Barkly vs Malware
Barkly Research
Mar 2017

Blocking Spora Ransomware During Runtime

Spora is a new ransomware family gaining widespread distribution and notoriety thanks in part to its sophisticated payment portal. See how Barkly prevents Spora infections from encrypting files by stopping them during runtime.

Spora Ransomware Overview

Spora was first spotted in early January 2017 and immediately began generating buzz in the research community, thanks primarily to its complex encryption routine and extremely professional customer support and payment portal.

While the first wave of Spora attacks was limited to Russian-speaking territories, it has quickly become a global threat. The developers behind the ransomware have been able to expand their distribution channels to include exploit kits, spam campaigns, and even a fake Google font update.

Quick Facts

  • Spora encrypts victims' files using a combination of RSA and AES encryption and does not require an internet connection to work.
  • There is no change made to encrypted file names or extensions.
  • Spora only targets files with the following extensions: .xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup
  • Spora infections leave behind an HTML ransom note and a .KEY file used to identify the victim and determine victim-specific ransom demand amounts.
  • Victims are directed to a payment portal where they are offered a variety of payment options, including full decryption, decryption for individual files, immunity from future Spora infections, and removal of all Spora-related files. Fees have been seen ranging from $79 to $280.
  • Victims are also offered the option of decrypting two files for free.
  • In addition, the Spora payment portal features a chat service with customer support.
  • Like other ransomware, Spora deletes Shadow Volume Copies to make recovering encrypted data more difficult.
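Because Spora leaves file names and extensions unchanged, checks that look for renamed files miss it. The Python triage sketch below is an added example, not Barkly's code or detection method: it flags files with targeted extensions whose leading bytes no longer match the expected format signature and correlates them with the .KEY and HTML artifacts. It assumes encryption overwrites the start of each file, which the page does not state; the function names, the threshold, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# File signatures for a subset of the extensions in the target list above.
_ZIP, _OLE, _JPG = [b"PK"], [b"\xd0\xcf\x11\xe0"], [b"\xff\xd8\xff"]
MAGIC = {
    ".pdf": [b"%PDF"], ".zip": _ZIP, ".docx": _ZIP, ".xlsx": _ZIP, ".odt": _ZIP,
    ".doc": _OLE, ".xls": _OLE, ".jpg": _JPG, ".jpeg": _JPG,
    ".tiff": [b"II*\x00", b"MM\x00*"], ".rar": [b"Rar!"],
    ".7z": [b"7z\xbc\xaf\x27\x1c"], ".psd": [b"8BPS"], ".rtf": [b"{\\rtf"],
    ".sqlite": [b"SQLite format 3\x00"],
}

def header_mismatches(root):
    """Targeted-extension files whose leading bytes no longer match the format."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        sigs = MAGIC.get(path.suffix.lower())
        if not sigs or not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        if head and not any(head.startswith(s) for s in sigs):
            hits.append(path.name)
    return hits

def triage(root, min_damaged=2):
    """Correlate damaged headers with the .KEY and HTML artifacts the page lists."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    keys = sorted(p.name for p in files if p.suffix.lower() == ".key")
    notes = sorted(p.name for p in files if p.suffix.lower() in (".html", ".htm"))
    damaged = header_mismatches(root)
    # Assumed threshold: several damaged files plus both artifacts before alerting.
    suspicious = len(damaged) >= min_damaged and bool(keys) and bool(notes)
    return {"damaged": damaged, "keys": keys, "notes": notes, "suspicious": suspicious}

def build_sample(root):
    """Constructed sample tree: two intact files, two with overwritten headers."""
    samples = {
        "report.pdf": b"%PDF-1.4 intact", "photo.jpg": b"\xff\xd8\xff\xe0 intact",
        "budget.xlsx": b"\x8a\x13\x5c\xe1 not a zip", "plan.docx": b"\x07\xf2\x99\x10 x",
        "SAMPLE-ID.KEY": b"constructed", "SAMPLE-ID.html": b"<html>constructed</html>",
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A header mismatch alone is not proof of encryption, since mislabelled or legacy-format files also trip it, which is why the verdict also requires the .KEY and HTML artifacts.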

How Spora is Being Delivered

Phishing emails: Spora was first spotted being distributed via spam emails disguised as invoices and carrying .zip file attachments. Hidden inside the .zip file is an HTML application (HTA) that utilizes JavaScript to extract and execute the Spora payload.

Exploit kits: Researchers have also seen Spora being spread via RIG-v exploit kits taking advantage of Flash vulnerabilities.

Fake Chrome font pack update: Spora is also one of the payloads being delivered by a scam tricking Chrome users into believing their browser is missing the "HoeflerText" font.

Stopping Spora with Barkly's Runtime Malware Defense

Barkly utilizes runtime malware defense (RMD) to stop Spora ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across multiple layers of the system in real time, Barkly can see when malware like Spora is attempting to gain execution by suspicious means and stop it before it does.

Why blocking malware during runtime matters

By detecting and blocking malicious behaviors in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.

That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited a malicious website, etc., and even after it's bypassed their AV.

Learn more about how RMD works here.
