Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

mcafee.com/activate: Spora is a family of ransomware that encrypts the files of the victims and demands money to decrypt the files. It has infected many computers in a short time due to a large spam campaign. It has a very special feature: work offline.

Vector propagation

The spam campaign carries a .zip file, which contains an HTA file (HTML Application) to evade the detection of some email scanners and maximize their reach. The content of the email is carefully designed to attract victims who use social engineering techniques. This HTA file also tricks users by using the double extensions rtf.hta and doc.hta. If the file extensions are hidden in the victim’s machines, they will only see the first extension and could be tricked into opening the file.

The junk email looks like this:


mcafee activate

The content of the HTA file:

At run time, the HTA file releases a JavaScript file in the% Temp% folder. More JavaScript extracts an executable with a random name (in this case: goodtdeaasdbg54.exe) in% TEMP% and runs.

The HTA file also extracts and executes a damaged .docx file and returns an error to distract the victims:


Goodtdeaasdbg54.exe is packaged using the UPX wrapper and contains the payload (Spora). First verify if a copy of this file is running in memory. If not, create a mutex. Spora uses mutex objects to avoid infecting the system more than once.

Spora looks for the logical units available in the system:

Once a resource is available, Spora searches for files to encrypt but avoids “windows”, “program files” and “games”.


Spora removes volume snapshots of the target’s system, thus preventing the user from restoring the encrypted files. (A blind copy is a Windows feature that helps users make backup copies (snapshots) of files or volumes on the computer.) To remove the copies in the hidden volume, Spora uses the command “vssadmin.exe Delete Shadows / All / Quiet”. This ransomware uses the vssadmin.exe utility to silently remove all copies of hidden volumes on the computer.

It also creates .lnk files along with .key and .lst files in the root drive.