Spora Ransomware Spreads Worldwide


Spora Ransomware was first noticed at the beginning of 2017, and it has already started to spread worldwide.

The first version of the ransomware included a ransom note only in Russian, which means that its distributors were only targeting territories with Russian-speaking users. However, it looks like they have new targets now.

This assumption was supported by statistical data from ID-Ransomware, a service that lets PC users upload encrypted files and get a possible match for the ransomware that has infected their computers.

During the first days, Spora-encrypted files were uploaded by Russian users only. The trend continued during the week, along with sporadic infections in neighboring countries such as Kazakhstan, Belarus, and others, though not on the same level as the number of infections registered in Russia.

Nevertheless, things have changed during the past weeks. Security experts claim that they have noticed a number of spam campaigns distributing Spora Ransomware.

In the following days, the ID-Ransomware service started registering uploads of Spora-encrypted files from users outside the Russian territories. Austria, Saudi Arabia, and the Netherlands are among the other countries infected with Spora Ransomware via spam emails written in Russian.

The security experts Malware Breakdown and Brad Duncan have also spotted RIG-v exploit kits spreading Spora Ransomware.

The MalwareHunterTeam claimed that there was a malware distribution server which had been used to host a number of ransomware versions during the past week. Among these versions were Locky, Cerber, Spora, and Sage Ransomware.

The malware distribution server had been used together with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments that contained code that downloaded the Spora binary from the “malcenter.”

Presently, it is still not certain whether these are different actors. However, the Emsisoft experts claim that the Spora Ransomware includes support for a “campaign ID”. This is a parameter usually used to track both the effectiveness of different spam runs and other groups renting Spora from its developers.

Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated from the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at www.virusguides.com.
