How to Remove Spora ransomware and Restore Your Files

My computer has got infected with a malware called Spora ransomware. It encrypts all files on my disks and demands payment for their safe return. I swear this is the worst thing I have ever met since the new year. I have no idea what I should do when infected by ransomware. Is it possible that I remove the ransomware and get my files back? Please help me!

Ransomware is a growing computer threat that can cost victims their data or money. It can attack your computer, encrypt your data and demand that you pay money, usually in Bitcoin, for the decryption key. Having evolved over a decade, ransomware has grown mature. Some new variants, such as Cerber 4 Ransomware, now target not only individuals but also businesses. Today we are going to talk about another strain of ransomware, which was discovered on January 10th. Dubbed Spora, the new threat seems to be the work of professionals: it can perform strong offline file encryption and brings several innovations to the ransom payment model. Below, we give detailed information about Spora ransomware and also provide the solution for the infection.


Know about Spora Ransomware

Security researchers have spotted a new piece of ransomware that uses a very complicated data encryption algorithm to encrypt the victims’ personal files for ransom. This ransomware is called Spora. It targets both Russian-speaking users and English-speaking users. Like many other strains of ransomware, it attacks a computer, looks for certain types of files, encrypts them and then demands payment for the decryption key. But this new ransomware has some unique features which distinguish it from previous types of ransomware.

Spora ransomware performs the encryption without a command and control (C&C) server connection. Traditional ransomware programs generate an AES key for every encrypted file and then encrypt these keys with an RSA public key generated by a C&C server. According to researchers from security firm Emsisoft, the Spora creators have developed this ransomware to contain a hard-coded RSA public key. This RSA public key is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that’s also locally generated and unique for every victim. Finally, the victim’s public RSA key is used to encrypt the AES keys that are used to encrypt individual files. If victims want to pay the ransom, they have to upload their encrypted AES keys to the ransomware creators’ payment website. The creators will use the AES keys to decrypt the victims’ unique RSA private keys that were generated locally, and those keys will then be used to decrypt the per-file AES keys needed to recover the files. This procedure may look complicated, but it allows the ransomware to encrypt files without an internet connection and avoids releasing a master key that would work for all other victims of the same campaign.

[Image: encryption process]

Unlike previous types of ransomware such as Cerber ransomware, Osiris Ransomware, and Locky Ransomware, this new ransomware doesn’t rename the files it encrypts, and it skips files located in specific directories. Researchers guess that the creators want the infected computers to boot normally after the file encryption, so that victims won’t suffer a computer malfunction that stops them from making the payment. According to the research, this ransomware only encrypts files with the following extensions:

.1cd .7z .accdb .backup .cd .cdr .dbf .doc .docx .dwg .jpeg .jpg .mdb .odt .pdf .psd .rar .rtf .sqlite .tiff .xls .xlsx .zip
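Because the file names stay unchanged, encrypted files cannot be picked out by extension when deciding what to restore from backup. The following is an added example, not part of the original article: it compares each file's leading bytes with the signature expected for its extension, assuming that encryption alters the start of the file. The signature table covers only part of the list above, and a mismatch can also mean ordinary corruption or a misnamed file.

```python
import os
import tempfile

# Leading-byte signatures for part of the extension list above. Types with
# no dependable signature (.dbf, .1cd, .backup, ...) are left out.
OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)
ZIP = (b"PK\x03\x04", b"PK\x05\x06")
JPEG = (b"\xff\xd8\xff",)
SIGNATURES = {
    ".7z": (b"7z\xbc\xaf\x27\x1c",), ".rar": (b"Rar!\x1a\x07",),
    ".doc": OLE, ".xls": OLE,
    ".docx": ZIP, ".xlsx": ZIP, ".odt": ZIP, ".zip": ZIP,
    ".jpg": JPEG, ".jpeg": JPEG, ".tiff": (b"II*\x00", b"MM\x00*"),
    ".pdf": (b"%PDF-",), ".psd": (b"8BPS",), ".rtf": (b"{\\rtf",),
    ".sqlite": (b"SQLite format 3\x00",),
}

def classify(path):
    """Return 'ok', 'mismatch', 'unreadable' or 'unchecked' for one file."""
    sigs = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return "unchecked"
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return "unreadable"
    if not head:
        return "unchecked"  # an empty file has no header to compare
    return "ok" if head.startswith(sigs) else "mismatch"

def triage(root):
    """Walk root; return sorted relative paths whose header mismatches."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full) == "mismatch":
                suspects.append(os.path.relpath(full, root))
    return sorted(suspects)

def demo():
    """Constructed tree: two intact files, one overwritten with other bytes."""
    samples = {"report.pdf": b"%PDF-1.4\n", "photo.jpg": b"\xff\xd8\xff\xe0JFIF",
               "budget.xlsx": bytes(range(160, 224)), "notes.txt": b"text"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root)
```

Run `triage()` against a read-only copy or image of the affected disk so the check itself changes nothing.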

What most clearly distinguishes Spora ransomware from other types of ransomware is its decryption portal. After encrypting a user’s files, it drops a ransom note and a .KEY file on the desktop of the infected computer. The ransom note is an HTML file that explains how to pay, and the .KEY file contains the user’s asymmetric keypair encrypted with the ransomware creators’ public key. Note that the base name of both files is identical to the user ID assigned by the ransomware. When the victim double-clicks the icon of the ransom note, a page will pop up as below:

[Screenshot: ransom note, Russian version]

[Screenshot: ransom note, English version]

This page tells the victim that all his work and personal files have been encrypted using the RSA-1024 algorithm and that a decryption key is needed to restore the data. If the victim clicks on the button named authorization with his unique ID filled into the blank box, he will be taken to a special portal page designed by the ransomware creators. Here’s what it looks like:

[Screenshot: purchasing page, Russian version]

[Screenshot: purchasing page, English version]

This page is obviously different from what we have seen before. Firstly, the interface itself has a professional and nice look. Secondly, the ransom asked by the ransomware creators is lower than that required by other ransomware variants. Thirdly, there are several purchasing options for the victim, “full restore”, “immunity”, “removal”, and “file restore”, each with its own price. If the victim chooses to pay for “file restore”, he will only get his files back; if he also pays for “removal”, the ransomware will be removed after the files are decrypted; paying for “immunity” means that the ransomware will not infect the computer again. The victim can also buy all three for a lower price by selecting the “full restore” option. Besides, the victim can try decrypting 2 files for free. This service is presumably offered to make the victim believe that he really can decrypt the files after paying the ransom.

The page also provides a chat box where the victim can communicate with the ransomware creators. Although this is not unique, it is rather uncommon that the creators seem to reply rather promptly. This is also a tactic the creators use to keep the payment rate up. They don’t want to miss any chance of getting money from their victims.

If you have no patience to read the content above, just have a look at the table below, which contains brief information about Spora ransomware.

Threat Name: Spora ransomware
Detected Date: January 10th 2017
Threat Level: High
Target Areas: Russian-speaking countries and English-speaking countries
Main Features:
  1. It performs the encryption without a command and control (C&C) server connection.
  2. It doesn’t rename the encrypted files and skips files located in specific directories.
  3. It offers several purchasing options for the victims.
  4. It demands a comparatively low ransom.
File Encryption Process:
  1. It generates a public-private RSA keypair that is unique to a victim’s computer.
  2. It then generates a random AES symmetric key for each file and encrypts the file.
  3. It encrypts each file’s AES key with the public key generated for the victim’s computer.
  4. It encrypts the victim’s unique public-private keypair with a public key stored in the ransomware file.

Attention! Spora ransomware is a piece of malicious software that attacks your computer, encrypts your important files, and demands payment from you to get them back. If you have unluckily become a victim of this ransomware, it is highly recommended that you get rid of this threat from your PC immediately. This can keep further unwanted problems from happening to you!


How Does Spora Ransomware Get into a Target Computer?

So far, Spora ransomware has been found to spread via emails containing attachments that pretend to be invoices. These emails contain a ZIP attachment, and the ZIP contains an HTA (HTML Application) file disguised as a PDF or DOC to entice users to click on it. The HTA file contains a VBScript program that creates and runs an embedded JavaScript file called “close.js”. Once users click and run the HTA file, the JavaScript file is extracted to the %TEMP% folder and executed immediately. Then, the close.js file creates and runs a program that contains the Spora ransomware.


Warm Tips: Since the ransomware mainly spreads through email attachments, you should be very careful with unexpected emails with attachments in the future. Don’t open the attachments or click any links within the email messages.
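The delivery chain described above (a ZIP attachment carrying an HTA file made to look like a document) can be checked for before anyone opens the archive. This is an added example, not part of the original article: it lists ZIP members that Windows would execute, assuming the disguise is a double extension such as .pdf.hta; apart from .hta, the extension lists and the sample file names are assumptions.

```python
import io
import zipfile

# .hta is the type this page describes; the other script and executable
# extensions, and the decoy list, are assumptions added for this example.
ACTIVE = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def risky_entries(zip_bytes):
    """Return [(member_name, reason)] for members that run when opened."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable-zip")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Compare on the bare file name, lower-cased, padding removed.
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = [p.strip() for p in name.split(".")]
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in ACTIVE:
                continue
            inner = "." + parts[-2] if len(parts) > 2 else ""
            reason = "disguised-as-document" if inner in DECOY else "active-content"
            findings.append((info.filename, reason))
    return findings

def build_sample():
    """Constructed attachment: harmless text stubs named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0110.pdf.hta", "placeholder, not a real HTA")
        zf.writestr("tools/update.js", "// placeholder")
        zf.writestr("readme.txt", "plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in risky_entries(build_sample()):
        print(f"{reason:24} {member}")
```

Member names are read from the archive's directory only; nothing is extracted or executed.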

How to Remove Spora Ransomware from Your Infected Computer?

If you want to remove the ransomware without paying any money to its creators, you can follow the methods given below to try cleaning it out of your PC. Usually, the common ways to remove ransomware are to use a powerful malware removal tool and to perform a system restore. Below, we give the detailed steps.

Method 1: Run SpyHunter to remove Spora ransomware.


What Is SpyHunter?
SpyHunter is a professional anti-malware program developed by Enigma Software Group USA LLC. This program is designed with advanced features so that it can provide the highest level of protection for your computer and deal with many types of malware threats like viruses, rogue antivirus programs, ransomware, and rootkits. Besides, it offers 7×24 online assistance to help you resolve problems that cannot be fixed by the program.


Now you can follow the steps below to download, install and use SpyHunter to remove Spora ransomware from your PC:

  • Copy the downloaded file to your computer and then run it on your PC. When a dialog box pops up as below, click the Run button.


  • Select your language and click the OK button.

  • Click CONTINUE to proceed.


  • Click I accept the EULA and Policy and click the INSTALL button.


  • Now SpyHunter is being installed on your PC. This takes only a short time.


  • Once SpyHunter is successfully installed on your PC, click the EXIT button.


  • Then, boot your PC into Safe Mode. After you access the desktop, double-click the SpyHunter icon to launch it. On its main screen, click the Scan Computer Now button to do a full system scan.


  • SpyHunter now will start scanning the entire system for any existing threats.


  • When the scanning is done, SpyHunter will show you all detected threats. Click the Fix Threats button if you want to remove all found threats.


  • After all threats are completely deleted from your PC, restart your PC.

Warm tips: If for some reason you cannot find any item related to Spora ransomware, we still suggest that you click the Fix Threats button to remove other detected threats. After being infected by the ransomware, some of your system settings could change, which lowers the security level. In this situation, your computer system can easily be attacked by other types of malware and suffer from more unwanted problems. Hence, removing other malware threats is also an important thing that you need to do.


Method 2: Perform system restore to remove Spora ransomware.

System restore is a Windows feature that can help fix certain types of computer problems, like crashing, blue screen of death, and malware infections. If you want to try the system restore to clean Spora ransomware, then you can follow the steps below to do it.

  • Click the Start menu and type system restore into the search box. Then, click System Restore in the result list.

  • In the window that appears, select the option Recommended restore or Choose a different restore point (note: if the ransomware infection occurred earlier than the date of the Recommended restore, you should choose the latter option).

  • Then, you’ll be presented with a list of restore points you have created previously. If you want more options, tick the box labelled Show More Restore Points. Then, select an acceptable restore point and click the Next button.

  • Confirm your restore point and click Finish. A dialog box will appear and require you to confirm that you really want to perform the system restore. Click the Yes button, and the system restore will begin.

  • Please wait while your Windows files and settings are being restored.


  • After the system restore is completed, please log into your account.


  • Then, you will see a dialog box as below once the desktop loads up. Click on the Close button.


Note: Performing a system restore is effective for the removal of some malware; however, it may not work when your computer is infected by ransomware. This is because ransomware always infects the restore points of a target system first when it starts the attack, so as to avoid being removed from the computer. So, if you cannot successfully get rid of Spora ransomware from your PC after the system restore, you can turn to a dedicated malware removal tool instead.



How to Restore Your Files?

As we have mentioned above, the creators of Spora ransomware use a very intricate encryption technique to encrypt your files. To recover your files, you need the AES key for each file; to recover the AES keys you need the private key that is unique to your computer; and to recover your own private key you need the global private key that matches the global public key stored in the ransomware program file. All this means that you won’t be able to get your files back unless you pay the ransom required. There is no need to wait for a special decryption tool to be released to help decrypt your files. But if you have luckily backed up your files before the ransomware infection, then you can restore them by following the steps below.

  1. Click the Start menu, type backup into the search text box and click Backup and Restore from the resulting list.
  2. In the popup window, find and click the Restore my files button.
  3. In the Restore Files window, locate the files or folders you want to restore and then click Next.
  4. Choose the location where you want the files to be restored.

Now you know that the most important defense against ransomware is having a regularly updated backup. If your files are backed up regularly, then even if your computer is unfortunately attacked by ransomware, you will only lose a few files, perhaps not very important ones. So, you don’t need to pay the ransom at all. Certainly, there are some other things you need to do to prevent ransomware. Check here.

