Spora Ransomware

Unfortunately, someone close to me got hit by Spora Ransomware a few days ago. This is quite a nasty piece of work, and if they’re telling the truth about their RSA encryption, not easily decrypted. We even considered paying the ransom at some point, but couldn’t even get on the website. Every time we tried to connect we got a “Server not found” message. Perhaps they’ve already taken the money and ran? There is a happy ending to this story though, which we’ll get to in a little bit.

First though, let’s discuss how to avoid this kind of thing happening in the future:

  1. Do not use Windows. For anything. I only have a Windows partition for gaming, but with more and more games available on Linux, this is starting to look like a flimsy excuse. I hardly get to play anything these days, anyway…
  2. Do not open suspicious email attachments. This one can be slightly tricky, because the email may look like someone you know has sent it. However, if you do not recognise the file extension, and you think it might be a legitimate communication, ask them to re-send it in a more acceptable format. (They will probably reply that they never sent that email.) And if the attachment asks you to install something in order to view it (e.g. a new font), never, ever, ever, ever comply!
  3. Have everything backed up. This one will save you after nearly any kind of attack. Preferably have some kind of cloud storage and automatic back up set. I do like to have many backups, so I occasionally back up all my documents and photos on an external hard drive as well. Things that are easily available online don’t really need this treatment, unless you have a really slow connection. This will mean that even if your entire system is fried, you can just install a new open-source OS and continue working. If you don’t want to pay for storage (you should, it’s worth it), you can get some free space at various providers. The most that I’ve seen is Mega, which gives you a cool 50GB for free.

Of course, in this case the above advice had not been followed in time. We were looking at the possibility of lost work, family photos that were archived nowhere else and a serious amount of financial documentation. After some trial and error, we managed to get nearly everything back by following the following steps, and without paying the ransom!

  1. Clean the computer. There are quite a few ways to do this. I used Malwarebytes and HitmanPro (look it up; I’m not going to link everything in this blog).
  2. Remove the startup file. Even after removing the malware, Firefox still opened on startup with the ransom note. Turns out there is a file which the software didn’t remove. Use msconfig to get to the start up applications and untick the box.
  3. Recover your files. You probably won’t be able to decrypt the files, but the ransomware fortunately did not encrypt all of your files, just the ones it could see. There are still many older versions of your files that hang around in your hard drive, that don’t show up in Windows Explorer. I found a rather nifty little program called Shadow Explorer to find and restore the files (Windows does have an option that let’s you do this for each file, but it is sucky). By using Shadow Explorer, we were able to recover all important documents, and only lost a page or two of work from the most recent document.

One other thing I did before starting to play with recovery was to make a full backup of the hard drive, after the bugs had been removed. That way, I knew that if I screwed things up even more and I could get hold of the authors, I still had the option of paying the ransom. But you don’t really want to do this, since you don’t want to encourage this kind of behaviour, and you also have no guarantee that they’ll give you the key!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s