Dubbed “Spora,” the ransomware currently only targets Russian users and is distributed via spam emails that mimic invoices. Those invoices appear as attachments containing ZIP files which house HTA files, according to a 10 January Bleeping Computer blog post.
The malicious files carry double extensions such as PDF.HTA or DOC.HTA; however, on Windows computers where file extensions are hidden, users will see only the first extension and might be tricked into opening the file, Bleeping Computer researchers said in the post.
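The double-extension trick described above is easy to catch at a mail gateway before a user ever sees the attachment. The following is an added defender-side example, not code from the article or from the researchers it cites: it opens a ZIP attachment in memory and flags members whose real extension is a script type (HTA, JS, VBS and similar) hidden behind a document-looking decoy extension. The extension lists and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Decoy extensions a user expects to see, and script/executable types that
# Windows may hide behind them when "hide known extensions" is enabled.
# Both lists are constructed for this example, not taken from the article.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
SCRIPT_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "exe", "scr"}


def suspicious_double_extension(name):
    """True for names like 'Invoice.PDF.HTA': decoy extension, then script."""
    base = name.lower().rsplit("/", 1)[-1]   # strip any folder path in the ZIP
    parts = base.split(".")
    if len(parts) < 3:                        # needs at least name.decoy.script
        return False
    return parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def scan_zip_attachment(data):
    """Return the member names that use a decoy double extension (empty if clean)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if suspicious_double_extension(info.filename):
                hits.append(info.filename)
    return hits


def build_sample_zip():
    """Constructed sample attachment modelled on the article's description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder content only; the name is what the check looks at.
        zf.writestr("Invoice.PDF.HTA", "<html><!-- constructed placeholder --></html>")
        zf.writestr("readme.txt", "constructed benign file")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip()))  # ['Invoice.PDF.HTA']
```

A gateway rule built on this would quarantine the message rather than rely on the recipient noticing the hidden .HTA suffix.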
The ransomware features a solid encryption routine, a well put-together payment website and the ability to work offline, and it does not generate network traffic to online servers.
“Threat actors think that offline encryption is the most reliable and a safe method,” Kaspersky Lab senior malware analyst Anton Ivanov said.
The ransomware's encryption targets only files with certain extensions, and only local files and network shares. It skips files whose names contain specified strings, so that the computer is not damaged to the point where it can no longer boot or carry out other normal operations.
Ivanov said it’s possible that newer versions of the ransomware may target more file extensions.
Furthermore, Bleeping Computer researchers said the entire encryption method appears to contain no weakness and uses a complicated routine both for the creation of .KEY files and for the creation of the encryption key used to lock each file.
Once infected, users are given an infection ID and instructed to visit a decryption portal located on a publicly accessible front-end domain, which is actually a TOR gateway to a hidden TOR site that is not publicly advertised.
Users must then enter their infection ID and are presented with multiple decryption options, which include two free file restores, $US30 file restore, $US20 removal, $US50 immunity and $US79 full restore, to accommodate the particular needs of the victims.
“To protect against such threats, users should install a security solution with a behavioral detection component,” Ivanov said. “Also they should not open any files that were sent from untrusted sources.”
Ivanov added that it’s interesting that the ransomware is qualitatively targeting Russian users.