Ransomware has been a growing threat, with new families cropping up every week. Emsisoft researchers are often involved in the discovery and analysis of new threats, and this ransomware is no different. Originally spotted on ID-Ransomware earlier today, it caught our attention due to a few unique features and the high level of professionalism in both implementation and presentation. We will not only go through the inner workings of Spora, but we will highlight its sophisticated commercial model and how you can keep yourself protected from this latest family of ransomware.
Meet Spora
Spora is written in C and is packed using the UPX executable packer. Unlike most ransomware families, Spora doesn’t rename files it encrypts, so there are no specific file extensions associated with it. When infecting a system, it drops a nicely designed HTML-based ransom note and a .KEY file. The base name of both files is identical to the user ID the ransomware assigns to each user. The ransom note is written in Russian:
How does a user get infected with Spora ransomware?
At present Spora is targeting mainly Russian users via emails pretending to be an invoice from 1C, an accounting software package popular in Russia and many former USSR countries. The file name currently seen is “Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta”, which translates to “Scan-copy _ 10 Jan 2017. Written and signed by the chief accountant. Exported from 1C.a01e743_pdf.hta”. It uses a double extension in an attempt to trick the user into believing this is just another PDF invoice, when in fact it is an HTA file.
HTA files are so-called HTML applications. The idea of an HTML application is to essentially allow anyone to write desktop applications in HTML and various scripting languages. Think of your browser, but without the security mechanisms that prevent a website from changing anything on your system. The two scripting languages supported by HTML applications on Windows are JScript and VBScript, both of which are used in Spora.
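As an added example (this is not code from the original post, from Emsisoft or from Spora itself), the following Go program checks a file name for the two tricks described above: an executable final extension such as .hta sitting behind a token that reads as a document type, and Cyrillic letters that render like Latin ones inside that token. The sample name is constructed after the quoted pattern, with the "р" in "рdf" deliberately being the Cyrillic letter U+0440 rather than the Latin "p"; the extension lists and the homoglyph table are partial and are this example's own.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"unicode"
)

// Findings records why a file name looks like a script disguised as a document.
type Findings struct {
	ScriptExtension string // final extension Windows would execute, e.g. ".hta"
	FakeDocumentExt string // earlier token that reads as a document type, e.g. "pdf"
	Homoglyphs      bool   // that token used Cyrillic look-alikes for Latin letters
	MixedScript     bool   // some token mixes Latin and Cyrillic letters
}

// Extensions Windows treats as executable content (partial list, this example's own).
var scriptExts = map[string]bool{".hta": true, ".js": true, ".jse": true, ".vbs": true,
	".vbe": true, ".wsf": true, ".exe": true, ".scr": true}

// Document types a lure would imitate (partial list, this example's own).
var documentExts = map[string]bool{"pdf": true, "doc": true, "docx": true, "xls": true,
	"xlsx": true, "txt": true, "jpg": true}

// Cyrillic letters that render like Latin ones (partial table, this example's own).
var homoglyphs = map[rune]rune{'а': 'a', 'с': 'c', 'е': 'e', 'о': 'o', 'р': 'p',
	'х': 'x', 'у': 'y', 'к': 'k', 'і': 'i', 'ј': 'j', 'ѕ': 's'}

// normalize lower-cases a token and maps Cyrillic look-alikes to Latin; the
// second result says whether any look-alike was replaced.
func normalize(token string) (string, bool) {
	var b strings.Builder
	changed := false
	for _, r := range strings.ToLower(token) {
		if latin, ok := homoglyphs[r]; ok {
			r, changed = latin, true
		}
		b.WriteRune(r)
	}
	return b.String(), changed
}

// mixedScript reports whether one token contains both Latin and Cyrillic letters.
func mixedScript(token string) bool {
	latin, cyrillic := false, false
	for _, r := range token {
		latin = latin || unicode.Is(unicode.Latin, r)
		cyrillic = cyrillic || unicode.Is(unicode.Cyrillic, r)
	}
	return latin && cyrillic
}

// Analyze inspects a file name (or Windows path) for the double-extension and look-alike tricks.
func Analyze(name string) Findings {
	var f Findings
	base := path.Base(strings.ReplaceAll(name, `\`, "/"))
	ext := path.Ext(base)
	if !scriptExts[strings.ToLower(ext)] {
		return f // final extension is not executable: nothing to flag here
	}
	f.ScriptExtension = strings.ToLower(ext)
	stem := strings.TrimSuffix(base, ext)
	// Split the rest on anything that is not a letter or digit: "a01e743_рdf" -> "a01e743", "рdf".
	tokens := strings.FieldsFunc(stem, func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) })
	for _, tok := range tokens {
		if mixedScript(tok) {
			f.MixedScript = true
		}
		if norm, changed := normalize(tok); documentExts[norm] {
			f.FakeDocumentExt = norm
			f.Homoglyphs = f.Homoglyphs || changed
		}
	}
	return f
}

// SampleName is constructed after the pattern quoted above; the "р" in "рdf"
// is the Cyrillic letter U+0440, not the Latin "p".
const SampleName = "Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_\u0440df.hta"

func main() {
	for _, n := range []string{SampleName, "invoice.pdf.js", "report.pdf"} {
		fmt.Printf("%q -> %+v\n", n, Analyze(n))
	}
}
```

A mail gateway or EDR rule built on this logic flags the sample on all four counts (executable .hta, a "pdf" token in front of it, a Cyrillic look-alike inside that token, and a mixed-script token), flags a plain `invoice.pdf.js` on the first two, and leaves `report.pdf` alone.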
When the user double-clicks the HTA file, it creates a new file in %TEMP% called close.js and writes an encoded script into that file. Last, but not least, the JScript file is executed.
Spora key generation and encryption
Spora uses a mix of RSA and AES to encrypt the victim’s data. To facilitate encryption on a system, the Windows CryptoAPI is used. When Spora arrives on a system, it will first find and decrypt the malware author’s public RSA key embedded inside the malware executable using a hard-coded AES key. Once the malware author’s public RSA key has been successfully imported, the malware continues by creating a new 1024-bit RSA key pair, which we will call the victim’s RSA key pair, consisting of both a private and a public key. It will also generate a new 256-bit AES key with which to encrypt the victim’s private RSA key. Once the victim’s private RSA key is encrypted, the AES key used is then encrypted using the malware author’s public RSA key. The encrypted key material, together with some additional information, is then saved inside the .KEY file.
To encrypt a document or file on the system, Spora will first generate a new 256-bit per-file AES key. This per-file key is used to encrypt up to the first 5 MB of the file. Once done, the malware encrypts the per-file key using the victim’s public RSA key and appends the RSA-encrypted per-file key to the encrypted file.
This procedure may look convoluted at first, but it essentially allows the malware author to operate without a command-and-control server that the malware would have to talk to during infection and that could be taken down. This means that Spora can encrypt without an internet connection. It also works around weaknesses in other ransomware families like DMA Locker 3, where the malware author’s public key was used to encrypt the per-file keys directly, so that the decrypter for one victim worked for all other victims of the same campaign.
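To make the recovery dependencies described in the three paragraphs above concrete, here is an added Go model of the key hierarchy; it is example code written for this page, not Spora's code and not Emsisoft's. It keeps everything in memory and uses only the Go standard library: a per-victim RSA key pair whose private half is AES-wrapped, that AES key RSA-wrapped with the author's public key, and per-file AES keys RSA-wrapped with the victim's public key. The AES mode (AES-256-GCM with a prefixed nonce), OAEP padding, PKCS#1 encoding of the private key and the struct and field names are this model's assumptions; the page does not state them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// KeyFile models the .KEY file (victim private RSA key wrapped with a 256-bit AES key; that
// AES key wrapped with the author's public RSA key); EncryptedFile models one encrypted document.
type KeyFile struct{ WrappedVictimPriv, WrappedAESKey []byte }
type EncryptedFile struct{ Ciphertext, WrappedFileKey []byte }

func must(err error) {
	if err != nil {
		panic(err)
	}
}
func gcmFor(key []byte) cipher.AEAD { // AES-256-GCM: the page only says "AES", the mode is this model's choice
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}
func aesSeal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce is prefixed to the ciphertext
}
func aesOpen(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short")
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	must(err)
	return b
}
func rsaWrap(pub *rsa.PublicKey, key []byte) []byte {
	out, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	must(err)
	return out
}

// NewVictim models key generation at infection time: only the victim's public
// key and the KeyFile are kept; the plaintext private key is discarded.
func NewVictim(authorPub *rsa.PublicKey) (*rsa.PublicKey, *KeyFile) {
	victim, err := rsa.GenerateKey(rand.Reader, 1024) // 1024-bit, as the page states
	must(err)
	aesKey := randBytes(32) // 256-bit AES key, as the page states
	wrappedPriv := aesSeal(aesKey, x509.MarshalPKCS1PrivateKey(victim))
	return &victim.PublicKey, &KeyFile{wrappedPriv, rsaWrap(authorPub, aesKey)}
}

// EncryptDocument models per-file encryption with a fresh 256-bit key.
func EncryptDocument(victimPub *rsa.PublicKey, data []byte) *EncryptedFile {
	fileKey := randBytes(32)
	return &EncryptedFile{aesSeal(fileKey, data), rsaWrap(victimPub, fileKey)}
}

// RecoverVictimKey is the step only the author's private key can perform.
func RecoverVictimKey(authorPriv *rsa.PrivateKey, kf *KeyFile) (*rsa.PrivateKey, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, authorPriv, kf.WrappedAESKey, nil)
	if err != nil {
		return nil, err
	}
	der, err := aesOpen(aesKey, kf.WrappedVictimPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// DecryptDocument needs the victim's private key to unwrap the per-file key.
func DecryptDocument(victimPriv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, victimPriv, ef.WrappedFileKey, nil)
	if err != nil {
		return nil, err
	}
	return aesOpen(fileKey, ef.Ciphertext)
}

func main() {
	author, err := rsa.GenerateKey(rand.Reader, 1024)
	must(err)
	victimPub, keyFile := NewVictim(&author.PublicKey)
	enc := EncryptDocument(victimPub, []byte("constructed sample document"))
	victimPriv, err := RecoverVictimKey(author, keyFile) // the step only the author can do
	must(err)
	fmt.Println(DecryptDocument(victimPriv, enc)) // prints the plaintext bytes and <nil>
}
```

The model makes the point of the DMA Locker 3 comparison testable: a document comes back only after `RecoverVictimKey` succeeds with the author's private key, while the private key recovered for a second victim does not unwrap the first victim's per-file keys, and any key pair other than the author's fails at the first unwrap. Every unwrap step sits behind the author's key, which is why the page concludes that files cannot be restored without it.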
Unfortunately, after evaluating the way Spora performs its encryption, there is no way to restore encrypted files without access to the malware author’s private key.
Hashes:
MD5: 37477dec05d8ae50aa5204559c81bde3