SPORA Ransomware Virus (Restore Files and Remove) - How to, Technology and PC Security Forum | SensorsTechForum.com

SPORA Ransomware Virus (Restore Files and Remove)

An article created to learn more about SPORA ransomware, remove virus files and try to decrypt encrypted data.

The notorious SPORA ransomware which was first detected back in 11th of January has begun to have worm-like spreading capabilities. This virus aims to perform multiple modifications on pictures, music, documents on the computers it infects resulting in those files becoming corrupt. But not permanently, SPORA ransomware begins to demand from the user to pay a hefty ransom fee, but this is not all, the virus also offers unique payment options and even offers future immunity. In case you have become a victim, we’d still advise not to pay any ransom to the crooks, behind it. Instead, read our article on SPORA and see other methods on removing it and restoring encrypted files.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to a well-designed web-page.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by SPORA


Malware Removal Tool

User ExperienceJoin our forum to Discuss SPORA.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

The SPORA Virus – Ransomware Information

This really appears to be ransomware on the next level, based on how it was created and the “customer service” this threat offers. But there are other innovations as well, primarily in terms of how it infects.

SPORA’s Infection Methods

To cause an infection, the criminals who are behind SPORA have used quite the unique technique – they are using a worm. These type of worms cause much more damage in much shorter time frames. A worm does not traditionally infect by opening an executable, instead it automatically moves from one infected computer to another one in a given network. So the cyber-criminals may still use spammed e-mails to spread SPORA ransomware, but this time they may aim to inflict maximum damage to a network by infecting other computers in it, besides the “patient zero” PC.

The e-mails that were detected to spread SPORA ransomware were e-mails that contain .ZIP archives and in those there were .HTA types of files. These files aim to resemble fake .PDF files and end with “.pdf.hta” where the actual file extension is the .hta one. The user is usually driven to be misled that this is a document that was processed, like a request, for example and becomes fooled into opening it.

After opening the file, SPORA drops it’s distinctive payload which consists of:

  • The flash exploit kit file, belonging to RIG-V(latest RIG EK) version).
  • A randomly named .tmp.exe file which is the actual encryption module.
  • An .html file, linking to SPORA’s web page.
  • Another .html file with the ransom note and unique ID of the victim.

Security researchers feel strongly convinced that SPORA ransomware is injected by connecting the .hta file from a compromised website. From there the virus may begin to spread from a computer to computer to terrorize users.

SPORA Ransomware’s Encryption and Ransom

SPORA is very interesting when it comes to encryption, because it looks evolved there as well. One key indicator for the ransomware to be evolved is the extremely well-designed payment web page which offers multiple methods to pay and even “kindly” enough offers future immunity against attacks and the free decryption of 2 files.

The ransomware even has an online chat service which can help the victim establish communication with the criminals. All of these tools and tricks are believed by experts to be created for the purpose of giving users the sense that they have fallen in the right wrong hands, increasing the belief that their files will be restore after paying the ransom. However, paying is still highly inadvisable for obvious reasons:

  • You may not get your files back.
  • You may not be immune against future attacks.
  • You support the cyber-criminals to spread SPORA even more.

This is why we advise you to follow our guidelines for removing the virus and trying to restore your files while waiting for a decryptor.

Remove SPORA and Try Decrypting Your Files

The first thing to do if you are infected by SPORA ransomware is to immediately turn of the internet connection of the infected computer because this virus uses a worm to infect other PCs on your network.

Then, we advise immediately downloading and installing an advanced anti malware tool on the infected computer, and hence removing SPORA automatically. This can happen if you follow the removal instructions below.

After having removed this virus, we recommend you to backup the encrypted files and leave copies of them on your computer. Then you can try the file restoration methods we have suggested below at step “2. Restore files encrypted by Spora”. They may not be fully successful, but some users have reported restoring encrypted files, so it really depends on what is your situation.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share