Spora Ransomware was first noticed at the beginning of 2017 and has already started to spread worldwide.
The first version of the ransomware included a ransom note only in Russian, which means that its distributors were only targeting territories with Russian-speaking users. However, it looks like they have new targets now.
This assumption was supported by statistical data from ID-Ransomware, a service that lets PC users upload encrypted files and get a possible match for the ransomware that has infected their computers.
Over the first days, Spora-encrypted files were uploaded by Russian users only. The trend continued during the week, along with sporadic infections in neighboring countries such as Kazakhstan, Belarus, and others, though not at the same level as the number of infections registered in Russia.
Nevertheless, things have changed during the past weeks. Security experts claim that they have noticed a number of spam campaigns distributing Spora Ransomware.
In the following days, the ID-Ransomware service started registering uploads of Spora-encrypted files from users outside the Russian territories. Austria, Saudi Arabia, and the Netherlands are among the other countries infected with Spora Ransomware via spam emails written in Russian.
The security experts Malware Breakdown and Brad Duncan have also spotted RIG-v exploit kits spreading Spora Ransomware.
MalwareHunterTeam claimed that there was a malware distribution server which had been used to host a number of ransomware versions during the past week. Among these versions were Locky, Cerber, Spora, and Sage Ransomware.
The malware distribution server had been used together with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments containing code that downloaded the Spora binary from the “malcenter.”
Presently, it is still not certain whether these are different actors. However, the Emsisoft experts claim that the Spora Ransomware includes support for a “campaign ID”. This is a parameter usually used to track both the effectiveness of different spam runs and other groups renting Spora from its developers.