The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to evade detection from some email scanners and maximize its outreach. The contents of the email are carefully crafted to lure victims\u00a0using social engineering techniques. This HTA file also tricks users by using the double extensions rtf.hta and doc.hta. If file extensions are hidden on victim\u2019s machines, then they will see only the first extension and might be fooled into opening the file.<\/p>\n
The spam email looks like this:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png\")
<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/2.png\")
<\/p>\n
The contents of HTA file:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/2-1.png\")
<\/p>\n
At runtime the HTA file drops a JavaScript file in the %Temp% folder. Further JavaScript extracts an executable with a random name (in this case: goodtdeaasdbg54.exe) in %TEMP% and executes.<\/p>\n
The HTA file also extracts and executes a .docx file that is corrupted and returns an error to distract the victims:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/3.jpg\")
<\/p>\n
Analysis<\/strong><\/h2>\nGoodtdeaasdbg54.exe is packed using the UPX packer and contains the payload (Spora). It first checks whether a copy of this file is running in memory. If not, it creates a mutex. Spora uses mutex objects to avoid infecting the system more than once.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/5.png\")
<\/p>\n
Spora checks for the logical drives available in the system:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/6.png\")
<\/p>\n
Once a resource is available, Spora searches for files to encrypt but avoids \u201cwindows,\u201d \u201cProgram files,\u201d and \u201cgames.”<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/7.png\")
<\/p>\n
Spora removes the volume shadow copies from the target\u2019s system, thereby preventing\u00a0the user from restoring the encrypted files. (A shadow copy is a Windows feature that helps users make backup copies (snapshots) of computer files or volumes.) To delete the shadow volume copies, Spora uses the command \u201cvssadmin.exe Delete Shadows \/All \/Quiet.\u201d This ransomware uses the vssadmin.exe utility to quietly delete all the shadow volume copies on the computer.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/8.png\")
<\/p>\n
It also creates .lnk files along with .key and .lst files in the root drive.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/9.png\")
<\/p>\n
Spora also deletes the registry value to remove the shortcut icons.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/10.png\")
<\/p>\n
Encryption process<\/strong><\/h2>\nStep 1:<\/strong> It generates a random \u201cper file AES\u201d symmetric key for each file.<\/p>\nStep 2:<\/strong> Spora generates a local public-private key pair.<\/p>\nStep 3:<\/strong>\u00a0The public key generated from Step 2 will encrypt the \u201cper file AES\u201d key and append it to the encrypted file.<\/p>\nStep 4:<\/strong> After encrypting all the files, Spora generates a unique AES symmetric key.<\/p>\nStep 5:<\/strong>\u00a0The private key generated in Step 2 is copied into the .key file and encrypted by the unique AES key generated in Step 4.<\/p>\nStep 6:<\/strong> Finally the unique AES key is encrypted by decrypting the public key (explained below) and appending it to the .key file.<\/p>\nThe malware author\u2019s public key is embedded in the malware executable using a hardcoded AES key. The decrypted public key:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/11.png\")
<\/p>\n
The decryption is possible only by the private key held by the malware author. Once the payment is done, the author may provide victims with the private RSA key to decrypt the encrypted AES key appended in the .key file. The decrypted AES key will decrypt the remaining .key file, which contains the user’s private RSA key.<\/p>\n
The whole process is bit complex and lengthy but using this scheme Spora successfully avoids the dependency of obtaining a key from a control server and can work offline.<\/p>\n
Key file<\/strong><\/h2>\nSpora encrypts six types of file extensions:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/12.png\")
<\/p>\n
The .key filename contains information in the following format:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/13.png\")
<\/p>\n
And encodes all this information with a substitution method.<\/p>\n
In our case US736-C9XZT-RTZTZ-TRHTX-HYYYY.KEY translates to:<\/p>\n
\n- USA as locale.<\/li>\n
- The characters “736C9” for the beginning of the MD5 hash.<\/li>\n
- 10 encrypted office documents (Type 1).<\/li>\n
- Two encrypted PDF (Type 2).<\/li>\n
- Zero encrypted CorelDraw\/AutoCAD\/Photoshop files (Type 3).<\/li>\n
- Zero encrypted database files (Type 4).<\/li>\n
- 25 encrypted images (Type 5).<\/li>\n
- 15 encrypted archives (Type 6).<\/li>\n<\/ul>\n
The decoding mechanism of .key file:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/5-1.png\")
<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/4.png\")
<\/p>\n
Ransom message<\/strong><\/h2>\nThe ransom note is written in Russian, here with our translation:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/15.png\")
<\/p>\n
The Spora payment site provides several packages for victims with different prices with a deadline.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/16.png\")
<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/17.png\")
<\/p>\n
The hashes used in the analysis:<\/p>\n
\n- a159ef758075c9fb64d3f06ff4b40a72e1be3061<\/li>\n
- 0c1007ba3ef9255c004ea1ef983e02efe918ee59<\/li>\n<\/ul>\n
McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect the malicious HTA file and Spora binary as JS\/Spora.a and Ransom-Spora!\u00a0[Partial hash],<\/em> respectively, with DAT Versions 8435 and later.<\/p>\nThis post was prepared with the invaluable assistance of Sourabh Kadam.\u00a0<\/em><\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":"
Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180,4549],"coauthors":[3973],"class_list":["post-69077","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware","tag-ransomware"],"acf":[],"yoast_head":"\n
