Spora is presently among the most common ransomware families. For instance, it struck countless victims in the fake “Chrome Font Pack Update” campaign, encrypting victims’ files even without having to communicate over the Internet. Minerva is releasing a proof-of-concept tool that is able to contain Spora infections by generating an infection marker that this ransomware seeks, to determine whether it’s already running on the system.
Spora’s Infection Marker
After analyzing recent Spora samples, Minerva discovered these specimens use a predictable and consistent method for their mutex-based infection marker. Spora creates a mutex when infecting the system, and checks for its presence to determine whether the system is already infected. It doesn’t infect the system if it locates the mutex.
Spora’s algorithm for naming the mutex consists of a lowercase “m” being concatenated with the Volume serial number in decimal format.
By preemptively generating this mutex, users can render their systems immune against these Spora variants.
Minerva’s Spora Vaccination Tool
Minerva’s free tool offers a proof-of-concept approach for generating the Spora infection marker in the form of the mutex mentioned above. This tool might be practical for protecting individual endpoints against this threat. If running on the system, it’s effective at preventing all Spora infections that we’ve seen to date.
Download Minerva’s Spora vaccination tool here:
The tool’s source code is available at:
Deceiving Malware in the Enterprise
The Spora vaccination tool demonstrates how malware could be deceived into inaction, in this case by presenting a dynamically-generated infection marker to prevent the infection.
However, applying this approach on a large-scale production environment requires an enterprise-focused solution such as the Minerva Anti-Evasion platform.
Minerva stops advanced and evasive attacks that can slip past traditional and next-generation security tools. We do this without relying on signatures or statistical models, which focus on detection rather than prevention.
To learn about how Minerva renders malware ineffective by controlling how it “perceives” reality, please request a demo.