This ransomware encrypts files offline and uses a new payment scheme.
Dubbed Spora, this ransomware delivers a deadly punch by combining strong offline file encryption with an ingenious ransom payment model.
As of this writing, the attackers have been targeting Russian-speaking users. However, they have provisioned an English version of their decryption portal, which suggests that they plan to expand their operations and attacks to other countries in the near future.
Most ransomware needs a command-and-control (CnC) server in order to give each victim a unique decryption key.
This is where Spora is totally different: it can encrypt without a CnC server.
Ransomware programs normally generate an AES (Advanced Encryption Standard) key for every file they encrypt and protect those AES keys with an RSA public key obtained from a CnC server.
Files can only be unlocked with the RSA private key that matches that public key.
Most ransomware programs contact a command-and-control server after they’re installed on a computer and request the generation of an RSA key pair. The public key is downloaded to the computer, but the private key never leaves the server and remains in the attackers’ possession. This is the key that victims pay to get access to.
This is a weak point for attackers: if security companies flag the server and a firewall blocks the connection, the encryption process never starts and the attack fails.
Some ransomware programs have been designed to encrypt offline, but they hard-code the public key into the malware. Because every victim's files are tied to the same key pair, once that key is recovered a decryption tool can be built that works for all victims of that ransomware.
Here is where the Spora developers have the upper hand. Security firm Emsisoft analyzed the program's encryption routine and found that its authors have solved the hard-coded key problem.
Spora does carry a hard-coded RSA public key, but it uses it only to encrypt a unique AES key that is generated locally on every computer it infects. That AES key is then used to encrypt the private key of a public-private RSA key pair that is also generated locally and is unique to every victim. Finally, the victim's public RSA key is used to encrypt the per-file AES keys that encrypt the individual files.
In other words, the Spora creators have added a second round of AES and RSA encryption to what other ransomware programs have been doing until now.
Here is how the ransom gets paid. The victim needs to upload their encrypted AES keys to the attackers’ payment portal. The attackers then use their master RSA private key to decrypt everything and return the result to the victim, most likely in the form of a personalized decryptor.
This is how Spora can operate without the need for a CnC server. It also avoids the release of a master decryption tool.
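To make the chain concrete, here is an added Go model of the scheme described above; it is not code from the article or from Emsisoft's analysis, and it assumes RSA-OAEP and AES-GCM as the wrapping modes, which the article does not specify. `EncryptOffline` runs with nothing but the master public key, and `RecoverWithMaster` shows why the uploaded blob is useful only to whoever holds the master private key, which is why no generic decryptor can be built from the binary alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)
var MasterPriv, _ = rsa.GenerateKey(rand.Reader, 2048) // stand-in for the attackers' pair; only its public half ships in the binary
// Blob is what the victim uploads to the payment portal; every field is opaque without MasterPriv.
type Blob struct {
	WrappedMachineAES []byte // per-machine AES key, RSA-OAEP under the hard-coded master public key
	EncMachinePriv    []byte // per-machine RSA private key (PKCS#1 DER), AES-GCM under the machine AES key
	WrappedFileKey    []byte // per-file AES key, RSA-OAEP under the per-machine RSA public key
	Ciphertext        []byte // the file itself, AES-GCM under the per-file key (nonce prepended)
}

// gcm seals data under a 32-byte key with a fresh prepended nonce, or with unseal=true reverses that.
func gcm(key, data []byte, unseal bool) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if unseal {
		out, _ := g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
		return out
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, data, nil)
}
// EncryptOffline is the victim-side chain: it uses only the master public key, so no server contact is needed.
func EncryptOffline(masterPub *rsa.PublicKey, file []byte) Blob {
	machineAES, fileKey := make([]byte, 32), make([]byte, 32)
	rand.Read(machineAES)
	rand.Read(fileKey)
	machineRSA, _ := rsa.GenerateKey(rand.Reader, 2048) // unique per infected computer
	wrappedMachine, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, masterPub, machineAES, nil)
	wrappedFile, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &machineRSA.PublicKey, fileKey, nil)
	return Blob{wrappedMachine, gcm(machineAES, x509.MarshalPKCS1PrivateKey(machineRSA), false),
		wrappedFile, gcm(fileKey, file, false)}
}

// RecoverWithMaster is the portal side: only the master private key unwinds the chain, layer by layer.
func RecoverWithMaster(masterPriv *rsa.PrivateKey, b Blob) []byte {
	machineAES, _ := rsa.DecryptOAEP(sha256.New(), nil, masterPriv, b.WrappedMachineAES, nil)
	machineRSA, _ := x509.ParsePKCS1PrivateKey(gcm(machineAES, b.EncMachinePriv, true))
	fileKey, _ := rsa.DecryptOAEP(sha256.New(), nil, machineRSA, b.WrappedFileKey, nil)
	return gcm(fileKey, b.Ciphertext, true)
}
```

Nothing in `Blob` can be reversed by an analyst who only has the binary: the hard-coded key is the public half, and the per-victim keys it protects never exist in the clear anywhere but the victim's memory.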
The Emsisoft researchers said in a blog post: “Unfortunately, after evaluating the way Spora performs its encryption, there is no way to restore encrypted files without access to the malware author’s private key.”
Spora's ransom demands also set it apart. Its creators have implemented a system that lets them ask different ransoms from different types of victims.
The encrypted key files that victims upload to the attackers’ payment portal also contain information the malware collected about the infected computer, including a unique campaign ID that identifies which attack campaign produced the infection.
Put simply, different campaigns go after different kinds of victims: one campaign can be tailored to businesses, another to home users, and so on. The campaign ID tells the attackers which campaign a victim belongs to when they come to use the decryption service, and it lets them adjust the ransom amount automatically based on whether the victim is a consumer or an organization, or on the region the campaign targeted.
The Spora developers also offer separately priced “services”: “immunity”, which promises that the malware will not infect the computer again, “removal”, which removes the program after decryption, and a bundle of all of them at a lower combined price.
The payments website itself is well designed and looks professional. It has an integrated live chat feature and the possibility of getting discounts. From what the Emsisoft researchers observed, the attackers respond promptly to messages.
All of this points to Spora being a very professional and well-funded operation. The ransom values observed so far are lower than those asked by other gangs, which could indicate that the group behind this threat wants to establish itself quickly.