Case subject – Spora “replacer” ransomware (Virustotal details)
For today’s exercise, the Temasoft Research Lab Team focused on a new and intriguing ransomware variant: Spora. This ransomware is interesting because it is what the security community calls a “replacer,” exhibiting a different and more complex behavior than typical ransomware.
We have run the malware sample in our test lab on computers where Temasoft Ranstop is installed. We have observed and recorded the behavior both with the protection on and off.
What are replacers
The replacers belong to a category of ransomware that has a very specific way of rendering the data unavailable. They encrypt information in a very particular way, different and more complex than typical ransomware. Instead of creating an encrypted file container on the disk, separate from the original target file and then removing the latter, as most of the common ransomware does, “replacers” replace the contents of the target files directly, without creating copies or changing the file name or the extension. Some variants encrypt current contents entirely, while others simply replace the contents with other information (like a ransom note). There are also variants that use a mixed approach. Spora is a “replacer” ransomware that fully encrypts the contents of the target files directly, without performing additional file operations. This means that while typical ransomware has a bigger footprint when it comes to file related activity (file read, file create, file write, file delete), replacers have a far smaller one: only read/write operations on the same file. Just like most production applications. This characteristic makes the replacers tough to detect and block.
The Spora “replacer” ransomware is a simple executable that can be accidentally downloaded from malicious websites, or installed by adware or other malicious software. Upon execution, it enumerates files of a particular type and starts encrypting their contents, making them unusable. A ransom note is shown once the activity is complete.
TEMASOFT Ranstop detects and stops this variant in around 2 seconds, time in which the ransomware managed to encrypt around 80 files. At this rate, such a ransomware can corrupt over 100,000 files in an hour’s time. The malware executable was quarantined, and the incident was recorded in the TEMASOFT Ranstop Console. At the same time, the 80 files lost were fully recovered automatically.
TEMASOFT Ranstop managed to successfully block this replacer ransomware which eluded most AV engines, at the time of the test. The video below presents the behavior of the malware when TEMASOFT Ranstop protection is turned on, and when the behavior is turned off, together with the virustotal.com statistics at the time.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.