
Spare Ransomware

The Spare Ransomware is a file-locking Trojan that's part of a Ransomware-as-a-Service family, the Dharma Ransomware (or Crysis Ransomware). The Spare Ransomware can keep users' files from opening by encrypting them and holds them for ransom with a pop-up note. Users should have backups for recovering any media and let compatible cyber-security software remove the Spare Ransomware on detection.

Sparing not a File for Hostages

The Spare Ransomware campaign is, for malware analysts, a re-confirmation of the activity of the RaaS, or Ransomware-as-a-Service, that goes by both the Crysis Ransomware and the Dharma Ransomware names. Like many of its relatives, the Spare Ransomware updates its extension and address but is, in other areas, a mostly-static copy of past code. Therefore, it retains both the weaknesses and strengths of its ancestors, such as secure data-encrypting attacks.

The Spare Ransomware uses the now-cliche feature of AES encryption, with additional RSA protection, for converting Windows users' media files into blocked, unreadable content. Each variant of the family adds a custom extension to its hostage files' names (for comparison, see: the Cvc Ransomware, the Devil Ransomware, the Rxx Ransomware or the SWP Ransomware); in this case, it's 'spare.' Victims should note that the extension is strictly for identification and doesn't affect the encryption in any way.

Besides blocking documents, pictures, music, and other media, the Spare Ransomware also deletes the user's Restore Points. Since the Trojan family is secure from most decryption opportunities, users have few direct means of reversing its attack and the file loss. Malware experts recommend that users keep secure backups for recovery instead of giving in to the Spare Ransomware's ransom demand (which the Trojan delivers in a classic, skull-and-bones pop-up).

Pulling Out of a Busy Trojan's Business Model

Besides backups on cloud services or removable drives like USBs, our malware experts recommend some standard precautions against the Spare Ransomware campaign. Windows users are at the most risk from the Spare Ransomware, and should avoid endangering their PCs by downloading illicit content, leaving JavaScript or Flash on, or enabling macros on unusual documents or spreadsheets. E-mail tactics and torrents are two of the more typical infection vectors for file-locker Trojans.

Administrators should also check all login credentials for brute-force vulnerabilities. Shorter, simpler, commonplace passwords are at risk from attackers 'guessing' them and gaining an informal backdoor into the target's system. Applying software updates also blocks many vulnerabilities that hackers may use for installing threats.

Most variants of the Crysis Ransomware's group show limited capabilities for avoiding threat-detecting services. Users with updated anti-malware programs should easily remove the Spare Ransomware before it puts their files in danger.

The Spare Ransomware campaign's activities go back to mid-2020, but it can harm users' files just as easily in 2021. Anyone who forgets that fact is risking often-irreplaceable data, along with expensive ransoms that may not even make up for it.
