Spora Adds a Wretched New Feature to Ransomware

Spora, a recently discovered ransomware variant, has emerged with advanced features that will cause problems for the security solutions working to protect against this type of malware.

I was afraid of this. Motivation and resources are driving attackers to innovate too quickly, and malware and security developers are in a constant race to outmaneuver each other. Ransomware has been a troublesome problem and it is getting progressively worse. Only recently have some security tools been able to zero in on a dependency that resides in most ransomware and become more effective against this rising scourge. Then the game changes again.

Basically, most ransomware calls back to a Command and Control (C2) site run by the attacker to obtain the encryption key that will lock the victim's files. This happens after the infection but before any significant damage is done, and it was a known point of weakness that anti-ransomware and anti-malware security solutions could take advantage of. Looking for this call is one way to detect infections, and if the key exchange can be blocked, the ransomware tends to just sit and patiently wait. That gives security tools time to sweep in and eradicate the infection.

Well, no more. Spora implements offline encryption: it bypasses the need to call home for an encryption key and can begin encrypting files immediately once it gains a foothold on the target system. It has a few other features, but none more concerning than this offline encryption capability.
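As an added illustration (not code from this post, and not Spora's own code), the following Go program contrasts the two designs described above. It assumes the usual way offline encryption is built, a per-victim symmetric key generated locally and wrapped under a public key embedded in the malware, using RSA-OAEP and AES-GCM as stand-ins; the page does not say which primitives Spora actually uses, so that choice is an assumption. The function names, the "blocked C2" stub and the sample document are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrNoC2 models a blocked call-home, the point where the older design stalls.
var ErrNoC2 = errors.New("command and control unreachable")

// LockedFile: ciphertext plus the per-victim key wrapped under the attacker's public key.
type LockedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// gcmFor builds an AES-GCM AEAD for a 16/24/32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// OnlineLock is the design the post says defenders have been exploiting: the key only
// arrives from C2 (fetchKeyFromC2 stands in for the call-home), so blocking it stops the damage.
func OnlineLock(plaintext []byte, fetchKeyFromC2 func() ([]byte, error)) (nonce, ciphertext []byte, err error) {
	key, err := fetchKeyFromC2()
	if err != nil {
		return nil, nil, fmt.Errorf("no key, nothing encrypted: %w", err)
	}
	return seal(key, plaintext)
}

// OfflineLock is the assumed Spora-style design: a random per-victim key is made locally,
// files are encrypted at once, and the key is wrapped under a public key embedded in the
// binary. No traffic precedes the damage and nothing left on the victim can unwrap the key.
func OfflineLock(embeddedPub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, embeddedPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // discard the plaintext key; only the wrapped copy remains
		fileKey[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock is what the victim pays for: it needs the attacker's private key.
func Unlock(attackerPriv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

func main() {
	attackerPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed; only the public half is "embedded"
	doc := []byte("constructed sample document")
	if _, _, err := OnlineLock(doc, func() ([]byte, error) { return nil, ErrNoC2 }); err != nil {
		fmt.Println("online design, C2 blocked:", err)
	}
	lf, _ := OfflineLock(&attackerPriv.PublicKey, doc) // succeeds with no network at all
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err := Unlock(stranger, lf)
	fmt.Println("offline design, wrong private key fails:", err != nil)
	back, _ := Unlock(attackerPriv, lf)
	fmt.Println("offline design, attacker's key recovers the file:", bytes.Equal(back, doc))
}
```

The practical consequence for defenders is visible in the two lock functions: the online variant has a network step that can be watched and blocked before any file is touched, while the offline variant has none, and the only secret that could undo the encryption never exists on the victim in usable form.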

This evolutionary change was expected, but we all hoped it would take longer before ransomware writers successfully developed and implemented such a feature. I expect other ransomware families to follow suit, as this is a big step forward for the attackers.

Well, my security colleagues, it is time to ramp up our innovation. Let's get cracking!

Interested in more? Follow me on Twitter (@Matt_Rosenquist), Steemit, and LinkedIn to hear insights and what is going on in cybersecurity.

Paolo C.

Senior Cybersecurity Strategic Advisor @ BARE Cybersecurity | Startup Fractional CISO | vCISO | SME | Founder, CTO | IT Compliance pains? Contact me.

8 years ago

This is not the first time ransomware has adopted this technique. It happened in the past (I don't recall the actual variant) and it was adopted, interestingly, by less sophisticated types. I don't know all the details, so it's difficult to say here, but one of the reasons for keys generated on the fly by the malware and then sent to the C&C machine was their uniqueness and the fact that the key wasn't hard-coded, which would have made it easy to find when the code was disassembled by experts. I would say that, although this option might indeed present a challenge for consumers and SMBs, it will make it easier to counterattack for enterprise and government organizations with the right skills and resources?

More articles by Matthew Rosenquist