Spora, a new ransomware variant recently discovered, has emerged with advanced features which will cause problems for security solutions working to protect against this type of malware.
I was afraid of this. Motivation and resources are driving attackers to innovate too quickly. Malware and security developers are in a constant race to outmaneuver each other. Ransomware has been a troublesome problem and it is getting progressively worse. Only recently have some security tools been able to zero in on a dependency found in most ransomware and use it to become more effective against this rising scourge. Then the game changes again.
Basically, most ransomware calls back to a Command and Control (C2) site run by the attacker to get the encryption key that will lock the victim’s files. This happens after the infection but before any significant damage is done. That was a known point of weakness that anti-ransomware/malware security solutions could take advantage of: watching for this call is a way to detect infections, and if the transmission of the key can be blocked, the ransomware tends to just sit and patiently wait. This gives the security tools time to sweep in and eradicate the infection.
Well, no more. Spora has implemented offline encryption. It bypasses the need to call home for an encryption key and can begin encrypting files immediately once it gains a foothold on the target system. It has a few other features, but none more concerning than the offline encryption capability.
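To make the difference concrete, here is a small added model of the two key-handling flows described above (constructed for this post, not Spora's code or a description of its internals). The callback flow cannot encrypt anything until a key arrives from the C2, so blocking the fetch stalls it; the offline flow generates its key locally and seals it to a public key carried in the binary, so blocking the network changes nothing. The RSA primes and the SHA-256 keystream are toy stand-ins for real primitives, chosen only so the example runs offline.

```python
"""Toy model of callback vs. offline ransomware key handling (constructed)."""
import hashlib
import secrets

# Hypothetical toy RSA keypair (n = 61 * 53). In the offline model only PUB
# ships with the malware; PRIV never leaves the attacker, so nothing on the
# victim host or the wire can recover the file key once it is sealed.
PUB = (3233, 17)      # (n, e)
PRIV = (3233, 2753)   # (n, d)

# Constructed sample "victim files": path -> contents.
FILES = {"report.docx": b"quarterly numbers", "notes.txt": b"call mom"}


def seal(key_int, pub):
    """Encrypt a small integer key to the public key (textbook RSA)."""
    n, e = pub
    return pow(key_int, e, n)


def unseal(sealed, priv):
    """Recover the integer key with the private key."""
    n, d = priv
    return pow(sealed, d, n)


def stream_xor(data, key_int):
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream."""
    ks = hashlib.sha256(str(key_int).encode()).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def callback_flow(files, network_allowed, c2_key=None):
    """Older model: the file key must arrive from the C2 server.
    A blocked fetch leaves nothing to encrypt with, so the sample stalls."""
    if not network_allowed or c2_key is None:
        return "stalled", files
    return "encrypted", {p: stream_xor(d, c2_key) for p, d in files.items()}


def offline_flow(files, network_allowed):
    """Offline model: the file key is generated locally and sealed to PUB.
    network_allowed is accepted but irrelevant; encryption starts at once."""
    file_key = secrets.randbelow(PUB[0] - 2) + 2   # 2 <= key < n
    sealed = seal(file_key, PUB)                   # only PRIV can open this
    enc = {p: stream_xor(d, file_key) for p, d in files.items()}
    return "encrypted", enc, sealed


def recover(enc, sealed, priv):
    """What the private-key holder (and nobody else) can do later."""
    return {p: stream_xor(d, unseal(sealed, priv)) for p, d in enc.items()}
```

With the network cut, `callback_flow` reports `"stalled"` and returns the files untouched, while `offline_flow` reports `"encrypted"` and the files are recoverable only through `PRIV`.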
This evolutionary change was expected, but we all hoped it would take longer before the ransomware writers would successfully develop and implement such a feature. I expect other ransomware suites to follow suit, as this is a big step forward for the attackers.
Well my security colleagues, it is time to ramp-up our innovation. Let’s get cracking!