A few days ago, our colleagues at G-Data published an interesting analysis of Spora, a new ransomware that appeared in January. It was first spotted by the people at ID Ransomware, and it is mainly affecting Russia. A link was published in a forum detailing the VirusTotal analysis results of one of the samples distributed by spam. It is an HTA file that none of the engines present there detected, neither Panda Security, nor G-Data, nor any other.
Does this mean that the 53 participants in VirusTotal are unable to detect and block this new threat? Not at all. It means that at the time of the analysis nobody had bothered to write a signature for a file that, besides, is actually ephemeral. The important thing is to protect users and prevent them from becoming infected. If there is no other way to accomplish this than by creating a signature, there is not much you can do about it. But at least for some of us this seems to be completely unnecessary in most cases, as in the present one.
Taking a look at the information in our cloud, we have observed and blocked Spora from the first moment, without having to create signatures for it. We can confirm that most of the cases are indeed in Russia, although we have also seen cases in Japan.
These are the different hashes (MD5) of the samples we have seen:
312445d2cca1cf82406af567596b9d8c
acc895318408a212b46bda7ec5944653
c1f37759c607f4448103a24561127f2e
c270cf1f2cfeb96d42ced4eeb26bb936
Always make sure to detect threats well in advance with a good cybersecurity solution such as Panda’s Adaptive Defense 360.
Always the Russians. Any idea how long it will take to decrypt the files/system on a regular computer? If it will be too long, say weeks or months, will security companies offer cloud computing to decrypt them as a paid service?