A newly spotted piece of ransomware allows users not only pay to recover their encrypted files, but also for immunity from future attacks, Emsisoft security researchers warn.
Dubbed Spora, the new threat appears to be the work of professionals, courtesy of well-implemented encryption procedures, a well-designed payment site, and the availability of several “packages” that victims can pay for. Those hit by the malware can choose to recover files only or pay to remove the malware and gain immunity from future attacks.
For distribution, the ransomware uses spam emails that pretend to be invoices. These messages contain a ZIP attachment with an HTA (HTML Application) file inside, masquerading as a PDF or DOC. When run, the file extracts a JScript file in the %TEMP% folder, writes an encoded script into it, and then executes the file.
The ransomware leverages Windows CryptoAPI for encryption, and uses a mix of RSA and AES in the process, Emsisoft reveals. The malware uses a public RSA key embedded inside the executable, then creates a new 1024 bit RSA key pair, which consists of both a private and public key, and then will encrypt this using a newly generated 256 bit AES key. This key is then encrypted using the original public RSA key, and the encrypted keys along with some additional information are saved inside a .KEY file.
“To encrypt a document or file on the system, Spora will first generate a new 256 bit per-file AES key. This per-file key serves to encrypt up to the first 5 MB of the file. Once done, the malware will encrypt the per-file key using the victim’s public RSA key and the RSA-encrypted per-file key is appended to the encrypted file,” Emsisoft notes.
Because of this complex operation, the ransomware can perform the encryption without a command and control (C&C) server connection. Moreover, the malware’s encryption process is strong enough to ensure that a decryption tool developed for one victim won’t work for another. This also means that security researchers analyzing the threat can’t yet help victims restore their files for free, at least not as long as they don’t have access to the malware author’s private key.
In addition to using a well-designed encryption procedure, the ransomware also comes with a unique pricing model to determine how much a victim has to pay, the security researchers warn. The aforementioned .KEY file contains information such as the infection date, the username of the victim, and the locale of the infected system. A hard-coded identifier believed to be used as a campaign ID is also included in the file, which suggests that the threat is sold as a ransomware-as-a-service.
By creating statistics of the targets to encrypt and saving them to the .KEY file as part of a set of six numeric values, the malware can also determine the ransom amount. The tactic was previously associated with targeted attacks via RDP (Remote Desktop Protocol), but Spora fully automates it. The aforementioned statistics are also included in the user ID that the victim is asked to send to the attackers when accessing the payment portal.
The ID usually contains five five-character blocks, separated by a hyphen. “If the last block doesn’t add up to 5 characters, it is padded with Y-characters. Based on this, it is possible to track the number of files encrypted by Spora based on the ID alone. We are currently working together with help platforms like ID Ransomware and No More Ransom in an attempt to gather statistics based on the identifiers contained in uploaded ransom notes,” the security researchers explain.
The ransomware encrypts both local files and network shares and doesn’t append an extension to them. What’s more, the threat skips files located in specific directories, so as to ensure that the infected machine continues to run. After encryption, the malware drops “a nicely designed HTML-based ransom note” and a .KEY file, which the victim is required to send to the attackers for decryption.