Spora ransomware is distributed through phishing emails that appear legitimate and carry a ZIP attachment. The ransomware's name is Russian. The ZIP archive contains an HTA file with a double extension such as PDF.HTA or DOC.HTA, so that it looks like a document. If the victim is tricked and opens it without noticing the real extension, the device is compromised. When the attachment is opened, the HTA file drops a JavaScript file named close.js into the victim's temporary folder (%Temp%) and runs it; that script extracts an .exe file to the same folder, and once extraction is done the .exe executes itself. The .exe uses random file names to evade detection. One major advantage for this ransomware is that it works even when the victim is offline. Some of the file types targeted by this ransomware are:
.xls, .doc, .docx, .rtf, .odt, .pdf, .dwg, .cd, .cdr, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpeg, .tiff, .zip, .rar, .7z, .jpg.
Once this stage is complete, encryption takes place and the files become inaccessible to the victim. After encryption, the ransomware changes the desktop wallpaper on the victim's device and drops the ransom instructions explaining how to pay.
The execution path varies depending on the parameter with which the ransomware is deployed; initially it runs without any parameter. Its main actions are deleting the shadow copies, modifying the .LNK file settings, and dropping the ransom note in every possible location. Some directories are excluded from the infection, such as the Program Files and game directories. In addition to these operations, it uses the Windows Crypto API for its other purposes.

Spora's website is far more advanced than other ransomware sites. The creators offer victims several options at different prices: complete recovery of the files costs one price, and a waiver is offered if the victim only needs partial decryption. The decryption service also differs from every other ransomware decryption site: before the files can even be decrypted, the victim has to synchronize their computer with the attacker's decryption portal using a unique .KEY file, which the ransomware drops on every infected device. Once synchronization is done, the unique information about the victim's device is uploaded to the payment site under the victim's unique ID. The decryption site even uses an SSL certificate issued by Comodo, so the incoming traffic is protected over HTTPS. Payment can be made only in bitcoin.

This ransomware mostly targets the Russian-speaking community. Security researchers claim to have spotted some interesting conversations on the portal: the malware's creators seem lenient towards victims who could not pay the ransom by the deadline, have even decrypted important files for victims who could not afford the ransom, and have asked victims to give feedback on their service.
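The delivery chain described above depends on a ZIP attachment whose HTA payload hides behind a document-style double extension (PDF.HTA, DOC.HTA). The following Python script is an added example, not part of the original article or of any Spora analysis, that screens a ZIP attachment for such members before it reaches a mailbox; the member names, placeholder contents and the extension sets are constructed for illustration.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Document-like suffixes a lure borrows to look harmless (the article names PDF.HTA and
# DOC.HTA); the rest of this set is a constructed extension of the same idea.
DECOY_DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "odt", "jpg", "jpeg"}
# Script and executable suffixes that should never sit behind a document-like name.
EXEC_EXT = {"hta", "js", "jse", "vbs", "wsf", "exe", "scr", "lnk"}

DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if the member name is suspicious, otherwise None."""
    base = name.rsplit("/", 1)[-1]          # strip any directory inside the archive
    m = DOUBLE_EXT.search(base)
    if m:
        inner, outer = m.group(1).lower(), m.group(2).lower()
        if outer in EXEC_EXT and inner in DECOY_DOC_EXT:
            return f"double extension .{inner}.{outer}"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXEC_EXT:
        return f"executable attachment .{ext}"
    return None


def scan_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Scan a ZIP attachment held in memory; return (member, reason) for each suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one harmless PDF and two double-extension lures (inert content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("Invoice_2017.PDF.HTA", b"<html><!-- constructed placeholder, no script --></html>")
        zf.writestr("scans/Scan.DOC.hta", b"<html></html>")
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_zip())` flags the two HTA members and leaves `report.pdf` alone; in a mail gateway the same check would run on each attachment before delivery.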