Security researchers have found a new ransomware program dubbed Spora that can perform strong offline file encryption and brings several innovations to the ransom payment model.
The malware has targeted Russian-speaking users so far, but its authors have also created an English version of their decryption portal, suggesting they will likely expand their attacks to other countries soon.
Spora stands out because it can encrypt files without having to contact a command-and-control (CnC) server and does so in a way still allows for every victim to have a unique decryption key.
Traditional ransomware programs generate an AES (Advanced Encryption Standard) key for every encrypted file and then encrypts these keys with an RSA public key generated by a CnC server.
Public key cryptography like RSA relies on key pairs made up of a public key and a private key. Whatever file is encrypted with one public key can only be decrypted with its corresponding private key.
Most ransomware programs contact a command-and-control server after they’re installed on a computer and request the generation of an RSA key pair. The public key is downloaded to the computer, but the private key never leaves the server and remains in the attackers’ possession. This is the key that victims pay to get access to.
The problem with reaching out to a server on the internet after installation of ransomware is that it creates a weak link for attackers. For example, if the server is known by security companies and is blocked by a firewall, the encryption process doesn’t start.
Some ransomware programs can perform so-called offline encryption, but they use the same RSA public key that’s hard-coded into the malware for all victims. The downside with this approach for attackers is that a decryptor tool given to one victim will work for all victims because they share the same private key as well.
The Spora creators have solved this problem, according to researchers from security firm Emsisoft who analyzed the program’s encryption routine.
The malware does contain a hard-coded RSA public key, but this is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that’s also locally generated and unique for every victim. Finally, the victim’s public RSA key is used to encrypt the AES keys that are used to encrypt individual files.
In other words, the Spora creators have added a second round of AES and RSA encryption to what other ransomware programs have been doing until now.
When victims want to pay the ransom, they have to upload their encrypted AES keys to the attackers’ payment website. The attackers will then use their master RSA private key to decrypt it and return it back to the victim — likely bundled in a decryptor tool.
The decryptor will use this AES key to decrypt the victim’s unique RSA private key that was generated locally and that key will then be used to decrypt the per-file AES keys needed to recover the files.
In this way, Spora can operate without the need of a command-and-control server and avoid releasing a master key that will work for all victims, the Emsisoft researchers said in a blog post. “Unfortunately, after evaluating the way Spora performs its encryption, there is no way to restore encrypted files without access to the malware author’s private key.”
Other aspects of Spora also set it apart from other ransomware operations. For example, its creators have implemented a system that allows them to ask different ransoms for different types of victims.
The encrypted key files that victims have to upload on the payments website also contain identifying information collected by the malware about the infected computers, including unique campaign IDs.
This means that if the attackers launch a Spora distribution campaign specifically targeted at businesses, they will be able to tell when victims of that campaign will try to use their decryption service. This allows them to automatically adjust the ransom amount for consumers or organizations or even for victims in different regions of the world.
Furthermore, in addition to file decryption, the Spora gang offers other “services” that are priced separately, such as “immunity,” which ensures that the malware will not infect a computer again, or “removal” which will also remove the program after decrypting the files. They also offer a full package, where the victim can buy all three for a lower price.
The payments website itself is well designed and looks professional. It has an integrated live chat feature and the possibility of getting discounts. From what the Emsisoft researchers observed, the attackers respond promptly to messages.
All this points to Spora being a professional and well-funded operation. The ransom values observed so far are lower than those asked by other gangs, which could indicate the group behind this threat wants to establish itself quickly.