Illusive Blog March 30, 2017

Detecting & Stopping Spora Ransomware With Deception

By Nir Greenberg

On February 29, 2017 illusive networks received a customer alert and initiated forensic analysis after malicious activity was detected on a certain endpoint in the network. Our Deception Management System identified the malicious activity as Spora, a variant of ransomware which, like Locky, silently encrypts files with selected extensions and then attempts to redeploy itself on additional hosts via elevated privileges. However, with Deceptions Everywhere deployed, illusive networks diverted the ransomware from encrypting files on the original host – redirecting the encryption process to deceptive files – and, more importantly, thwarted the encryption of files located on the company's network shares.

Early and accurate detection allowed the customer to mitigate the attack, quarantine the machine from the network, and protect critical assets. Upon deeper investigation by the illusive Security Operations Team, the sample was discovered to be a new variant of Spora ransomware that was not detected by any other endpoint technology deployed within the customer environment. Moreover, on February 29th VirusTotal reported only 5 antivirus products that could detect the Spora variant as malicious; one week later, 46 antivirus products could detect the sample according to VirusTotal.

Further forensics proved that this exploit masqueraded as the EITest Chrome Font Update campaign on a compromised blog page: visitors were presented with a misformatted blog that appeared as gibberish, along with a message appearing to be from the visitor's Google Chrome browser. The message instructed visitors to download an update to the browser to fix the formatting issue; upon clicking the update button, encryption was initiated and users were forced to pay a ransom to obtain their files.

In the end, Deceptions Everywhere protected this customer's data and provided evidence of the tools and techniques used by the Spora variant. By creating a deceptive layer across the entire network – agentlessly deployed on every endpoint, server and network – illusive networks disrupts and detects breaches with source-based, real-time forensics without interrupting business.