
Spora Ransomware Targeting Unsuspecting South Africans With its ‘User Friendly’ System

13th June 2017

Over the past year, ‘ransomware’ has entered the corporate lexicon, with cybercriminals effectively leveraging this approach to exploit vulnerable businesses and individuals.

Ransomware is a truly insidious type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. It has become the most common form of malware, with both amateur and professional cybercriminals devising new forms of it. The latest ransomware to emerge, called Spora, is undoubtedly the work of professionals – and presents a major threat to South African businesses and home users.

Notably, Spora is unlike any other ransomware in terms of how victims are forced to pay the ransom. Added to this, Spora has the ability to attack users when they are offline. There are other forms of ransomware that can do this – such as DMA Locker 3.0, Cerber, and some newer editions of Locky. Yet unlike these ransomware ‘cousins’, Spora has a set of unique features that make it particularly dangerous.

So how does it work?

Once your system has been infected, Spora will add a ransom note to your desktop and automatically open it. The note contains simple instructions and an infection ID, specific to each victim.

From there, you will be guided to the Spora site. Once you have accessed it, you will need to enter the infection ID presented in the ransom note.

Worryingly, Spora’s decryption service is unlike anything seen on other ransomware decryption sites.

For example, before using this site, users have to “synchronize” their computer with the decryption portal by uploading the .KEY file (the file that infected their PC in the first place).

By synchronizing the key file, unique information about the encryption of the computer is then uploaded to the payment site and associated with the victim’s unique ID. Victims can now use the rest of the options available on the site. Everything on this portal is neatly arranged as a website dashboard, complete with helpful tips that appear when hovering over certain options! It is a very modular and accessible layout.

Another differentiating aspect of this ransomware is the range of purchases that can be made depending on the particular needs of the victim. These options, organized under a section named “My Purchases”, allow users to:

  • Decrypt their files (currently $79)
  • Buy immunity from future Spora infections (currently $50)
  • Remove all Spora-related files after paying the ransom (currently $20)
  • Restore a file (currently $30)
  • Restore two files for free

This neat and accessible setup mirrors a traditional e-commerce site payment section, with the various payment options clearly displayed for each user. The site even has an SSL certificate (a certificate that verifies the security of the site)!

As always, both awareness and education are key elements in the fight against ransomware such as Spora. Businesses and individuals should learn to identify the warning signs, and always remain vigilant when using their devices both at home and at work!
