Spora virus - How to remove?
January slowly rolled onto its other side like a giant bear in a deep sleep when security researchers detected one of the most complicated ransomware samples in 2017 so far. Spora crypto-virus is a vicious infection, clearly constructed by professionals that put their efforts and sweat into this project. It is distributed via malicious spam letter campaigns that mostly reach Russian-speaking users: they are the targeted victims to receive this sample. Even though it exploits the same strategy as many other preceding members of the ransomware category, the virus stands out with its complex encryption process and a cleverly designed payment/decryption website. Additionally, it is different from others since it does not scrape off old or append new extensions to the executables it encodes with algorithms. Every infected victim is marked with an ID number which has to be used in the Spora.bz website to log into it. Maybe the hackers assumed that constructing a more unconventional domain for payment/decryption would mean bigger chances in receiving the demanded sums of money. The ID number you type into the login field will automatically read details about your infection: most important thing is the number of files that get encrypted. For more information, continue on reading this article.
More useful details about Spora virus and its uniqueness
In our experience and long years of producing articles about cyber infections, we have faced many infections. Nowadays, any wannabe-hacker can construct an uncomplicated ransomware infection, using open source codes. However, every once in a while, committed programmers design masterpieces that are painful to look at due to their complexity. Spora ransomware is definitely one of those infections that come with a BANG, showing security researchers that they will have to address it efficiently in order to find a cure. This infection is spread in email letters, appended with executables that are going to begin processes of Spora after being launched. Surprisingly, the ransomware does not target many files, but sticks with the most popular types that are present in every computer. Indeed, why bother targeting hundreds of file types when popular oned are the most present in devices? Spora virus will attempt to affect Word documents, PDF files, photos, ZIP and RAR files and etc. The .KEY file implements extremely complex encryption process. We are not going to go into much detail. Nevertheless, we should mention that a combination of RSA and AES algorithms for encryption are exploited in this process to make sure that security researchers would have very little chance in creating a free decryptor. Spora virus also destroys all Shadow Volume copies to diminish the possibility of file-recovery even more.
It was discovered that the ransomware operates with three executables. At first, after being ran, it places close.js file in, presumably, Temp folder. After that, this file is joined by an additional executable, responsible for a successful encryption process. It does not have a specific title and can be created differently for every victim. The third file that can be assigned to Spora virus is a .docx type of excutable which will trigger a message, suggesting that “Word cannot open the file because the file format does not match the file extension.”.
We have already mentioned that the payment/decrytion website of Spora virus is a little different. Infected victims have to enter their ID numbers in order to access the full version of the website. This means that if you have not been compromised with Spora, you won’t be invited to its party-site. However, typing in the ID combination won’t be enough: you will also have to add the .KEY file into the website. Only then the website will be able to generate prices for decryption, depending on the number of files that have been encoded. In addition to offering file-decryption and full restoration of the system, hackers are definitely squeezing everything from this opportunity. People can buy immunity from other ransomware infections that are going to be created by these vile programmers. This indicates that they plan to generate additional ransomware viruses in the future. In the following photo, you can see an example of a malicious letter (in English).
Such a complicated strategy for encryption: is there any chance to beat Spora virus?
Knowing the way that Spora virus chooses to encrypt its victims’ files, it is pretty difficult to state whether a free file-recovery tool is going to be released very soon. Complicated samples like this might require more analysis if a decryptor is there to be released. We advise you to remain calm and rational: do not get tricked into paying the hackers for decryption. However, you should restore 2 files for free: this can help security researchers generate a free tool. Even though this virus targets mainly Russian-speakings users for the time being, we can see it quickly jumping into other streams when the time is right. If you fishing for advises, we can indicate two most helpful methods to become immune to ransomware: store your files in backup storages or keep them in other secure locations. If you get infected, you won’t have to worry about file-recovery since you will be able to retrieve them from another source.
Tactics that Spora virus can exploit to reach computer devices
Creators of Spora ransomware send email letters to random people with infectious attachments. You run the appended file, you will allow virus to begin its dirty work. For this reason, you should always keep your inboxes clean from spam. Nevertheless, sometimes it is extremely difficult to draw a line between a reliable message and a straight-up scam. We recommend never opening letters from unfamiliar sources. Open attachments only after you have made sure that it is safe to do so.
Since Spora virus deletes Shadow Volume copies and uses other tricks to complicate file-decryption, we have little to offer in this field. However, you should eliminate the ransomware as soon as possible. Reimage, Spyhunter or Malwarebytes can help you during this process.
Update of the 24 of January, 2017. Just as we predicted, it did not take too long for this ransomware infection to target people from different locations than their primary selection. At first, people from Russia were the main recipients of malicious spam letters. Now, people from various countries have potential of becoming victims of Spora virus. In addition to that, Spora has been noticed to be transmitted by a server that spreads such ransomware-giants like Cerber and Locky. This cannot end well: please be extremely cautious since it is yet unknown which countries are going to be added to the list of targets.
Update of the 6th of February, 2017. Security experts noticed that Spora virus incorporated a new strategy for its distribution. Now, it is spread via Google Chrome, when users are requested to update their browser. EITest Chrome Font Update is the window that is presumably going to be introduced, but users should not agree to install it.
Update of the 20th of March, 2017. Thanks to analysis by security researchers, it is now much easier to recognize Spora infection. Furthermore, it appears that a new website has been incorporated by this variant: Torifyme.com.
How to recover Spora virus encrypted files and remove the virus
Using System Restore to restore PC to previous state
1. Reboot your computer to Safe Mode with Command Prompt
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Spora ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
3. Complete removal of Spora virus
4. Restore Spora virus affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Spora ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties>Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
5. Use Data Recovery programs to recover Spora virus encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.