{
	"id": "584af61c-6993-4ef9-a9f3-c16566fd4554",
	"created_at": "2026-04-06T00:06:13.163306Z",
	"updated_at": "2026-04-10T03:20:50.165796Z",
	"deleted_at": null,
	"sha1_hash": "94ff1e03edc2a3c03406f46b101c20b472c7cf08",
	"title": "Spora - the Shortcut Worm that is also a Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 282758,
	"plain_text": "Spora - the Shortcut Worm that is also a Ransomware\r\nBy Karsten Hahn\r\nPublished: 2020-02-13 · Archived: 2026-04-05 18:06:54 UTC\r\n01/18/2017\r\nReading time: 7 min (1776 words)\r\nSpora spreads via USB drives like Gamarue and Dinihou aka Jenxcus whilst also encrypting files. The\r\nsophistication of this threat could easily make it the new Locky. We discuss its infection and encryption procedure\r\nand show how it uses statistical values about encrypted files to calculate the ransom amount.\r\nHTA email Attachment as common infection vector\r\nSpora's ransom note was first spotted by the ID Ransomware maintainers and announced via Twitter\r\nby MalwareHunterTeam. Several malware researchers and Twitter users were amazed by the good-looking,\r\nprofessional ransomware website and ransom note. Experience showed that most of these websites are in bad\r\nshape. The first sample was provided by a member of Bleepingcomputer and discussed in their Spora support\r\ntopic.\r\nThis sample is an HTA application with obfuscated VBScript code. According to Bleepingcomputer it arrived in a\r\nZIP archive via email attachment. Submissions on VirusTotal show the filename Скан-копия _ 10 января 2017г.\r\nСоставлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta.\r\nThe HTA file writes a JScript file to %TEMP%\\close.js and executes it. The JScript file in turn is a dropper for a\r\nWord document that is written to %TEMP%\\doc_6d518e.docx and a PE file that is saved to\r\n%TEMP%\\81063163ded.exe. Both files are opened by close.js, the Word document with a parameter to show and\r\nfocus the window, and the PE file with a parameter to hide it. As a result the document will be opened by the\r\napplication set as default for .docx files, e.g., Word, but an error message is shown because it is corrupt. The PE\r\nfile 81063163ded.exe has a seemingly random name, but it is actually hardcoded by the dropper. 
The PE file is\r\nUPX packed and contains the actual payload.\r\nhttps://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware\r\nPage 1 of 6\n\nError message, appears after opening the corrupt document\r\nWorm-like behavior similar to Dinihou and Gamarue\r\nWhile ZCryptor had already been deemed a combination of ransomware and worm due to its usage of autorun.inf,\r\nSpora goes some steps further using the same techniques as Gamarue and Dinihou. The functionality of\r\nautorun.inf had been removed in Windows 7 and was patched on Windows XP and Windows Vista more than\r\nseven years ago, thus making it an ineffective technique for worms to spread via removable drives. The trick is:\r\nGamarue, Dinihou and now also Spora use Windows shortcuts (.LNK files) instead.\r\nSpora adds the hidden attribute to files and folders on the desktop, in the root of removable drives and the system\r\ndrive. These hidden files and folders are, with the standard folder options, not visible anymore. Spora then puts\r\nWindows shortcuts with the same name and icon as the hidden files and folders as a visible replacement. Those\r\n.LNK files open the original file to avoid raising any suspicion and simultaneously execute the malware. An\r\nexample: the folder C:\\Windows will be hidden and a file named C:\\Windows.lnk will be created; it looks exactly\r\nlike the original folder if the standard folder options on Windows are set.\r\nThe .LNK files use the following command to execute the worm and open the original file. If the original file is a\r\nfolder it will open Windows Explorer to show its contents:\r\n/c explorer.exe \"\u003coriginalfile\u003e\" \u0026 type \"\u003cworm\u003e\" \u003e \"%%tmp%%\\\u003cworm\u003e\" \u0026 start \"\u003coriginalfile\u003e\"\r\n\"%%tmp%%\\\u003cworm\u003e\"\r\nThe worm copies itself as a hidden file alongside the .LNK files; its filename is generated by calculating the CRC32\r\nchecksum for the VolumeSerialNumber. 
