Most ransomware goes out via spam or spoofed emails, but some developers also try to make their product spread by itself.
This is the case with the Spora ransomware. Spora (meaning “spore” in Russian) spreads via email, but it can also propagate via USB drives.
Spora was first spotted ten days ago and it targets Russian users.
Unlike most ransomware, Spora is able to work offline and does not generate any network traffic to online servers. It also targets a very limited list of file types (Office documents, PDFs, image files, database files, and archives).
It doesn’t touch any system files, and the infected computer can still end up used to surf the web, or buy Bitcoin.
Once the victims access the ransom payment site, they are asked to share the key file created by the ransomware. Also, which is very unusual, they can choose services offered by the attackers.
Spora is a combination of ransomware and worm, and uses Windows shortcuts (.LNK files) to spread to removable drives, said researchers at G Data.
When double-clicked by the victims, the .LNK files Spora generates to replace hidden files and folders execute the worm.
“Using this strategy, it will not only spread to removable drives like USB thumb drives, it will also encrypt newly created files on the system. This renders the system unusable, for storing or working on any pictures or documents, until it is disinfected,” said G Data security researcher Karsten Hahn in a blog post.