Stung by Spora Ransomware - Bastard!

Discussion in 'BlackHat Lounge' started by Hawkster, Jan 20, 2017.

  1. Hawkster

    So I was busy creating a link list in ScrapeBox, and I decided I wanted to manually check a few. Opened up a link in Chrome and the font on the page was all messed up; after a few seconds a box shows up (seemingly from Google) saying something like 'font outdated' or some shit.

    In a moment of dumbness I clicked the exe download and ran it. Now all my Word files etc. are encrypted. It opens a tab in the browser to tell you your files are encrypted.

    I did a system restore to yesterday but somehow that didn't work.

    I also followed this video but somehow the fucking virus is checking the box in the startup menu after I uncheck it.

    So yeah, that's what I'm doing right now lol

    Info:

    https://www.pcrisk.com/removal-guides/10824-spora-ransomware
    https://threatpost.com/spora-ransomware-offers-victims-unique-payment-options/123130/
    https://www.bleepingcomputer.com/ne...he-most-sophisticated-payment-site-as-of-yet/

    Newly written article: https://www.bleepingcomputer.com/ne...ry-20th-2017-satan-raas-spora-locky-and-more/
     
    Last edited: Jan 20, 2017
  2. ArtOfVaw

    Here are some tips to start surfing the internet securely:

    - Don't rush.
    - Check if the content is legit (through many ways).
    - Don't use Microsoft Windows.

    Shit, I've heard about another ransomware that offers to decrypt your files for free as soon as you "invite" your friends (two of them) to download it. Forgot the name tho.
     
    • Thanks Thanks x 6
  3. bartosimpsonio

    Geez man sorry to hear you fell for this.

    I haven't heard of this particular plague, but from other cases I've heard of, 90% ended up paying ransom. Sucks.
     
    • Thanks Thanks x 5
  4. asap1

    Damn, that sucks.
     
  5. tymillz

    I recently got hit with ransomware. Cleaned my server. Server was clean for a week or so and bang, got hit again. I ended up wiping the server and saying fuck it.
     
    • Thanks Thanks x 3
  6. datsunguy

    Ouch, that's terrible, I hope you have your files backed up.

    What's the ransom they are charging?
     
  7. elavmunretea

    Sometimes they hide in the System files and are fully undetectable.

    Last week I was installing something and after a minute or so I had a whole desktop full of shit. Every time my AV removed it and rebooted, it was there again.

    Like you said, wiping Windows is the best way to deal with this shit.
     
    • Thanks Thanks x 1
  8. Reaver

    Ouch.

    Let us know how it goes honey bunch. You may have to wipe everything like @tymillz did.

    I was wondering if you ever got that fixed. You in the clear now?
     
    • Thanks Thanks x 1
  9. Capo Dei Capi

    One of the best ways to prevent them is to build up a massive list of sites blocked in the hosts file in addition to using AdGuard in a Chromium browser. So many sites are blocked using that combination.

    I got one of those things a few years ago and I immediately turned off the PC and used a Linux startup disk to delete the bad files and recover the important good files that weren't corrupted yet.
     
    • Thanks Thanks x 2
  10. tb303

    I didn't see him do it in the video, so sorry if you tried this already.
    But you should also go to the Services tab in msconfig. Select "Hide all Microsoft services" and disable everything you see that looks odd before reboot. If this stops it coming back, then re-enable one by one until you find the culprit.
    Also I had an infection recently that kept being triggered by Chrome's thumbnail view of most visited. I had to delete the contents of Chrome's AppData folder to stop it coming back. Random but worth knowing.
     
    • Thanks Thanks x 1
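
    The msconfig review described in the post above can also be done as a read-only inventory before anything is disabled. This PowerShell sketch is an added example, not part of any post in the thread; the function names are hypothetical, and the CompanyName filter only approximates msconfig's "Hide all Microsoft services" option (an assumption):

```powershell
# Added example, read-only: inventories auto-start services and startup
# commands so odd entries can be reviewed before disabling anything.
# The CompanyName filter only approximates msconfig's "Hide all Microsoft
# services" (assumption); version-resource strings can be forged, so the
# Authenticode status is reported alongside it.

function Get-ExePath {
    param([string]$CommandLine)
    # A service PathName may be quoted and may carry arguments.
    if ($CommandLine -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-NonMicrosoftAutoService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $exe  = Get-ExePath $_.PathName
            $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
            $sig  = if ($file) {
                [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $exe
                Company   = if ($file) { $file.VersionInfo.CompanyName } else { $null }
                Signature = $sig
            }
        } |
        # Keep anything not attributed to Microsoft, or not validly signed.
        Where-Object { $_.Company -notmatch 'Microsoft' -or $_.Signature -ne 'Valid' }
}

function Get-StartupEntry {
    # Win32_StartupCommand covers the Run registry keys and Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

Get-NonMicrosoftAutoService | Sort-Object Name | Format-Table -AutoSize -Wrap
Get-StartupEntry | Format-Table -AutoSize -Wrap
```

    Entries whose signature status is not Valid, or whose path sits under a user profile or temp directory, are the ones to review first; a startup entry that reappears after being unchecked usually means another item in these lists is rewriting it.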
  11. tymillz

    Yeah after a complete wipe. I swore I was clean and then bang they kidnapped my shit all over again. I know they were Russian but if they were Russian women I would've offered the good ole HJV in return for my server.
     
    • Thanks Thanks x 1
  12. Hawkster

    $79

    I ain't fuckin paying them anything, they can fuck right off. I'll throw my PC in the bin before I do that.

     
    • Thanks Thanks x 6
  13. datsunguy

    Good on ya, don't give in.
    If you don't absolutely have to get a few docs back, don't do it.
     
  14. fullwall3t

    I was able to decrypt the files with software, I forgot the name :/ . But from what you have written I probably got an older version of this virus.
     
  15. MisterF

    Scum like this need their hands nailing to the floor.
     
    • Thanks Thanks x 4
  16. nakaam30

    Someone needs to find out where those assholes live and nuke the sh*t out of them, along with those IRS scammers.
     
  17. redarrow

    I looked heavily into this, even file-wise; there's no way to unencrypt the files. Best to reinstall the OS and make a clone, and if it happens in future, reload the clone.

    There's no way to unencrypt the files unless you pay for the encryption key that encrypted them all.

    You must have made backups; you know the score with any PC work: always back up, and even make another backup on disc.

    The random infection is ruthless.
    It goes through all your files just the same as any virus check, then encrypts the files and DLLs of the programs and folders. It has cost businesses millions. Top hackers and programmers tried their best to unencrypt the files, but there are so many different encrypted files that most gave up. It's been impossible to solve; the only solution was the one I posted above....
     
    Last edited: Jan 20, 2017
  18. Conor

    Thankfully all my important stuff (Totally legal movies and music) are on an external hard drive, whilst business documents are saved on Google Drive. I should be okay if this ever happens to me. Let's hope you haven't got anything super important at risk OP.
     
  19. Taegn

    If the developer was even moderately competent you will have a really tough time of this...
     
  20. Hawkster

    Think I've successfully got rid of it from the PC.

    Interestingly, it seems only WordPad files are affected; all the text in those files is encrypted, while text in Notepad files remains as it was.

    Can access all programs, videos, images etc.