For an extortion racket, Spora ransomware spends a bizarre amount of attention on UI.
With multiple payment options, customer support chat, and a freemium component, Spora may be the most “user-friendly” ransomware out there. (If you can call digital extortion user friendly.)
But for all the attention Spora’s slick UI is getting, it’s the ransomware’s ability to dynamically adjust its ransom demand prices based on each specific victim and the types of files it encrypts that’s the bigger game changer.
Before we dive into why that ability has such a huge potential impact on the future of ransomware, let’s take a quick look at the UI features generating all the buzz.
(Note: if you're looking for specific info on how Spora works, how it's being delivered, and how to stop it, see our post "Blocking Spora Ransomware During Runtime".)
What the Spora payment portal looks like
Payment options and transaction history and chat support, oh my!
Right off the bat, the crooks behind Spora have attempted to reduce friction by using a publicly accessible gateway at Spora.bz rather than requiring victims to download a Tor browser to access the payment site (like most ransomware does).
The current site even has an SSL certificate issued by Comodo, securing visits via an HTTPS connection.
Once on the site, victims are presented with a dashboard that’s been customized for them based on data collected while encrypting their files.
Spora ransom payment options (including freemium)
Make your selection from the Spora ransomware value menu.
One of Spora’s most talked about differentiators is the variety of payment options it offers victims. Rather than simply offering one flat fee like most ransomware (e.g., one Bitcoin in exchange for the decryption key), Spora presents the following options:
- Full restore: decrypting all encrypted files
- Immunity: buying a file that will exist in %UserProfile%\AppData\Roaming\ that future Spora infections will see as a prompt to stop running (for more info on Spora's "immunity installer" see this post)
- Removal: wiping all Spora-related files off the machine
- File Restore: decrypting a single file
- File Restore (freemium): decrypting two files for free to see that it actually works
Chat support + requests for positive reviews
So, if we cut a deal you'll give us 5 stars?
Source: Bleeping Computer
Another prominent feature that sets the Spora ransomware payment portal apart is the inclusion of "customer support" via its chat window.
Malware researchers have spotted the Spora crew not only utilizing chat to answer victim questions and walk them through the payment process, but also to present some victims with discounts, deadline extensions, free decryptions, and refunds in exchange for positive reviews on public forums.
The real innovation: automated file-specific pricing
While the flashy front-end features are certainly interesting, the more noteworthy innovation Spora brings to the table might be its ability to calculate ransom demand prices based not only on how many files it encrypts on a victim's device, but what types of files it encrypts.
The key is the .KEY file that Spora creates and drops on victim machines. In addition to containing identifying information about the victim (their private RSA encryption key, date of infection, location, etc.), the .KEY file also keeps track of encrypted victim files by placing them in the following buckets:
Not all files are created equal.
- Documents (.xls, .doc, .xlsx, .docx, .rtf, .odt)
- PDFs (.pdf)
- Design files (.psd, .dwg, .cdr)
- Databases (.cd, .mdb, .1cd, .dbf, .sqlite, .accdb)
- Pictures (.jpg, .jpeg, .tiff)
- Archives (.zip, .rar, .7z, .backup)
Each category is assigned its own value used to calculate the total amount of the ransom demand.
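From the defender's side, the same six buckets can be used to inventory which files on a machine a Spora-style tally would count, for example to check that backups cover them. This is an added example, not code from the original post or from Spora itself; the extension lists are the ones given above, while the names `bucket_for` and `inventory` and the report layout are assumptions.

```python
import os
from collections import defaultdict

# Extension buckets exactly as listed in the post.
BUCKETS = {
    "Documents": {".xls", ".doc", ".xlsx", ".docx", ".rtf", ".odt"},
    "PDFs": {".pdf"},
    "Design files": {".psd", ".dwg", ".cdr"},
    "Databases": {".cd", ".mdb", ".1cd", ".dbf", ".sqlite", ".accdb"},
    "Pictures": {".jpg", ".jpeg", ".tiff"},
    "Archives": {".zip", ".rar", ".7z", ".backup"},
}
EXT_TO_BUCKET = {ext: name for name, exts in BUCKETS.items() for ext in exts}


def bucket_for(filename):
    """Return the bucket for a file name, or None if its extension is not listed."""
    # Only the final extension counts; matching is case-insensitive.
    ext = os.path.splitext(filename)[1].lower()
    return EXT_TO_BUCKET.get(ext)


def inventory(root):
    """Walk root and return {bucket: {"files": n, "bytes": total}} (hypothetical layout)."""
    report = defaultdict(lambda: {"files": 0, "bytes": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            bucket = bucket_for(name)
            if bucket is None:
                continue
            try:
                size = os.path.getsize(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable or vanished file: skip it
            report[bucket]["files"] += 1
            report[bucket]["bytes"] += size
    return dict(report)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for bucket, stats in sorted(inventory(root).items()):
        print(f"{bucket:13} {stats['files']:6} files {stats['bytes']:12} bytes")
```

Comparing the per-bucket totals against what the backup job actually captured shows which of these categories would be unrecoverable without paying.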
Variable pricing isn't unheard of for ransomware (CryptoWall was observed adjusting prices based on victim geography years ago), and many variants have experimented with raising prices once a specified payment deadline has passed.
But the idea that not all data is created equal — that victims are likely willing to pay more for data they consider more valuable — isn't really something attackers have been able to put to the test outside of extremely manual and targeted attacks. Spora changes that.
Here's how malware researcher xXToffeeXx sums it up in her excellent Spora write-up for the Emsisoft blog:
“We have seen these victim-specific pricing before in targeted attacks via RDP, where attackers check who owns the server and what files it contains before encrypting it. Spora, however, takes it further and not only makes this tactic accessible to the mainstream but fully automates it.”
The next step: a better system of identifying high-value files
While the criminals behind Spora have developed an interesting way of automating file-specific ransomware pricing, their method of assigning separate values to files (based on six categories of file type) is currently very basic. Assuming victims will pay more for JPEGs than docs or PDFs, for example, is a gross generalization.
Until attackers develop more sophisticated ways of singling out more valuable data (scanning for files with "W2" in the filename, for example), this approach seems to have limited practical applications. If and when they do manage to take that step, however, it could push ransomware forward in dangerous new directions.
"I think we may see more ransomware copying Spora with their specific encryption prices based on the number of files," xXToffeeXx confirmed when I reached out to her for comment. "We may even see the criminals upload the information and threaten to release it."
The latter threat of doxing is something that was also on the mind of Bleeping Computer creator Lawrence Abrams when he shared his predictions on how ransomware is set to evolve in 2017:
“I expect ransomware to start stealing 'interesting' documents that are discovered as they encrypt a computer. For example, if they encounter files that contain certain strings they could upload the file to their C2 before encrypting them. This provides the ability to steal corporate secrets or blackmail companies based on information they learn.”
— Lawrence Abrams, Bleeping Computer
Such a drastic change in tactics might do far more to bully victims into paying than any facelift to a payment portal, no matter how snazzy.
Looking for more info on Spora ransomware?
Get the facts on how it works, how it's infecting victims, and how to stop it in our post, "Blocking Spora Ransomware During Runtime".