The result is put into the pattern %08x-%04x-%04x-%02x%02x-\r\n%02x%02x%02x%02 (see address 0x405492). This means the name for the malware file can be, e.g., a277a133-\r\necde-c0f5-1591-ab36e22428bb.exe.\r\nThe worm deletes the registry value HKCR\\lnkfile\\isShortcut with the effect that the shortcut icons don't show the\r\ncharacteristic bent arrow in the lower left corner, which would be a telltale sign to the user that something is wrong.\r\nSimply navigating through the folders on your system and desktop using double-click will execute the worm.\r\nUsing this strategy, it will not only spread to removable drives like USB thumb drives, it will also encrypt newly\r\ncreated files on the system. This renders the system unusable for storing or working on any pictures or\r\ndocuments until it is disinfected. \r\nFunction that deletes the isShortcut value in the registry\r\nEncryption\r\nSpora actually does not rename encrypted files and targets a comparably small set of extensions. The encryption\r\nprocedure is shown in the diagram below.\r\n.backup, .7z, .rar, .zip, .tiff, .jpeg, .jpg, .accdb, .sqlite, .dbf, .1cd, .mdb, .cd, .cdr, .dwg, .psd, .pdf, .odt, .rtf, .docx,\r\n.xlsx, .doc, .xls\r\nThe Spora encryption shown in an info graphic\r\nSpora generates a pair of RSA keys, C1 and C2 (1024 bit). This newly generated public RSA key C2 is used to\r\nencrypt the per-file AES keys which are also generated by Spora. The generated private RSA key C1 on the other\r\nhand is stored in the .KEY file. That file is encrypted using a newly generated AES Key B (256 bit). The attacker's\r\npublic RSA key A2 is used to encrypt AES key B. The encrypted key B is appended to the .KEY file. 
The figure\r\nbelow shows the code that writes the .KEY file's content including the encrypted AES key B to disk.\r\nA second important file is the .LST file which contains a list of all encrypted files. Its encryption works analogously\r\nto the .KEY file encryption. A new AES key is generated, used to encrypt the .LST contents, encrypted by the\r\npublic RSA key A2 of the attacker and appended to the .LST file in encrypted form (see screenshot below):\r\nUsing this encryption scheme, Spora does not have to obtain a key from a command and control server and can\r\nwork offline. The user has to upload the .KEY file to the payment site. \r\nThe .KEY file is only decryptable by the ransomware authors. Using their private RSA key A1 they could decrypt\r\nthe AES Key B that was appended to the .KEY file. They could decrypt the remaining .KEY file contents\r\nincluding the user's private RSA key C1 using AES key B. Then they may put the private RSA key C1 into a\r\ndecrypter that they send to the user after they have received the payment. This handling ensures that the attackers'\r\nprivate RSA key A1 is not exposed and that the decrypter only works for one user. However, this also means that\r\nthere is only one private RSA key A1 for several infections. If that key is leaked or obtained by law enforcement,\r\nit can be used to decrypt all files that were encrypted by this variant of Spora and as such we can consider it a\r\nmaster key.\r\nThe Spora payment site includes a chat system and provides several decryption packages with\r\nvarying prices\r\nStatistics about encrypted files\r\nSpora counts the number of encrypted files for six different extension categories. 
They are listed in the table\r\nbelow.\r\nThe .KEY file saves these statistical values in the form date|user name|locale|cat1|cat2|cat3|cat4|cat5|cat6, e.g.\r\n13.1.2017|horst|USA|10|2|3|0|103|51\r\nThe same statistics will be used for the naming scheme of the .LST file, the .KEY file and the ransom note. Let's\r\ntake the following triplet of .KEY file, .LST file and ransom note as an example.\r\nRU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.LST\r\nRU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.KEY\r\nRU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.HTML\r\nThe first two letters of the filename are the locale which is RU in our example. The following five letters are the\r\nfirst characters of the MD5 hash for the contents of the .KEY file, in our example '30215'. The counters start right\r\nafter the MD5 substring at the 8th letter. They have to be decoded using the substitution table below:\r\nThat means the file name RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY translates to Russia as\r\nlocation, the characters '30215' for the beginning of the MD5 hash, 12971 encrypted office documents, 6370\r\nencrypted PDF, 8 encrypted CorelDraw/AutoCAD/Photoshop files, 9 encrypted database files, 16632 encrypted\r\nimages and 144 encrypted archives.\r\nAfter uploading the .KEY file to Spora's payment website, the ransom amount will be calculated depending on the\r\nnumber of encrypted files. The table below shows some examples, sorted by the amount of ransom asked (thanks\r\nto xXToffeeXx for providing these):\r\nAdditional behavior\r\nSpora does not bypass User Account Control (UAC). This means the user will be asked whether the malware is\r\nallowed to make changes to the computer in use. 
Spora deletes shadow volume copies and disables Windows error\r\nrecovery and startup repair.\r\nList of files involved\r\nSource: https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware"
	],
	"report_names": [
		"29442-spora-worm-and-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94ff1e03edc2a3c03406f46b101c20b472c7cf08.pdf",
		"text": "https://archive.orkl.eu/94ff1e03edc2a3c03406f46b101c20b472c7cf08.txt",
		"img": "https://archive.orkl.eu/94ff1e03edc2a3c03406f46b101c20b472c7cf08.jpg"
	}
}