If the file is smaller, Spora sets the FILE_ATTRIBUTE_READONLY attribute on it and does not encrypt it. If the file is larger than 2048 bytes, Spora determines which of the following size thresholds it falls under (1Gb, 100Mb, 10Mb, 1Mb, 100Kb, or 10Kb) and then applies the formula for that bracket to calculate the size of the data to be encrypted.


Here's an illustration of how Spora calculates the size of data to be encrypted for a file with an original file size of 4946 bytes (which falls beneath the 10Kb threshold).


The formula used to calculate the size of the encrypted data is as follows (the division is integer division):

S(enc) = ((((S(file) / 100) >> 2) * 18 + 512) >> 4) << 4

For the 4946-byte example:

S(enc) = ((((4946 / 100) >> 2) * 18 + 512) >> 4) << 4 = 720 (2D0h)
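The footer layout table and the size formula above can both be checked mechanically. The following Go is an added example for this page (not from the article or from Acronis): it parses the last 1122 bytes of a file into the four footer fields, validates the 2-byte size field, and applies the under-10Kb formula to the original file size, returning an error for the brackets whose formulas the write-up does not print. The sample "file" is constructed filler; the little-endian byte order of the size field, 10*1024 bytes as the 10Kb boundary, treating exactly 2048 bytes as encrypted, and all function names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Field sizes from the footer layout in the write-up; they add up to 1122 bytes.
const (
	keyBlockLen    = 864  // session RSA-1024 private key + infection info, AES-sealed
	sessionKeyLen  = 128  // session AES-256 key, sealed with the master RSA public key
	sizeFieldLen   = 2    // size of the two blocks above, i.e. 992
	fileKeyLen     = 128  // per-file AES-256 key, sealed with the session RSA-1024 public key
	sizeFieldOff   = keyBlockLen + sessionKeyLen
	FooterLen      = sizeFieldOff + sizeFieldLen + fileKeyLen
	minEncryptSize = 2048 // smaller files are set read-only and left unencrypted
)

// Footer is the parsed trailer Spora appends to every file it encrypts.
type Footer struct {
	SealedKeyBlock   []byte
	SealedSessionKey []byte
	BlockSize        uint16
	SealedFileKey    []byte
}

// ParseFooter splits the last FooterLen bytes of a file into its fields and checks
// the 2-byte size field. The write-up does not state that field's byte order;
// little-endian (x86 native) is assumed here.
func ParseFooter(data []byte) (*Footer, error) {
	if len(data) < FooterLen {
		return nil, errors.New("file is shorter than a Spora footer")
	}
	f := data[len(data)-FooterLen:]
	ft := &Footer{
		SealedKeyBlock:   f[:keyBlockLen],
		SealedSessionKey: f[keyBlockLen:sizeFieldOff],
		BlockSize:        binary.LittleEndian.Uint16(f[sizeFieldOff:]),
		SealedFileKey:    f[sizeFieldOff+sizeFieldLen:],
	}
	if int(ft.BlockSize) != sizeFieldOff {
		return nil, fmt.Errorf("size field is %d, expected %d", ft.BlockSize, sizeFieldOff)
	}
	return ft, nil
}

// LooksLikeSporaFooter is the cheap triage check: long enough, and the size field
// reads 992. Treat a hit as a reason to look closer, not as proof of infection.
func LooksLikeSporaFooter(data []byte) bool {
	_, err := ParseFooter(data)
	return err == nil
}

// EncryptedPrefixLen applies the write-up's formula for files under 10Kb (taken here
// as 10*1024 bytes) to the original size, i.e. the size before the footer was added.
// The write-up says larger brackets use their own formulas but does not print them,
// so those sizes return an error rather than a guess.
func EncryptedPrefixLen(originalSize int) (int, error) {
	if originalSize < minEncryptSize {
		return 0, nil // Step 2: set FILE_ATTRIBUTE_READONLY, not encrypted
	}
	if originalSize >= 10*1024 {
		return 0, errors.New("formula for this size bracket is not given in the write-up")
	}
	return ((((originalSize / 100) >> 2) * 18 + 512) >> 4) << 4, nil
}

// ConstructedSample builds a synthetic 4946-byte "file" with a well-formed footer so
// the functions above can run offline. The bytes are filler, not real ciphertext.
func ConstructedSample() []byte {
	data := make([]byte, 4946+FooterLen)
	for i := range data {
		data[i] = byte(i)
	}
	binary.LittleEndian.PutUint16(data[len(data)-FooterLen+sizeFieldOff:], 992)
	return data
}

func main() {
	data := ConstructedSample()
	ft, err := ParseFooter(data)
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	n, _ := EncryptedPrefixLen(len(data) - FooterLen)
	fmt.Printf("size field %d; encrypted prefix for a 4946-byte file: %d bytes\n", ft.BlockSize, n)
}
```

For the constructed 4946-byte sample the formula yields 720 bytes, matching the worked value above, and the size-field check rejects a footer whose 2-byte field does not read 992, which is the simplest way to separate a Spora-style trailer from arbitrary data that merely happens to be long enough.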

The Ransom Note and Decryption Options

After encrypting the files on your computer, Spora starts the notification process (the part where you actually find out that your files have been encrypted and locked). This begins with Spora starting the Tor service and passing along a few details about your machine's infection.


Spora then creates the ransom note and stores a copy of it in each folder that contains encrypted files. The ransom note file uses the following naming convention:

SPORA_<Sample ID>.hta

The ransom note is also available on the Tor network at http://5pr6hirtlfan3j76.onion/

Note that presently the ransom note screen is displayed in Russian. However, this could change at any time.

[Images: the ransom note screen in Russian, and the same screen translated to English]

As you can see from the English translation of the ransom note screen, the ransomware requests that you select an encrypted file from your computer to upload to start the decryption process. After you upload a file encrypted by Spora from your system, the service will display the ransom amount (again in Russian):

[Image: the second ransom note screen, in Russian]

Here's a rough translation of the second ransom note screen from Russian to English (translation from the Acronis Security team's blog).

English Translation:

Your files have been blocked

SPORA RANSOMWARE

To restore all the information, you need to pay 90 USD.

Why do you have to pay for something?

- You or your company has insufficient level of computer security

For you, a personal toolbox has been created, where you can:

- Receive your guarantee (test file recovery)

- Get advice and support in case of problems

- Chat with other users in the general chat

Your data were encrypted using the RSA cryptographic algorithm. It cannot be hac
ked or guessed in the near foreseeable future.

For each user, a unique key is generated, which is suitable only for your files, which means that you will not be able to use the key of another user.

Thinking about getting help from somebody else, at best, they will buy the key from us and resell to you with a profit.

Payment term: 4 days. After that, the price will be increased to: $121

When you pay, the system will automatically issue a key and a program for recovery.


Even After the Update, Spora is Still No Match for Acronis True Image

According to VirusTotal, only 23 of 63 leading anti-malware engines detected and blocked the new strain of Spora. Many who follow security trends attribute the dismal detection numbers to the fact that the new variant uses polymorphic encryption and automatically creates new copies of itself (to facilitate spreading and add code obfuscation). Additionally, the new version of Spora carries a slightly different payload than previous releases. Even with all these changes, though, Acronis True Image detects Spora (and other ransomware) and stops it in its tracks!

Acronis True Image is not only the best backup software for your computers and mobile devices, but it also provides some of the most effective ransomware protection available from any application or utility. With Acronis Active Protection, Acronis True Image detects and blocks Spora before it is able to encrypt your files or spread to other systems on your network. And, if by some small chance, Spora is able to access some of your files, Acronis Active Protection automatically restores them using the latest backup versions created with Acronis True Image and stores the modified copies with .ENCTYPTED file extensions for further evaluation if needed.

Take a look at how Acronis True Image defeats Spora ransomware with ease:

Step 1 - Acronis Active Protection detects Spora ransomware on your system.


Step 2 - Next, Acronis Active Protection blocks the Spora ransomware.


Step 3 - Acronis Active Protection recovers any affected files.


Note - If for some reason, you turn off Acronis Active Protection (not recommended) and are infected by Spora, Acronis True Image is still the alternative to paying expensive ransoms. With Acronis True Image, you can create complete system backups you can use to restore your system even if you lose all of your files to ransomware or another data disaster.

Summary

  • Spora's encryption and decryption schemes have changed somewhat. Spora no longer uses a .KEY file and now stores encrypted keys in the file footers of encrypted files.
  • It is still not possible to decrypt affected files without paying the ransom.
  • Decryption service was moved from the Spora.bz domain to the Tor network.
  • Spora uses an HTA script to install the Tor communication service and Polypro proxy used by the decryption application.
  • Country and sample ID data are no longer used to identify victims with the decryption service.
  • The latest variant targets only Russian-speaking users (so far). Previous versions displayed the UI and ransom note screens in English.
  • Acronis True Image and Acronis Active Protection are still the best way to safeguard your valuable data against Spora and other ransomware variants.
Published Wednesday, August 16, 2017 7:28 AM by David Marshall