Home / malware Ransom:Win32/Spora.A
First posted on 23 January 2017.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Spora.A.
Explanation :
Arrival and installation
This ransomware may arrive as attachment to spammed emails. It may arrive either as a document with malicious macro codes or as an HTML application (HTA) packaged in a .zip file.
When executed, it makes sure there is no other instance of itself running on the PC. It does this via a simple mutex check. If it doesn't find an instance, it creates a mutex with the format m%u. For example: m289832943.
It then drops a copy itself in %SystemRoot% and %TEMP% folders in this format: 8x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x.exe.
It also drops .lnk files using the name of folders in the PC. For example, if your PC has a folder name C:\test, this threat creates a link file name C:\test.lnk, which points to the dropped copy. It then sets the actual folders' property to "hidden". Opening the link files executes this ransomware.
Payload
Encrypts files
This ransomware encrypts files with the following file name extensions:
- .1cd
- .7z
- .accdb
- .backup
- .cd
- .cdr
- .dbf
- .doc
- .docx
- .dwg
- .jpeg
- .jpg
- .mdb
- .odt
- .psd
- .rar
- .rtf
- .sqlite
- .tiff
- .xls
- .xlsx
- .zip
Notably, unlike other ransomware, this threat doesn't change the file name extensions of the file it encrypts. This may be to avoid generic detection of multiple file deletion and creation.
It avoids encrypting files in the following folders:
- Games
- Program Files (x86)
- Program Files
- Windows
It drops the following files, which are needed for the decryption of files:
.KEY - this file contains encrypted public key to be used for decryption .LST - this is an encrypted copy of the list of files that the malware encrypted
It displays the following ransom note, which contains instructions to decrypt files:
Spreads in the network
This ransomware has worm capabilities. It can drop copies of itself in mapped drives and removable storage.
It can also spread laterally in the network. It foes this via the following steps:
- It enumerates all network resources via the WnetOpenEnumW API using RESOURCE_GLOBALNET scope.
- On identified resources, it searches for available folders, and then sets their property to Hidden.
- In each folder it finds, it drops a copy of itself. This copy is also Hidden.
- For each folder it finds, it creates a shortcut file using the folder name and using a folder icon. For example, if it finds the folder \\ test_folder\test_folder2 it creates a .lnk file \\ test_folder\test_folder2.lnk. This is done to possibly trick you into opening the .lnk file instead of the folder.
- The .lnk file points to the dropped copy. When the .lnk file is opened, this threat is executed.
Analysis by Patrick EstavilloLast update 23 January 2017