February 07, 2017
The Spora ransomware is slowly making a name for itself as one of the most well-run ransomware operations on the market, with a very well-designed ransom payment portal, some solid customer support, and also efforts to improve the ransomware's reputation among victims.
Discovered at the start of the year, Spora distinguishes itself from similar threats by a few features, such as the option to work offline, and a ransom payment portal that uses "credits" to manage Bitcoin fees.
Another of those unique features is a real-time chat window where victims can get in contact with ransomware operators.
By tweaking the ransomware infection ID, security researchers can access the ransom payment page of different Spora victims. This has allowed researchers to keep track of conversations between victims and Spora operators.
As stated in our original article about Spora, the criminals behind this ransomware operation consider themselves "professionals" and appear to have considerable experience in running ransomware campaigns.
The thing that stood out for us in the beginning, and is still valid even today, is that the Spora gang pays a lot of attention to customer support.
They provide help in both English and Russian and are very attentive not to escalate conversations with angry victims, always providing appropriate and timely responses to any inquiries.
Spora operators asking customers for favorable reviews
Security researcher MalwareHunter has spotted a few interesting conversations in the Spora ransom payment portal in the past few days.
First and foremost, Spora authors have been very lenient to victims that couldn't pay the ransom, often offering to extend or even disable the payment deadline altogether.
Second, Spora authors have been offering discounts, free decryption of important files, and deadline extensions to people willing to leave a review of their support service on the Bleeping Computer Spora ransomware thread. At the time of writing, we haven't observed any users taking them up on this offer and posting such reviews on our forum.
The reason why the Spora crew asks customers for reviews is so other victims can read about their story and feel confident that if they pay, they'll receive their files back. This is a smart marketing move, since it builds trust in their service.
Other ransomware authors often provide no working way for victims to recover their files, and more and more people now know there's a high chance that paying the ransom won't get their files back.
MalwareHunter cites one case where the Spora gang has offered a 10% discount to a company that suffered Spora infections on more than 200 devices. The researcher calls Spora's customer support more user-friendly and helpful than the customer support service provided by many tech companies today. On the other hand, we call it "smart PR" instead, since crooks have everything to gain from "being nice" to their customers.
As for Spora itself, according to data gathered via the ID Ransomware service, MalwareHunter says that Spora continues to grow, with a recent activity spike detected over the weekend.
Spora detections in the last 7 days (Data Source: ID Ransomware)
Spora is not yet at the same distribution numbers as Cerber or Locky, the undisputed kings of ransomware infections, but it's slowly getting there.
With increasing numbers, currently unbreakable encryption, solid customer support, and an interest in creating a good brand around their name, the Spora ransomware gang looks like a player that's not going anywhere anytime soon.
Charts (Data Source: ID Ransomware): Spora infections in the last day, in the last week, and all time; Locky and Cerber infections in the last week
Spora immunity installer
Last but not least, MalwareHunter has finally managed to get his hands on the "Spora immunity installer," which provides immunity from future Spora ransomware infections.
According to MalwareHunter, this installer creates a file with the same name that Spora creates when it runs. This means that after installing this tool, if users get infected with Spora, the ransomware would find this file and deduce it should not run on this machine again.
According to an analysis of the file by Lawrence Abrams of Bleeping Computer, the immunizer will create a file located in %UserProfile%\AppData\Roaming\ that is named after the volume serial number.
This is the same serial number shown when you run the dir (or vol) command in the cmd.exe command prompt. The difference is that Spora converts the serial number from hexadecimal to decimal. An example file name is %UserProfile%\AppData\Roaming\2155530532.
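The marker-file mechanism described above, as an added example written for this article rather than MalwareHunter's or Bleeping Computer's tool: it parses the "Volume Serial Number is XXXX-XXXX" line that dir prints, converts the hex serial to decimal, and creates (or checks for) the marker under the Roaming profile directory. It assumes the serial Spora uses is that of the system drive, which the article does not state; on Windows it reads that serial through the Win32 GetVolumeInformationW API, and elsewhere it falls back to a constructed dir-output sample whose serial, 807A-C924, is simply the article's example name 2155530532 written back in hexadecimal.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# Constructed sample of cmd.exe `dir` output. The serial 807A-C924 is not from
# the article: it is 2155530532 (the article's example marker name) written
# back in hexadecimal, so the sample round-trips to that name.
SAMPLE_DIR_OUTPUT = """ Volume in drive C has no label.
 Volume Serial Number is 807A-C924

 Directory of C:\\Users\\victim
"""

SERIAL_RE = re.compile(r"Volume Serial Number is ([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})")


def serial_from_dir_output(text: str) -> int:
    """Parse the 'Volume Serial Number is XXXX-XXXX' line printed by dir or vol
    and return the serial as an unsigned 32-bit integer."""
    m = SERIAL_RE.search(text)
    if m is None:
        raise ValueError("no volume serial number found in dir output")
    return int(m.group(1) + m.group(2), 16)


def marker_name(serial: int) -> str:
    """Spora's marker is the volume serial converted from hex to decimal,
    with no extension (per the article: 2155530532 for 0x807AC924)."""
    return str(serial & 0xFFFFFFFF)


def marker_path(serial: int, roaming_dir: str) -> Path:
    """Full marker path under the Roaming profile directory."""
    return Path(roaming_dir) / marker_name(serial)


def windows_system_volume_serial() -> int:
    """Read the system drive's serial with the Win32 GetVolumeInformationW API.
    Windows-only; everything else in this script is portable. Using the system
    drive is an assumption, the article does not say which volume Spora reads."""
    import ctypes
    from ctypes import wintypes

    root = os.environ.get("SystemDrive", "C:") + "\\"
    serial = wintypes.DWORD(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        ctypes.c_wchar_p(root), None, 0, ctypes.byref(serial), None, None, None, 0
    )
    if not ok:
        raise ctypes.WinError()
    return serial.value


def install_marker(path: Path) -> bool:
    """Create the empty marker file. Returns True if it was created now,
    False if it already existed (machine was already 'vaccinated')."""
    path.parent.mkdir(parents=True, exist_ok=True)
    if path.exists():
        return False
    path.touch()
    return True


def is_immunized(serial: int, roaming_dir: str) -> bool:
    """The same check the article says Spora makes: does the marker exist?"""
    return marker_path(serial, roaming_dir).is_file()


def demo_roaming_dir() -> str:
    """Scratch stand-in for %UserProfile%\\AppData\\Roaming on non-Windows hosts."""
    return tempfile.mkdtemp(prefix="roaming_demo_")


if __name__ == "__main__":
    if sys.platform == "win32":
        serial = windows_system_volume_serial()
        roaming = os.environ["APPDATA"]  # %UserProfile%\AppData\Roaming
    else:
        serial = serial_from_dir_output(SAMPLE_DIR_OUTPUT)
        roaming = demo_roaming_dir()
    p = marker_path(serial, roaming)
    created = install_marker(p)
    print(f"marker {p}: {'created' if created else 'already present'}")
    print("immunized:", is_immunized(serial, roaming))
```

Run it on the Windows host you want to vaccinate and it creates the marker for that machine; on any other system it only exercises the parsing and naming logic against the constructed sample. The marker is only as good as the check Spora performs: a build that names the file differently, or stops looking for it at all, is not stopped by it, so treat this as a cheap extra layer rather than a substitute for backups and patching.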