New ransomware allows users to not only pay to recover their encrypted files, but also for immunity from future attacks, researchers said.
Called Spora by the Emsisoft researchers, the new ransomware has well-implemented encryption procedures, a well-designed payment site, and the availability of several “packages” that victims can pay for.
Those hit by the malware can choose to recover files only or pay to remove the malware and gain immunity from future attacks.
For distribution, the ransomware uses spam emails that pretend to be invoices. These messages contain a ZIP attachment with an HTA (HTML Application) file inside, masquerading as a PDF or DOC. When run, the file extracts a JScript file in the %TEMP% folder, writes an encoded script into it, and then executes the file, the researchers said in a blog post.
The ransomware leverages Windows CryptoAPI for encryption, and uses a mix of RSA and AES in the process, Emsisoft reveals. The malware uses a public RSA key embedded inside the executable, then creates a new 1024 bit RSA key pair, which consists of a private and public key, and then will encrypt this using a newly generated 256 bit AES key.
This key then ends up encrypted using the original public RSA key, and the encrypted keys along with some additional information are saved inside a .KEY file.
Because of this complex operation, the ransomware can perform the encryption without a command and control (C&C) server connection. Moreover, the malware’s encryption process is strong enough to ensure a decryption tool developed for one victim won’t work for another.
This also means security researchers analyzing the threat can’t yet help victims restore their files for free, at least not as long as they don’t have access to the malware author’s private key.