Spora virus - How to remove

Spora ransomware virus (1) was one of the novel infections that modified the common hassle of transmitting .zip files that possessed HTA file, managing to run an executable of JavaScript VBScript. According to the reports from June, Spora has adopted a more evasive strategy, skillful enough to remain undetected by anti-virus tools and other malware-hunting protectors (2). Recent tactic hopes to trick people into downloading the same HTA file, but more deceptive than usual. A the beginning of this new exploration, people from Russian-speaking countries were the main targets.

Few months after it took its first steps, some security researchers had indicated Spora crypto-infection to become one of the most frightening and sophisticated encoding-malware samples (3). In the more up-to-date campaign of distribution, this ransomware aimed to convince people that extracting .zip files was a wise idea. Since most operating systems refuse to be set to display extension on demand, users are not introduced with the actual content that is going to be zipped.

After the first time that this virus stumbled upon our radar, high-competence was evident when it came to the way ransomware proceeded. It was designed in C and with UPX executable packer; the Spora computer virus arrived in email letters that attachment, named in the Russian language (4). This once again proves that Russian speaking countries were the main target of this infection. Another one very unusual feature was that the malware sample had its way of averting the obstacles that arise when a ransomware has to work offline (5).

More useful details about Spora virus and its uniqueness

Spora ransomware is definitely one of those infections that come with a BANG, showing security researchers that they will have to address it efficiently in order to find a cure. This infection is spread in email letters, appended with executables that are going to begin processes of Spora after being launched. Surprisingly, the ransomware does not target many files, but sticks with the most popular types that are present in every computer. Indeed, why bother targeting hundreds of file types when popular oned are the most present in devices?

Spora virus will attempt to affect Word documents, PDF files, photos, ZIP and RAR files and etc. The .KEY file implements extremely complex encryption process. We are not going to go into much detail. Nevertheless, we should mention that a combination of RSA and AES algorithms for encryption are exploited in this process to make sure that security researchers would have very little chance in creating a free decryptor. Spora virus also destroys all Shadow Volume copies to diminish the possibility of file-recovery even more.

It was discovered that the ransomware operates with three executables. At first, after being ran, it places close.js file in, presumably, Temp folder. After that, this file is joined by an additional executable, responsible for a successful encryption process. It does not have a specific title and can be created differently for every victim. The third file that can be assigned to Spora virus is a .docx type of excutable which will trigger a message, suggesting that “Word cannot open the file because the file format does not match the file extension.”.

We have already mentioned that the payment/decrytion website of Spora virus is a little different. Infected victims have to enter their ID numbers in order to access the full version of the website. This means that if you have not been compromised with Spora, you won’t be invited to its party-site. However, typing in the ID combination won’t be enough: you will also have to add the .KEY file into the website.

Only then the website will be able to generate prices for decryption, depending on the number of files that have been encoded. In addition to offering file-decryption and full restoration of the system, hackers are definitely squeezing everything from this opportunity. People can buy immunity from other ransomware infections that are going to be created by these vile programmers. This indicates that they plan to generate additional ransomware viruses in the future. In the following photo, you can see an example of a malicious letter (in English).

Such a complicated strategy for encryption: is there any chance to beat Spora virus?

Knowing the way that Spora virus chooses to encrypt its victims’ files, it is pretty difficult to state whether a free file-recovery tool is going to be released very soon. Complicated samples like this might require more analysis if a decryptor is there to be released. We advise you to remain calm and rational: do not get tricked into paying the hackers for decryption. However, you should restore 2 files for free: this can help security researchers generate a free tool.

Even though this virus targets mainly Russian-speakings users for the time being, we can see it quickly jumping into other streams when the time is right. If you fishing for advises, we can indicate two most helpful methods to become immune to ransomware: store your files in backup storages or keep them in other secure locations. If you get infected, you won’t have to worry about file-recovery since you will be able to retrieve them from another source.

Tactics that Spora virus can exploit to reach computer devices

Creators of Spora ransomware send email letters to random people with infectious attachments. You run the appended file, you will allow virus to begin its dirty work. For this reason, you should always keep your inboxes clean from spam. Nevertheless, sometimes it is extremely difficult to draw a line between a reliable message and a straight-up scam. We recommend never opening letters from unfamiliar sources. Open attachments only after you have made sure that it is safe to do so.

Since Spora virus deletes Shadow Volume copies and uses other tricks to complicate file-decryption, we have little to offer in this field. However, you should eliminate the ransomware as soon as possible. Spyhunter or Malwarebytes can help you during this process.

Update of the 24 of January, 2017. Just as we predicted, it did not take too long for this ransomware infection to target people from different locations than their primary selection. At first, people from Russia were the main recipients of malicious spam letters. Now, people from various countries have potential of becoming victims of Spora virus. In addition to that, Spora has been noticed to be transmitted by a server that spreads such ransomware-giants like Cerber and Locky. This cannot end well: please be extremely cautious since it is yet unknown which countries are going to be added to the list of targets.

Update of the 6th of February, 2017. Security experts noticed that Spora virus incorporated a new strategy for its distribution. Now, it is spread via Google Chrome, when users are requested to update their browser. EITest Chrome Font Update is the window that is presumably going to be introduced, but users should not agree to install it.

Update of the 20th of March, 2017. Thanks to analysis by security researchers, it is now much easier to recognize Spora infection. Furthermore, it appears that a new website has been incorporated by this variant: Torifyme.com.

How to recover Spora virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Spora ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Spora virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Spora ransomware. You can check other tools here.  

Step 3. Restore Spora virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Spora ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Spora virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

References:

1. Ransomware. Trendmicro.com.
2. How Spora ransomware tries to fool antiviruses. Nakedsecurity.sophos.com.
3. From DarkNet with love: Meet Spora ransomware. Blog.emsisoft.com.
4. Explained: Spora ransomware. Blog.malwarebytes.com.
5. Spora Ransomware Infects ‘Offline’—Without Talking to Control Server. Securingtomorrow.mcafee.com.