Spora ransomware: the new generation encrypts and intercepts

Spora ransomware has recently been upgraded and it appears that in addition to encrypting victim data, it also has the ability to steal passwords and digital coins from Bitcoin wallets.

By stealing credentials from their victims, criminals secure double profits, earning money from the ransom and selling the stolen information to other criminals in underground forums.

All this is accomplished with the help of the complex encryption process for which Spora is known. Encryption combines an AES key and an RSA public key to lock files on the victim's computer.

In addition, the ransomware uses the Windows Crypto API to encrypt temps as well as Windows Management Instrumentation to delete the backups of all encrypted files.

In fact, Spora was a very powerful ransomware from the beginning, and it now has the ability to steal data as well. The new variant was identified by security researchers at Deep Instinct.

This version of Spora ransomware, which was spread in a 48-hour campaign that began on August 20, is delivered by a phishing campaign that sends targets a Word document claiming to be an invoice.

To view the contents of the file, the user is required to activate a Windows Script File, which allows the document to drop its malicious payload. This is the first time that Spora has been embedded in a document, according to the researchers.

Once executed, the malware begins to encrypt the computer's files, altering the file name extensions. Along with encryption, it searches for and deletes any backups on the computer before presenting the ransom note to the victim.

Researchers report that the latest version of Spora ransomware also collects users' browsing history, web credentials, and cookies, and has the ability to record keystrokes.

Spora ransomware: Protection

While what Spora uses is particularly strong, the phishing emails are somewhat obvious. A user trained to spot fakes will be able to avoid some infections.

“Since Spora's attacking agent is based on user interaction, user awareness can play an important role in stopping the threat. The main rule is to pay close attention to messages, attachments and avoid running or opening any content from an untrusted source,” said Deep Instinct researcher Guy Propper.
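Beyond user awareness, the behaviour chain described above (a Word document launching a Windows Script File, followed by WMI-based backup deletion) can be watched for in process-creation logs. The following is an added example, not code from the article or from Deep Instinct; the event layout, host names, paths and command lines are constructed, and `wmic shadowcopy delete` is assumed here as one common form of WMI backup deletion.

```python
import ntpath
import re

# Constructed process-creation events: (host, parent image, image, command line).
# All hosts, paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Windows\explorer.exe", r"C:\Office\WINWORD.EXE", "WINWORD.EXE invoice.docx"),
    ("WS-01", r"C:\Office\WINWORD.EXE", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Temp\doc.wsf"),
    ("WS-01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\wbem\WMIC.exe", "WMIC.exe shadowcopy delete"),
    ("WS-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy list brief"),
    ("WS-03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
]

OFFICE_APPS = {"winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run .wsf files
# Shadow copy deletion through WMI: wmic, or PowerShell WMI/CIM cmdlets (assumed forms).
SHADOW_DELETE = re.compile(
    r"wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    r"|win32_shadowcopy.*(remove-wmiobject|remove-ciminstance)",
    re.IGNORECASE)

def classify(parent, image, cmd):
    """Return the name of the rule a single event matches, or None."""
    parent_name = ntpath.basename(parent).lower()
    image_name = ntpath.basename(image).lower()
    if parent_name in OFFICE_APPS and image_name in SCRIPT_HOSTS:
        return "office_spawns_script_host"
    if SHADOW_DELETE.search(cmd):
        return "wmi_shadow_copy_delete"
    return None

def detect(events):
    """Map host -> ordered rule hits. 'chain' is appended when a script host
    started by Word is later followed by backup deletion on the same host."""
    hits = {}
    for host, parent, image, cmd in events:
        rule = classify(parent, image, cmd)
        if rule:
            hits.setdefault(host, []).append(rule)
    for rules in hits.values():
        if "office_spawns_script_host" in rules:
            start = rules.index("office_spawns_script_host")
            if "wmi_shadow_copy_delete" in rules[start:]:
                rules.append("chain")
    return hits

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(host, rules)
```

A lone shadow copy deletion (WS-03) is reported but not escalated, since legitimate maintenance scripts can produce it; the correlated chain on one host is the higher-confidence signal.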

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
