- 220.127.116.11 – fredomasearchdsd.top – RIG-v EK
- 18.104.22.168 – spora.biz – Spora ransomware domain
File name: Landing Page.html
File name: Flash Exploit.swf
File name: radF0D46.tmp.exe
I found a website with an iframe containing a URL for a RIG-v EK landing page:
It doesn’t look like EITest or pseudo-Darkleech. Anyways, as I stated above, the URL is for a RIG-v landing page and not the “pre-landing” page that we’ve been seeing lately. I’m not sure why the “pre-landing” page wasn’t used this time. It could be a one-off or maybe they’re changing tactics again.
Next we see the request for the landing page, followed by the Flash exploit:
Following the Flash exploit we see two requests for the same payload:
The malware payload is dropped in %Temp%:
And it is copied in the user’s root directory (C:):
Scanning the file shows it is Spora ransomware. This is also obvious as there is a Spora ransom note that pop-ups on the user’s Desktop (.HTML):
Logging in presents the user with the following Spora ransomware client page:
Users must click on “CHOOSE .KEY” and select the .KEY file that has been dropped on their Desktop (circled in red below):
Once the .KEY file has been uploaded the user will click on “SYNCHRONIZE”. After that the user will see their Block Date and their Username (circled in red):
Notice how they are offering live chat support. People in chat are upset that they paid but their files aren’t being decrypted. Other modules on the page show current transactions, available payment methods and a deadline to pay (7 days). Also there is a “discount” option under Available Payments. These people really are bastards.
It is a good idea to have backups of important documents and pictures stored someplace else (Flash drive, disconnected external hard drive, etc.) in case your computer does get hit with ransomware. I would recommend not paying them but people will have to make their own decisions.
Here are some processes found while running the sample:
Spora is using common methods seen with other ransomware variants. My recommendations would be to block the RIG-v EK IP at your perimeter firewall(s) and to disable vssadmin.exe. To read more about why and how you should disable vssadmin.exe click HERE.
Until next time!