Palo Alto Networks threat intelligence analyst Brad Duncan has found that Spora, a ransomware family that encrypts victims' files without needing an internet connection and generates no traffic to command-and-control servers, is being spread through fake "Chrome Font Pack" pop-ups.
Tricking Users Into Downloading The Spora Ransomware
Most ransomware spreads either through spam email attachments or through compromised ad networks and websites. Either way, the attackers need the user to click on something so that the ransomware gets downloaded and installed.
Sometimes, if users' browsers or operating systems are not up-to-date, the ransomware can also be downloaded and installed automatically by exploiting unpatched software vulnerabilities.
Spora's operators have compromised multiple websites, most likely with automated scripts that exploit known but unpatched server-side vulnerabilities. They use that access to place their own files on the servers.
They then alter the compromised pages so that the text renders as gibberish and show visitors a message claiming that the "HoeflerText" font is missing and can be restored by downloading a supposed "Chrome Font Pack."
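On the server side, the simplest control that catches what is described above is an integrity baseline of the web root: hash every file once, re-hash later, and report what was added or changed. The script below is an added illustration, not code from the article or from Palo Alto Networks. The web root contents, the altered page and the dropped payload file name are constructed for the demo; the name "update.exe" is reused from the article's installer only as a placeholder.

```python
"""Detect files added or altered in a web root after a compromise.

Added example (not from the article or from Palo Alto Networks): a SHA-256
baseline of the document root, re-hashed later and diffed, which exposes both
a defaced page and an uploaded payload. All file names and contents here are
constructed for the demo.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return the added, modified and removed relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Build a throwaway web root, baseline it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body><p>Welcome to the site.</p></body></html>\n")
        with open(os.path.join(root, "css", "site.css"), "w") as fh:
            fh.write("body { font-family: sans-serif; }\n")
        baseline = snapshot(root)

        # Constructed compromise: the page is rewritten to carry the lure and a
        # new file appears in the document root. The payload is a harmless
        # placeholder string, not an executable.
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body><p>W&#xFFFD;lc&#xFFFD;me</p>"
                     "<script>/* fake font-pack dialog would be injected here */</script>"
                     "</body></html>\n")
        with open(os.path.join(root, "update.exe"), "wb") as fh:
            fh.write(b"placeholder, not an executable")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run the baseline from a known-clean deploy and store it off-host; a baseline taken after the compromise simply bakes the attacker's files in. Exclude directories the application legitimately writes to (uploads, caches) or the diff will be noisy.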
Installing The Spora Ransomware
Victims infect themselves when they click the pop-up and run the download, locking their own files. The installation is not automatic: the user still has to be tricked into running the "update.exe" file that installs the malware. But anyone who has already downloaded a fake Chrome font pack is likely to run it as well, and Spora's operators "helpfully" point out where the downloaded file can be found.
Unlike ransomware families that encrypt whole drives, Spora appears to encrypt only files with the following extensions:
.xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup
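Because Spora encrypts in place with no network traffic, the host-side signal is a burst of writes by one process across many files of these types. The detector below is an added example, not code from the article or from Palo Alto Networks. It parses file-activity records in a constructed "<unix_ts> <process> <action> <path>" format (an assumption for the demo; map your EDR or Sysmon fields onto it) and alerts when a single process rewrites many targeted files of several different types within a short window. The thresholds are assumptions, and the sample log, including the process named after the article's installer, is constructed.

```python
"""Flag ransomware-style write bursts against the file types Spora targets.

Added example, not code from the article or from Palo Alto Networks. Records
are "<unix_ts> <process> <action> <path>" (a format assumed for this demo);
thresholds are assumptions, not values from the article.
"""
from collections import defaultdict

# Extensions the article lists as the ones Spora encrypts.
SPORA_EXTENSIONS = {
    ".xls", ".doc", ".xlsx", ".docx", ".rtf", ".odt", ".pdf", ".psd", ".dwg",
    ".cdr", ".cd", ".mdb", ".1cd", ".dbf", ".sqlite", ".accdb", ".jpg",
    ".jpeg", ".tiff", ".zip", ".rar", ".7z", ".backup",
}

# Constructed sample: a document editor, a backup job and a process named after
# the installer in the article. The backup job is the deliberate edge case:
# many writes, but all of one file type, so it must not alert.
SAMPLE_LOG = r"""
1485900000.0 WINWORD.EXE WRITE C:\Users\alice\Documents\report.docx
1485900002.5 WINWORD.EXE WRITE C:\Users\alice\Documents\~$report.docx
1485900100.0 backup.exe WRITE D:\backups\mon.backup
1485900100.5 backup.exe WRITE D:\backups\tue.backup
1485900101.0 backup.exe WRITE D:\backups\wed.backup
1485900101.5 backup.exe WRITE D:\backups\thu.backup
1485900102.0 backup.exe WRITE D:\backups\fri.backup
1485900102.5 backup.exe WRITE D:\backups\sat.backup
1485900103.0 backup.exe WRITE D:\backups\sun.backup
1485900103.5 backup.exe WRITE D:\backups\full.backup
1485900200.0 update.exe WRITE C:\Users\alice\Documents\report.docx
1485900200.3 update.exe WRITE C:\Users\alice\Documents\budget.xlsx
1485900200.6 update.exe WRITE C:\Users\alice\Documents\contract.pdf
1485900200.9 update.exe WRITE C:\Users\alice\Pictures\holiday.jpg
1485900201.2 update.exe WRITE C:\Users\alice\Pictures\family.jpeg
1485900201.5 update.exe WRITE C:\Users\alice\Desktop\notes.rtf
1485900201.8 update.exe WRITE C:\Users\alice\Desktop\archive.zip
1485900202.1 update.exe WRITE C:\Users\alice\Desktop\old.rar
1485900202.4 update.exe READ C:\Users\alice\Desktop\readme.txt
1485900202.7 update.exe WRITE C:\Users\alice\Documents\db.accdb
"""


def parse_event(line):
    """Split one record into (timestamp, process, action, path); the path may contain spaces."""
    ts, proc, action, path = line.split(maxsplit=3)
    return float(ts), proc, action, path


def extension(path):
    """Lower-cased final extension of a Windows or POSIX path, '' if there is none."""
    dot = path.rfind(".")
    sep = max(path.rfind("\\"), path.rfind("/"))
    return path[dot:].lower() if dot > sep else ""


def detect_bursts(lines, window_s=10.0, min_files=8, min_kinds=3):
    """Return one alert per process that wrote >= min_files distinct targeted files
    spanning >= min_kinds extensions inside some window_s-second window."""
    events = [parse_event(line) for line in lines if line.strip()]
    by_proc = defaultdict(list)
    for ts, proc, action, path in sorted(events):
        if action == "WRITE" and extension(path) in SPORA_EXTENSIONS:
            by_proc[proc].append((ts, path))

    alerts = []
    for proc, evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:   # slide the window forward
                start += 1
            paths = {p for _, p in evs[start:end + 1]}
            if len(paths) < min_files or len({extension(p) for p in paths}) < min_kinds:
                continue
            # Burst confirmed: absorb later events that still fit the window, report once.
            while end + 1 < len(evs) and evs[end + 1][0] - evs[start][0] <= window_s:
                end += 1
            paths = {p for _, p in evs[start:end + 1]}
            alerts.append({
                "process": proc,
                "start": evs[start][0],
                "end": evs[end][0],
                "files": len(paths),
                "extensions": sorted({extension(p) for p in paths}),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The min_kinds threshold is what keeps backup and archiving jobs quiet: they touch many files, but usually of one type, whereas an encryptor walking a user profile hits documents, pictures and archives in the same few seconds. Tune window_s and min_files against your own baseline; on a fast disk the real burst is far denser than this sample.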
Afterwards, victims are shown a note telling them that their files have been encrypted and that they must log in to the Spora payment site to find out how much ransom is being demanded.
As always, don't install anything a web pop-up tells you to install. Even when the problem a pop-up warns about is real, a missing Flash plugin for instance, it is safer to check for yourself and obtain the files from the vendor's own site rather than from the pop-up.