Danger level 9
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Connects to the internet without permission

Spora Ransomware

Spora Ransomware is a sophisticated infection that is in the same league as the infamous Locky Ransomware and Cerber Ransomware. While there are hundreds of ransomware threats that were clearly created by amateurs, this one was developed by someone who knew what they were doing. At this moment, it is impossible to decipher the encryption key used for the encryption of your files, and, according to our researchers, it is highly unlikely that this will become possible in the future. That means that once this infection is in, your files are really locked. At the time of research, this infection was primarily targeted at Windows users in Russia; however, this threat has the potential to terrorize users all over the world. If this infection has slithered into your operating system already, there are things you need to learn before you can remove Spora Ransomware, which, by the way, will not automatically decrypt your files. If you have not faced this infection yet, immediately upgrade your system’s protection and, of course, back up your personal files.

The malicious Spora Ransomware was first discovered in January 2017. Just like most other threats, this one spreads via spam emails, but even here the infection is superior to others. Instead of just attaching the launcher to a misleading spam email, this ransomware takes it to another level. The email message, of course, is misleading, but what ensures successful infiltration is the file. An .HTA file is hidden in a .ZIP file that you are meant to download, but you are unlikely to realize what kind of a file it is because the ransomware attaches another extension to the name. Due to this, you might think you are opening, for example, “invoice.doc,” when, in reality, you are opening “invoice.doc.hta” since the real extension is automatically hidden. Once the launcher is executed, a fake DOCX file is launched with an error to distract you from the infiltration of malware. Also, several EXE files are created, and their names and locations are random. Of course, if you do not delete these files in time, the encryption of your personal files will begin.
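A mail gateway or triage script can catch the disguised launcher described above before anyone opens the archive. The following is an added example, not code from the original article; it generalises the check from .hta to other script and executable extensions, and those extension sets and the function names are assumptions of this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click. The page names only .hta; the other
# entries generalise the check and are an assumption of this example.
ACTIVE_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".scr", ".exe"}
# Extensions a recipient expects on a harmless document (the decoy part).
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".jpg", ".txt"}


def suspicious_entries(zip_bytes):
    """Return (member, name_shown_to_user) for archive members whose real
    extension is executable but follows a document-type extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise separators; Windows also drops trailing dots and spaces.
            path = PurePosixPath(info.filename.replace("\\", "/").rstrip(". "))
            suffixes = [s.lower() for s in path.suffixes]
            if (len(suffixes) >= 2 and suffixes[-1] in ACTIVE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                # With known extensions hidden, only the stem is displayed.
                found.append((info.filename, path.stem))
    return found


def build_sample_zip():
    """Constructed attachment: one disguised launcher and two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc.hta", "<html></html>")  # file name from the page
        zf.writestr("report.v2.pdf", "not a real pdf")
        zf.writestr("photos/holiday.jpg", b"\xff\xd8")
    return buf.getvalue()


if __name__ == "__main__":
    for member, shown in suspicious_entries(build_sample_zip()):
        print(f"{member!r} would be displayed as {shown!r}")
```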

Our research has revealed that Spora Ransomware does not need a connection to the Internet to initiate file encryption, which is a very distinctive feature. Also, this infection is sophisticated enough to skip files whose encryption could prevent users from paying the ransom successfully. To ensure this, all files are checked, and those whose location paths contain the strings “games,” “program files (x86),” “program files,” and “windows” are avoided. It was found that the ransomware might encrypt files with these extensions: .1cd, .7z, .accdb, .backup, .cdr, .cd, .dbf, .doc, .docx, .dwg, .jpg, .jpeg, .mdb, .odt, .pdf, .psd, .rar, .rtf, .sqlite, .tiff, .xls, .xlsx, and .zip. After encrypting the files, Spora Ransomware also deletes the shadow volume copies, which means that you will not be able to recover your files using Windows Startup Repair. Once that is done, the infection creates files that are meant to introduce you to the information regarding the ransom fee. Needless to say, this infection was created only to collect money.

The most important files for the Spora Ransomware are the .KEY and .HTML files that represent the ransom demand. These files are created on the Desktop, but they are copied to every folder and subfolder with encrypted files. These files have unique names in every case, but they follow the “AABXX-XXXXX-XXXXX-XXXXX-XXXXX” format, in which the “X” stands for any random character and “AAB” (in other cases, “AB”) represents the code of your country. The .HTML file has a point of execution, and so it can be opened automatically if you restart the computer. The file routes to https://spora.bz, which is the ransom payment website. Notably, the language you face depends on your region. The website offers different options, ranging from “FULL RESTORE” for $79 (in some cases, the price might be as high as $280) to “FILE RESTORE” for $30. Compared to many similar infections, the fees demanded by Spora Ransomware are not especially high, which should make this infection more successful at extorting money. Of course, this does not mean that we advise paying the ransom. Although it might be your only option to recover your files, keep in mind that cyber crooks are unpredictable, and their promises to decrypt your files could be empty.

There is no doubt that Spora Ransomware is a tool made by professionals, and, unfortunately, it is likely to spread across the world pretty soon. The only thing that can help you prevent the attack of this infection is reliable security software, and we advise installing it as soon as possible. You should also employ this software once you delete Spora Ransomware because there is nothing stopping this infection from attacking your operating system again. Keep in mind that cyber criminals could use different distribution methods as well, so do not rely on your ability to spot corrupted spam emails. When it comes to removal, you MUST eliminate the ransomware regardless of whether or not you recover your files. The instructions below should help you get rid of this threat yourself, but we advise installing anti-malware software instead to have this threat eliminated and your system’s protection taken care of simultaneously.

Spora Ransomware Removal

  1. Right-click the launcher file (the one you might have downloaded from a spam email) and click Delete. Note that this file might have 10 random digits in its name, or it could have a CLSID-type name. You should check Desktop, %APPDATA%, %TEMP%, and %HOMEDRIVE% directories for this file.
  2. Launch Windows Explorer by tapping the Win+E keys.
  3. Enter the path (see the list below) into the bar at the top and Delete the unwanted file (in bold):
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[Unique ID].HTML
    • %APPDATA%\Microsoft\Windows\Templates\[Unique ID].HTML
    • %APPDATA%\Microsoft\Windows\Templates\[Unique ID].KEY
    • %APPDATA%\Microsoft\Windows\Templates\[Unique ID].LST
    • %APPDATA%\[Unique ID].HTML
    • %APPDATA%\[Unique ID].KEY
    • %APPDATA%\[Unique ID].LST
  4. Enter %USERPROFILE%\Desktop\ into the bar at the top:
  5. Delete these files: [Unique ID].HTML and [Unique ID].KEY.
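The [Unique ID] files in the steps above follow the naming format described earlier, so they can be located by pattern instead of by hand. The following is an added example, not code from the original article; the reading of "any random character" as A-Z or 0-9, the function names and the sample ID are assumptions of this example.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumption: "any random character" means A-Z or 0-9. The first group starts
# with the 2- or 3-letter country code, so only its first two characters are
# required to be letters.
ID_RE = re.compile(r"^[A-Z]{2}[A-Z0-9]{3}(?:-[A-Z0-9]{5}){4}$", re.IGNORECASE)
ARTIFACT_EXTS = {".html", ".key", ".lst"}  # extensions listed in the steps above


def find_artifacts(root):
    """Return {unique_id: {folder: [file names]}} for files under root whose
    names match the ransom-note format."""
    hits = defaultdict(lambda: defaultdict(list))
    for folder, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in ARTIFACT_EXTS and ID_RE.match(stem):
                hits[stem.upper()][folder].append(name)
    return {uid: dict(folders) for uid, folders in hits.items()}


def affected_folders(root):
    """Folders holding a .HTML or .KEY note. The notes are copied into every
    folder with encrypted files, so this is the list to restore from backup."""
    return sorted({folder
                   for folders in find_artifacts(root).values()
                   for folder, names in folders.items()
                   if any(n.lower().endswith((".html", ".key")) for n in names)})


def demo():
    """Scan a constructed sample tree; the ID below is made up."""
    uid = "USA1B-2C3D4-E5F6G-7H8I9-J0KLM"
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for folder, name in ((root, uid + ".HTML"), (root, uid + ".KEY"),
                         (root, uid + ".LST"), (docs, uid + ".HTML"),
                         (docs, "index.html"), (docs, "notes-2017.key")):
        open(os.path.join(folder, name), "w").close()
    return root, docs, uid, find_artifacts(root), affected_folders(root)


if __name__ == "__main__":
    print(demo()[3:])
```

The script only reports matches; review the list before deleting anything, and keep a copy of the .KEY file if you intend to preserve evidence.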