Spora Ransomware

Posted by Max Lehmann on January 11, 2017

What is Spora Ransomware?

Spora Ransomware is a serious computer threat that comes forth well-prepared. This infection was created by Russian cyber criminals, and so far, the program targets computer users in the Russian-speaking countries. Nevertheless, it is very likely that users in other countries will be targeted soon enough because this infection was released just now, and there is no saying how farther it might spread.

If you were infected with this dangerous program, please refer to a computer security professional to remove Spora Ransomware for good. Although we do cover the manual removal in this description, it is always a lot more efficient to rely on a professional security tool for that.testtesttest

Where does Spora Ransomware come from?

The program spreads via spam email attachments. It is the most common method of ransomware distribution. Users open spam messages that look like invoices from various online stores or even financial institutions. Spora Ransomware is very good at making users think that the file they are about to open is safe. For example, the installer file comes with a double extension, and it might confuse the user for a second. Like, the file could be a title like “example.doc.hta.” By default, Windows hides file extensions (unless you have the settings set to showing the extensions all the time), so the user who downloads the malicious file, will only see the “example.doc” filename and will think that it is just a mere document file.

What does Spora Ransomware do?

However, once you open that “document” file, this is where the hell breaks loose. The infection will create several executable files, dropping them across your system. The directories and folders where the files are dropped may differ from one infected computer to another. You will find a list of all possible locations below the description, but the point is that Spora Ransomware creates a lot of files making the removal process harder.

What’s more, then the malicious file is launched, the original .hta file will also extract and launch a corrupted .docx file. This is not anything weird: as the user launches the fake .doc file, the corrupted .docx file will cause an error pop-up to open, and this pop-up will convince the user that the initial .doc file has been damaged.

Spora Ransomware will encrypt the files with the following extensions: .xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup. Once the encryption is complete, the program will delete Shadow volume copies and disable Windows Startup Repair, and the same time changing BootStatusPolicy. As a result, it will not be possible to restore your files without an external backup.

Like most ransomware programs do, Spora Ransomware will also drop a ransom note together with a .KEY extension file. These files will appear on your desktop, and in a number of other locations (see the list below). The .KEY file also comes with an .HTML file with the same infection ID filename. If you open this .HTML file after the encryption, it redirects you to the spora.bz website, which is the homepage for this infection. The homepage looks very sophisticated as if the ransomware is about to offer you a superb service.

The fees for Spora Ransomware are known to be between $79USD and $280USD. The users can load their Bitcoin account and purchase any service they want. Of course, it makes the infection look somewhat reliable, especially as the website even comes with a chat window where the users can communicate with the site administrators. Every user can send up to five messages.

The point is that no matter how sophisticated an infection could be it is no reason to succumb to its demands. The fact that Spora Ransomware looks so polished simply means that this infection could grow into a full-out epidemic. Do not allow this to happen, and remove Spora Ransomware at once.

How do I remove Spora Ransomware?

Things could take a complicated turn if you decide to delete this program manually. Although it is possible to do, you might accidentally miss a few malicious files. Therefore, the best way to get rid of this program would be relying on a legitimate antispyware application that would terminate all the malicious files for you. What’s more, the program would protect your system from similar intruders, and you could transfer healthy copies of your files back into your clean system.

Manual Spora Ransomware Removal

  1. Find and delete the malicious file* from the Desktop.
  2. Press Win+R the Run prompt will open.
  3. Type %AppData% into the Open box and click OK.
  4. Locate and remove the malicious file from the directory.
  5. Repeats steps 2 and 3 in these directories: %TEMP%, %HOMEDRIVE%.
  6. Access the following directories via Run prompt (Win+R) to delete malicious files:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[Unique ID].HTML
    %APPDATA%\Microsoft\Windows\Templates\[Unique ID].HTML
    %APPDATA%\Microsoft\Windows\Templates\[Unique ID].KEY
    %APPDATA%\Microsoft\Windows\Templates\[Unique ID].LST
    %APPDATA%\[Unique ID].HTML
    %APPDATA%\[Unique ID].KEY
    %APPDATA%\[Unique ID].LST
    %USERPROFILE%\Desktop\[Unique ID].HTML
    %USERPROFILE%\Desktop\[Unique ID].KEY

* NOTE: the malicious installer usually has a 10-digit filename. It might also have a CLSID type of filename (XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.exe).

100% FREE spyware scan and
tested removal of Spora Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *