Spora Ransomware


8bit


We are currently being infected with the Spora Ransomware. ESET NOD 32 does not pick up the infections after scanning.

It has not been able to hold our PCs ransom but has corrupted MS Office files. The file names were not changed nor encrypted.

It has affected Windows 8 and 10 machines without admin rights.

decrypt.txt or similar files have not been found on any of these systems.

The infection stored an exe file within the Startup folder, and I will add to this thread as we learn more. We did find an HTML file that contained the Spora Ransomware name, RSA info, and Russian characters.

Has anyone else run into this or similar viruses as of late?


Below are a couple of links on Spora. The G-Data article indicates it can arrive on an infected USB drive and it has worm characteristics.

In any case, it appears someone "let it in" since it repeatedly asks to elevate privileges via a UAC prompt.

https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/

https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware

Here's the bleepingcomputer.com thread on the bugger: https://www.bleepingcomputer.com/forums/t/636975/spora-ransomware-support-and-help-topic/page-1

Also your files might be encrypted since Spora doesn't generate a unique file extension.

Edited by itman

17 hours ago, 8bit said:

ESET NOD 32 does not pick up the infections after scanning.

Forgot to mention that most ransomware, and I assume Spora as well, will delete all ransomware malware files after the second stage of the infection is accomplished. That is, the first boot after all files have been encrypted, where the malware will delete all shadow volume copies, etc. to ensure any local file recovery is impossible.

Hence, any subsequent scanning by an AV will find no malware traces of the ransomware. However, current ransomware are delivering secondary malware payloads. So AV scanning after a ransomware incident is mandatory to detect and remove those infections if they exist.

Hopefully, you have backups of your network files you can recover from?


Thank you for your response and help itman. Per ESET support via phone, they added Spora to their database of definitions back in January of this year. We are currently restoring files from backups but are looking to prevent future infections.

Another odd thing is that the online scanner from ESET has identified it while our local copy does not, and that is with updated virus definitions.

We have yet to find an infection with our local copy of ESET. Also, we don't currently use a malware application on our desktops but Malwarebytes didn't find any infections either.

Makes sense what you said in your second reply regarding the scanning for infections.

We are just doing what we can to prevent future infections.

Many thanks!


Per the G-Data write up:

This sample is an HTA application with obfuscated VBScript code. According to Bleepingcomputer it arrived in a ZIP archive via email attachment. Submissions on VirusTotal show the filename Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta.

The HTA file writes a JScript file to %TEMP%\close.js and executes it. The JScript file in turn is a dropper for a Word document that is written to %TEMP%\doc_6d518e.docx and a PE file that is saved to %TEMP%\81063163ded.exe. Both files are opened by close.js, the Word document with a parameter to show and focus the window, and the PE file with a parameter to hide it. As a result the document will be opened by the set default application for .docx files, e.g., Word, but an error message is shown because it is corrupt. The PE file 81063163ded.exe has a seemingly random name, but it is actually hardcoded by the dropper. The PE file is UPX packed and contains the actual payload.

Although I use Smart Security 10, I additionally added the HIPS rules Eset recommended to their Endpoint users. One of those rules is to block/monitor any cs/wscript plus Powershell program startup from System32/SysWOW64 mshta.exe. This rule would have prevented the above .js based Spora payload from executing.

Edited by itman

itman,

Can you kindly point me to the HIPS rules that ESET recommends? I'll put them into place asap!

Again, thank you for your help!


24 minutes ago, 8bit said:

itman,

Can you kindly point me to the HIPS rules that ESET recommends? I'll put them into place asap!

Again, thank you for your help!

This article is a "best practices" recommendation for ransomware protection: https://support.eset.com/kb3433/

This article contains the specific anti-ransomware HIPS rules: http://support.eset.com/kb6119/

Also, as an FYI in regard to script-delivered malware: in most cases, the malware is packed and obfuscated to avoid AV signature detection. On Win 10, Eset uses the AMSI interface to scan those scripts after they decrypt but prior to being loaded into memory and executed. One of a number of reasons to upgrade to Win 10.

Edited by itman
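The G-Data write-up quoted earlier in the thread (HTA runs mshta.exe, which writes and launches %TEMP%\close.js, which in turn drops a .docx and an .exe into %TEMP%) and the HIPS rule discussed above (block or monitor cscript/wscript/PowerShell started by mshta.exe) describe the same process chain from two sides. The script below is an added example, not code from the thread, from ESET or from G-Data: it applies those rules as a log-side detection over process-creation events. The event fields (image, command line, parent image) follow the Sysmon Event ID 1 layout, but the event records themselves are constructed for this example, as are the path patterns; the ESET HIPS rule operates on live process starts, whereas this is a retrospective check a responder can run over collected logs.

```python
"""Flag the mshta.exe -> wscript/cscript -> %TEMP% payload chain in process logs.

Added example (not from the thread). Event fields mirror Sysmon Event ID 1;
the SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
import ntpath
import re
from dataclasses import dataclass

HTA_HOST = "mshta.exe"
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe"}
WSH_ENGINES = {"wscript.exe", "cscript.exe"}
# Assumption: default install paths for the legitimate mshta.exe binary.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# %TEMP% on a default Windows profile resolves under AppData\Local\Temp.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|wsf)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def classify(ev: ProcEvent) -> list:
    """Return the reasons this event matches the chain, or [] if it does not."""
    reasons = []
    child = _basename(ev.image)
    parent = _basename(ev.parent_image)

    # The HIPS rule from the thread: script engine launched by mshta.exe.
    if parent == HTA_HOST and child in SCRIPT_ENGINES:
        reasons.append("script engine spawned by mshta.exe")

    # close.js-style behaviour: wscript/cscript running a script out of %TEMP%.
    if child in WSH_ENGINES and TEMP_DIR_RE.search(ev.cmdline) \
            and SCRIPT_EXT_RE.search(ev.cmdline):
        reasons.append("script engine executing a script from %TEMP%")

    # The dropped PE: an executable in %TEMP% started by a script engine.
    if parent in WSH_ENGINES and TEMP_DIR_RE.search(ev.image) \
            and child.endswith(".exe"):
        reasons.append("executable in %TEMP% launched by a script engine")

    # mshta.exe itself running from an unexpected location.
    if child == HTA_HOST and not _in_system_dir(ev.image):
        reasons.append("mshta.exe running from outside System32/SysWOW64")
    return reasons


def scan(events) -> list:
    """Return (pid, reason) pairs for every matching event, in log order."""
    return [(ev.pid, r) for ev in events for r in classify(ev)]


# Constructed sample events reproducing the chain described in the thread.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\bob\Downloads\scan.hta"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1002, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\bob\AppData\Local\Temp\close.js"',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(1003, r"C:\Users\bob\AppData\Local\Temp\81063163ded.exe",
              r'"C:\Users\bob\AppData\Local\Temp\81063163ded.exe"',
              r"C:\Windows\System32\wscript.exe"),
    # Benign: a logon script started by Explorer from a managed share.
    ProcEvent(1004, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The first event (mshta.exe launched from Explorer to open an .hta) is deliberately not flagged on its own, since that is how the user opened the attachment; the chain becomes visible at the next hop, which is exactly where the HIPS rule in the thread intervenes. The benign logon script shows why the %TEMP% and parent-process conditions matter: wscript.exe on its own is not a signal.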