Spora Ransomware Infects 'Offline'\u2014Without Talking to Control Server | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many computers in a short time due to\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spora Ransomware Infects 'Offline'\u2014Without Talking to Control Server | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many computers in a short time due to\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-22T23:01:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-06T01:47:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/02\/1-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"719\" \/>\n\t<meta property=\"og:image:height\" content=\"587\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Spora Ransomware Infects ‘Offline’\u2014Without Talking to Control Server\",\"datePublished\":\"2017-02-22T23:01:41+00:00\",\"dateModified\":\"2025-06-06T01:47:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/\"},\"wordCount\":762,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\",\"ransomware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/\",\"name\":\"Spora Ransomware Infects 'Offline'\u2014Without Talking to Control Server | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png\",\"datePublished\":\"2017-02-22T23:01:41+00:00\",\"dateModified\":\"2025-06-06T01:47:34+00:00\",\"description\":\"Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many computers in a short time due to\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Spora Ransomware Infects ‘Offline’\u2014Without Talking to Control Server\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spora Ransomware Infects 'Offline'\u2014Without Talking to Control Server | McAfee Blog","description":"Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many computers in a short time due to","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Spora Ransomware Infects 'Offline'\u2014Without Talking to Control Server | McAfee Blog","og_description":"Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many computers in a short time due to","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-02-22T23:01:41+00:00","article_modified_time":"2025-06-06T01:47:34+00:00","og_image":[{"width":719,"height":587,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/02\/1-1.png","type":"image\/png"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Spora Ransomware Infects ‘Offline’\u2014Without Talking to Control Server","datePublished":"2017-02-22T23:01:41+00:00","dateModified":"2025-06-06T01:47:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/"},"wordCount":762,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png","keywords":["computer security","cybercrime","endpoint protection","malware","ransomware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/","name":"Spora Ransomware Infects 'Offline'\u2014Without Talking to Control Server | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png","datePublished":"2017-02-22T23:01:41+00:00","dateModified":"2025-06-06T01:47:34+00:00","description":"Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many computers in a short time due to","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/02\/1-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spora-ransomware-infects-offline-without-talking-control-server\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Spora Ransomware Infects ‘Offline’\u2014Without Talking to Control Server"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/69077","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=69077"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/69077\/revisions"}],"predecessor-version":[{"id":215148,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/69077\/revisions\/215148"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=69077"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=69077"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=69077"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=69077"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\nStep 1:<\/strong> It generates a random \u201cper file AES\u201d symmetric key for each file.<\/p>\n Step 2:<\/strong> Spora generates a local public-private key pair.<\/p>\n Step 3:<\/strong>\u00a0The public key generated from Step 2 will encrypt the \u201cper file AES\u201d key and append it to the encrypted file.<\/p>\n Step 4:<\/strong> After encrypting all the files, Spora generates a unique AES symmetric key.<\/p>\n Step 5:<\/strong>\u00a0The private key generated in Step 2 is copied into the .key file and encrypted by the unique AES key generated in Step 4.<\/p>\n Step 6:<\/strong> Finally the unique AES key is encrypted by decrypting the public key (explained below) and appending it to the .key file.<\/p>\n The malware author\u2019s public key is embedded in the malware executable using a hardcoded AES key. The decrypted public key:<\/p>\n The decryption is possible only by the private key held by the malware author. Once the payment is done, the author may provide victims with the private RSA key to decrypt the encrypted AES key appended in the .key file. The decrypted AES key will decrypt the remaining .key file, which contains the user’s private RSA key.<\/p>\n The whole process is bit complex and lengthy but using this scheme Spora successfully avoids the dependency of obtaining a key from a control server and can work offline.<\/p>\n Spora encrypts six types of file extensions:<\/p>\n The .key filename contains information in the following format:<\/p>\n And encodes all this information with a substitution method.<\/p>\n In our case US736-C9XZT-RTZTZ-TRHTX-HYYYY.KEY translates to:<\/p>\n The decoding mechanism of .key file:<\/p>\n The ransom note is written in Russian, here with our translation:<\/p>\n The Spora payment site provides several packages for victims with different prices with a deadline.<\/p>\n The hashes used in the analysis:<\/p>\n McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect the malicious HTA file and Spora binary as JS\/Spora.a and Ransom-Spora!\u00a0[Partial hash],<\/em> respectively, with DAT Versions 8435 and later.<\/p>\n This post was prepared with the invaluable assistance of Sourabh Kadam.\u00a0<\/em><\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Spora is a ransomware family that encrypts victims\u2019 files and demands money to decrypt the files. It has infected many…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180,4549],"coauthors":[3973],"class_list":["post-69077","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware","tag-ransomware"],"acf":[],"yoast_head":"\n<\/p>\nKey file<\/strong><\/h2>\n
<\/p>\n<\/p>\n\n
<\/p>\n<\/p>\nRansom message<\/strong><\/h2>\n
<\/p>\n<\/p>\n<\/p>\n\n