Spora Ransomware

Spora Ransomware Description

The Spora Ransomware is a sophisticated ransomware Trojan that has an advanced payment site and the capacity to carry out its attacks online. The Spora Ransomware first appeared in January 2017 and caught the attention of PC security researchers immediately, because of its ability to carry out attacks online, a strong encryption engine, and a sophisticated ransomware payment site that is far more advanced than payment sites associated with other ransomware Trojans observed previously.

How the Spora Ransomware may be Distributed

The Spora Ransomware may be distributed using spam email messages that trick computer users into believing that the email contains an invoice attachment. The attachment is a ZIP archive file that contains HTA files inside. These HTA files use a double extension, which causes computer users to believe that the file is a PDF or a DOC file. Opening this HTA file begins the process of installing the Spora Ransomware on the victim's computer. The HTA file extracts a JavaScript file named 'close.js' into the Temp directory on the targeted computer. This, in turn, extracts an executable file and runs it. The executable associated with the Spora Ransomware uses a randomly generated name and encrypts the victim's files. Apart from the executable, a corrupted DOCX file will also be extracted and executed. The file will show an error message deliberately, making the computer user believe that the file is a damaged invoice file that was not accessible, while the attack occurs in the background.

The Spora Ransomware can Work Even on an Off-Line Computer!

One aspect of the Spora Ransomware that sets it apart from many other ransomware Trojans is that it can work offline; the Spora Ransomware does not generate traffic to its Command and Control servers. The Spora Ransomware also does not target a large variety of files (unlike some Trojans that can encrypt up to one thousand different file types!). The Spora Ransomware limits its attack to the following files:

.xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup.

The Spora Ransomware will encrypt files on all local drives and shared network drives. The Spora Ransomware leaves file names unchanged, not adding file extensions as other ransomware Trojans do. tTe Spora Ransomware avoids Windows system files and program directories, to ensure that the victims can still access their computers to pay the Spora Ransomware ransom.

The Spora Ransomware uses a solid encryption method. It is very unlikely that PC security researchers will release a decryption utility for the Spora Ransomware threat. The Spora Ransomware's encryption method is quite sophisticated, resulting in a .KEY file and an encryption key necessary for the decryption of the affected files. To decrypt the affected files, victims of the Spora Ransomware attack are asked to send the generated .KEY file to the people responsible for the attack. They can then use their own private key to retrieve the decryption key necessary to decrypt the victim's files.

Some Curiosities about the Spora Ransomware's Payment Website

The Spora Ransomware's payment website is accessible through the Spora.bz publicly. However, this website is a gateway to a hidden TOR site that is not accessible to the public. At the time of writing, there are at least ten different URLs that have been associated with the Spora Ransomware. Victims of the Spora Ransomware attack can log into the decryption service by using an ID number delivered in the Spora Ransomware ransom note. Victims also have to upload the .KEY file created on their computers. Once this information has been synchronized, the victims of the Spora Ransomware attack have access to the following features:

'Decrypt files (currently $79)
Buy immunity from future the Spora infections (currently $50)
Remove all the Spora-related files after paying the ransom (currently $20)
Restore a file (currently $30)
Restore 2 files for free'

The layout of the Spora Ransomware payment website is quite sophisticated, more similar to an eCommerce website than to a ransomware payment website.

Infected with Spora Ransomware? Scan Your PC for Free

Download SpyHunter’s Spyware Scanner
to Detect Spora Ransomware
* SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

Infection Statistics


Our MalwareTracker shows malware activity across the world. Explore real-time data of Spora Ransomware outbreaks and other threats from global to local level.

File System Details

Spora Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 file.exe 19,456 312445d2cca1cf82406af567596b9d8c 14

Site Disclaimer

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as is:
What is 5 + 5 ?