Security researchers have spotted a new piece of ransomware that uses a very complicated data encryption scheme to encrypt victims’ personal files for ransom. This ransomware is called Spora. It targets both Russian-speaking and English-speaking users. Like many other strains of ransomware, it attacks a computer, looks for certain types of files, encrypts them and then demands payment for the decryption key. But this new ransomware has some unique features which distinguish it from previous types of ransomware.
Spora ransomware performs the encryption without a command and control (C&C) server connection. Traditional ransomware programs generate an AES key for every encrypted file and then encrypt these keys with an RSA public key generated by a C&C server. According to researchers from security firm Emsisoft, the Spora creators have developed this ransomware to contain a hard-coded RSA public key. This RSA public key is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that’s also locally generated and unique for every victim. Finally, the victim’s public RSA key is used to encrypt the AES keys that are used to encrypt individual files. If victims want to pay the ransom, they have to upload their encrypted AES keys to the ransomware creators’ payment website. The creators will use the AES keys to decrypt the victims’ unique RSA private keys that were generated locally, and those keys will then be used to decrypt the per-file AES keys needed to recover the files. This procedure may look complicated, but it allows the ransomware to encrypt files without an internet connection and avoids releasing a master key that would work for all other victims of the same campaign.
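The key hierarchy described above can be modelled as a dependency graph to check which key unlocks which data, and why a key handed to one victim does not help another. This is an added example, not code from the article or from Emsisoft; it performs no cryptography, and labels such as `master.rsa_private` and `victim_a` are hypothetical names.

```python
# Added illustration: the key-wrapping chain from the article as a dependency
# graph. No cryptography is performed; every label here is hypothetical.

def hierarchy(victim):
    """Map each protected item to the key required to unwrap it."""
    return {
        # per-victim AES key, encrypted with the hard-coded RSA public key
        f"{victim}.aes_key": "master.rsa_private",
        # victim's locally generated RSA private key, encrypted with that AES key
        f"{victim}.rsa_private": f"{victim}.aes_key",
        # per-file AES keys, encrypted with the victim's RSA public key
        f"{victim}.file_keys": f"{victim}.rsa_private",
        # file contents, encrypted with the per-file AES keys
        f"{victim}.files": f"{victim}.file_keys",
    }

def recoverable(wraps, held):
    """Return everything that can be unwrapped starting from the keys in `held`."""
    known = set(held)
    changed = True
    while changed:  # iterate to a fixed point over the wrapping chain
        changed = False
        for item, needed_key in wraps.items():
            if needed_key in known and item not in known:
                known.add(item)
                changed = True
    return known

# Two constructed victims of the same campaign (same hard-coded public key).
WRAPS = {**hierarchy("victim_a"), **hierarchy("victim_b")}

def scenario(held):
    """Return the victims whose files become readable given the held keys."""
    known = recoverable(WRAPS, held)
    return {v for v in ("victim_a", "victim_b") if f"{v}.files" in known}

if __name__ == "__main__":
    print("no private key held:   ", scenario(set()))
    print("victim_a's RSA private:", scenario({"victim_a.rsa_private"}))
    print("campaign master key:   ", scenario({"master.rsa_private"}))
```

Only the campaign's RSA private key unlocks every victim, while a single victim's RSA private key exposes nothing above it in the chain and nothing belonging to other victims.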