Ransomware 2.0: Spora now steals your credentials and logs what you type

Spora has become the latest form of ransomware to inflict several different forms of misery on its victims.
Written by Danny Palmer, Senior Writer

A vicious strain of ransomware has been upgraded to enable it to steal browsing information and record keystrokes from infected PCs.

Spora ransomware -- one of the most common families of the file-locking malware -- appears to be following in the footsteps of Cerber, which recently gained the ability to steal passwords and currency from Bitcoin wallets.

By stealing credentials from victims, criminals are ensuring a double payday, because not only can they make money from extorting ransoms, they can also potentially sell stolen information to other criminals on underground forums.

All of this is achieved with the aid of a complex encryption process, which Spora has become known for, that combines an AES key and an RSA public key to lock files on the victim's computer.

In addition, the ransomware also uses Windows Crypto API to encrypt temporary data and Windows Management Instrumentation to delete backup copies of all encrypted files.

Essentially, Spora was already a powerful form of ransomware before it gained the ability to steal data. The new variant was spotted by security researchers at Deep Instinct.

This version of Spora -- distributed during a 48-hour campaign that began on August 20 -- is spread by a phishing campaign that sends targets a Word document claiming to be an invoice.

In order to see the contents of the file, the user is asked to enable a Windows Script File, which allows the document to drop its malicious payload. It's the first time Spora has been embedded in a document, rather than pulled from a web server.

Image: The malicious payload asking for permission to run. (Image: Deep Instinct.)

Once executed, the payload is similar to earlier versions of Spora, in that it carries out the encryption, without adding or changing extension names, and deletes the shadow copies before presenting the victim with a ransom note.
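As an added illustration that is not part of the article or of Deep Instinct's research, the following Python triage routine runs over constructed process-creation events (Sysmon Event ID 1 style) and flags the two behaviours described above: a script host spawned by Word, and shadow copy deletion through WMI or vssadmin. The sample events, file paths and command lines are assumptions made for the demonstration.

```python
import re

# Constructed sample events for the demo; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'},
    {"pid": 4188, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.wsf"'},
    {"pid": 4201, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4300, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},  # benign: listing, not deleting
    {"pid": 4310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "cmdline": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Command-line shapes that remove Volume Shadow Copies (the backups the article
# says Spora deletes via WMI). Case-insensitive to survive trivial casing changes.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of detection labels that apply to one event."""
    findings = []
    if basename(event["image"]) in SCRIPT_HOSTS and basename(event["parent_image"]) in OFFICE_APPS:
        findings.append("office-spawned-script-host")   # document enabling a .wsf
    if any(p.search(event["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
        findings.append("shadow-copy-deletion")         # backups being destroyed
    return findings


def triage(events):
    """Map pid -> labels for every event that triggers at least one detection."""
    return {e["pid"]: labels for e in events if (labels := classify(e))}
```

Running `triage(SAMPLE_EVENTS)` flags the Word-launched wscript.exe and both shadow copy deletions while leaving the plain `vssadmin list shadows` untouched.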

Researchers say this latest version of Spora also collects browsing history and credentials from users' web histories and cookies, and has the ability to capture keystrokes.

While many other forms of ransomware, such as Cerber, are coded not to attack Russian users, Spora appears to be targeting Russia specifically. However, it's currently unknown who is behind Spora or where in the world they're operating from.

While the cryptography behind Spora is particularly strong, the phishing email messages are somewhat basic, meaning a user educated about threats should be able to avoid falling victim.

"Since Spora's attack vector relies on user interaction, users' awareness can play a significant role in stopping the threat. The basic rule of thumb is to pay special attention to unsolicited emails and attachments, and to avoid running or allowing any kind of content from an untrusted source," said Guy Propper, cyber intelligence researcher at Deep Instinct.

Before Spora or even Cerber, there were instances of ransomware families stealing data from victims, but the functionality is now finding its way into some of the most common ransomware families.
