Spora ransomware could become the new Locky

A recent decrease of Locky ransomware infections has been tied with the lack of activity of the Necurs botnet, which is used to deliver the malware directly to potential victims’ email accounts.

Choices available to Spora ransomware victims

In fact, most ransomware – and malware in general – is delivered via spam or spoofed emails, but some malware authors also try to make their creation spread by itself.

This is the case with the recently discovered Spora ransomware. Spora (meaning “spore” in Russian) is spread by email, but it can also spread via USB drives.

It was first spotted some ten days ago. It targets Russian users, uses well made ransom payment sites and online decryption service, and some very good encryption.

Unlike most ransomware, Spore is able to work offline and does not generate any network traffic to online servers. It also targets a very limited list of file types (Office documents, PDFs, image files, database files, and archives).

It doesn’t touch any system files, and the infected computer can still be used to, for example, surf the web, or buy Bitcoin.

Once the victims access the ransom payment site, they are asked to share the key file that has been created by the ransomware. Also, which is very unusual, they can choose an number services offered by the criminals (as evidenced in the screenshot above).

According to research by G Data, Spora is a combination of ransomware and worm, and uses Windows shortcuts (.LNK files) to spread to removable drives.

When double-clicked by the victims, the .LNK files Spora generates to replace hidden files and folders execute the worm.

“Using this strategy, it will not only spread to removable drives like USB thumb drives, it will also encrypt newly created files on the system. This renders the system unusable, for storing or working on any pictures or documents, until it is disinfected,” notes G Data security researcher Karsten Hahn.

All in all, Spora does look like it was made by professional cyber crooks who have much experience when it comes to ransomware setups. And, according to Hahn, its sophistication could easily make it the new Locky.