January 25, 2017
According to data gathered via the ID-Ransomware service, what many researchers had predicted is now happening: Spora Ransomware has started to spread to new territories outside the former Soviet states.
Spora Ransomware appeared in the first week of the year, and its first version featured a ransom note written only in Russian, which suggested its distributors were targeting only territories with Russian-speaking users.
First Spora Ransomware wave targeted Russian-speaking users
This presumption was immediately reinforced by statistical data gathered via ID-Ransomware, a service that lets users upload encrypted files and receive a possible match for the ransomware family that infected their system.
For the first few days, the only users uploading Spora-encrypted files were located in Russia.
This trend continued through the following week, with sporadic infections in neighboring countries such as Kazakhstan and Belarus, but nowhere near the number of infections registered in Russia itself.
Spora ransomware goes global
That appeared to change last week, when several researchers spotted new Spora Ransomware distribution campaigns.
Shortly after, the ID-Ransomware service started registering uploads of Spora-encrypted files from users outside the former Soviet space. Countries such as Saudi Arabia, Austria, and the Netherlands became hotspots of Spora infections.
This shift in geographic targeting happened because Spora was no longer distributed exclusively via spam emails written in Russian.
Spora spread via exploit kits, new spam waves
Security researchers Brad Duncan and Malware Breakdown have spotted the RIG-v exploit kit spreading Spora. Drive-by delivery through an exploit kit needs no lure text, so it is not tied to any language or region.
According to MalwareHunterTeam, one malware distribution server had hosted multiple ransomware families in the past few days, including Cerber, Spora, Locky, and the newly launched Sage ransomware. This server had historically distributed proven threats like Cerber and Locky, and had recently begun testing Spora and Sage: Spora most likely because of its wide range of payment options for victims, and Sage because of its easy-to-use Ransomware-as-a-Service (RaaS) distribution package.
This server was used in conjunction with spam floods rather than exploit kits, which means two different Spora distribution methods were in use at the same time. Users would receive emails with malicious attachments containing code that downloaded the Spora binary from the aforementioned "malcenter."
It is currently unconfirmed whether these are different actors, but according to Emsisoft, Spora includes support for a "campaign ID," a parameter often used both to track the effectiveness of different spam runs and to distinguish between different groups renting Spora from its creators.
While it is still under investigation whether Spora has been made available as a Ransomware-as-a-Service offering, what is certain is that this malware has become a global threat.