How To Remove Spora Ransomware Virus And Recover Files

Spora is a new quickly spreading ransomware virus. It encrypts users’ files and makes them impossible to open. The virus then asks to pay a ransom in order to decrypt the files and regain the access to them. The first attacks started in Russia but now it has spread all over the world.

Unlike other “traditional” ransomware viruses Spora is very sophisticated in its implementation. It uses a very strong data encryption method making it unlikely that a decryption tool will be available in the nearest future. The ransomware also has a payment website with multiple services offered, including full file restore, virus removal and even immunity from further attacks.

This is a very aggressive threat and should be removed from your computer immediately. Paying the ransomware does not guarantee that you will regain the access to your files or that the threat will be removed completely since the criminals still have control of your machine. Therefore, the only reliable option is to remove it by using a proper malware removal tool. We have an automatic removal and protection tool listed below. We also have prepared a manual removal guide but it does not guarantee that the threat will be removed completely since it is very sophisticated. Also, removing the virus manually does not protect you from possible future attacks.


Recommended Method: Download Spora Virus Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Spora ransomware virus?

The virus operates similarly to any other ransomware since it also encrypts user’s files and then asks for a payment in order to recover them. However, Spora is made very professionally making it harder to remove and retrieve the files.

This ransomware has a very sophisticated website where infected users can buy full files restore, removal, one file restore or even an immunity from future Spora attacks. It also allows you to decrypt two files for free. The payments are accepted in BitCoin only. The website also has a deadline indicator showing how many days are left until the price increases. It also displays your computer username, block date and has a chat where you can communicate with the creators.

The payment website can be accessed through several domains:

https://spora.bz
https://spora.store
https://spora.one
https://spora.biz
https://spora.bz
https://spora.ht
https://spora.hk
https://spora.ch
https://spora.cc
https://spora.la
https://spora.li

The prices of the recovery are different for each infected user depending on the number of files that the Spora virus manages to encrypt. The more files are encrypted the more it costs to get the decryption key. Currently the virus encrypts a very limited number of file formats but .backup files are among them which means that restoring the ransomed files from backups may become virtually impossible:

.backup, .xlsx, .docx, .rtf, .dwg, .cdr, .cd, .mdb, 
.1cd, .odt, .pdf, .psd, .dbf, .doc, .sqlite, .accdb, 
.jpg, .jpeg, .tiff, .zip, .rar, .7z, .xls.

The virus does not change file extensions after encryption. Instead, it generates randomly named .html and .KEY files and places them in the directories where the encrypted files are located. The .html file leads to the payment website while the .KEY file is required in order to decrypt your files with the software created by the criminals.

The most common way to get infected with this ransomware is by opening spam email attachments. The malicious emails usually contain a .ZIP or .HTA file with a long random name helping to hide the real extension. It later extracts a corrupted .DOCX file. An example of a russian file name is “Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta” which is designed to trick users into thinking that the file extension is actually “.pdf” and not “.hta”.

When the infected file is launched, the virus will immediately start scanning your files and group them according to their perceived importance. It will then start encrypting the files in the background. The virus also places several infected files in your system and modifies many shortcuts (.lnk extension) so that they would launch Spor when clicked. This means that you can activate the virus simply by navigating through your computer.

IMPORTANT: If you believe that you have just been infected by this or any other ransomware you should immediately turn off your computer in order to stop the encryption process and salvage as many files as possible. Common signs that the encryption is currently taking place is increased CPU, RAM and hard disk space usage and a slower machine in general.

Here is an example of a ransom note in Russian language presented in the generated .html file:

Все Ваши рабочие и личные файлы были зашифрованы
Для восстановления информации, получения гарантий и поддержки,
следуйте инструкции в личном кабинете.
SPORA RANSOMWARE
1. Только мы можем восстановить Ваши файлы.
Ваши файлы были модифицированы при помощи алгоритма RSA-1024. 
Обратный процесс восстановления называется дешифрование. 
Для этого необходим Ваш уникальный ключ. Подобрать или "взломать" его невозможно.
2. Не обращайтесь к посредникам!
Все ключи восстановления хранятся только у нас, соответственно, если Вам кто-либо предложит 
восстановить информацию, в лучшем случае, он сперва купит ключ у нас, затем Вам продаст его с наценкой.
Если Вы не смогли найти Ваш ключ синхронизации
Нажмите здесь

The payment instructions presented on the website are as follows:

The procedure of your computer restore
Step I. You need to fill up you balance with an amount equal your price for "Full Restore". 
Note:
- All deposits are possible only via Bitcoin, video about Bitcoin
• Your linked Bitcoin address: 1Gz5ocfBJkyBFaxPs16SNYHKXd2Ujb5fv9
- You did synchronization and received you personal Bitcoin address 
(in payment section "Refill"), where you need to send Bitcoins.
- Basically, you could send needed amount to that Bitcoin address via reputable 
resellers or exchange services.
- Online exchangers work for a long time and have a decent reputation. 
The basic concept of exchange: Your money (USD/EUR) -> Exchange Service (BTC) -> Our Bitcoin wallet
- The list of recommended exchangers: 
• https://buybitcoinworldwide.com
• https://localbitcoins.com
• https://coinmama.com
• https://coinbase.com
• https://coinhouse.io
• Also you could find your local exchanger via Google query: "Buy Bitcoin online".

Recommendation (!), refill your account via small transactions to verify, that system receives your funds. 
After this, you can fill the rest of amount. On the Payment page there is a calculator, 
where you could make necessary calculations.

Step II.
- After your balance is replenished, in section "My Purchasings" you choose FULL RESTORE.
- After successful purchase, click again on the icon. 
You will be prompted to save the recovery utility (archive .ZIP)
- Inside ZIP archive you will find your private key (.key) and recover utility (.exe).
- Unpack .exe file to any place you want and lauch it.
- After short process, all the data will be decrypted.

We strongly discourage you from paying the ransom. Instead, you should remove the ransomware completely by using the automatic removal tool provided at the beginning of this page. This way you will be sure that no remains of the threat are present on your machine and that it is protected from any attacks in the future. We have also prepared a manual removal guide on how to remove the files associated with this virus and recover the encrypted data.

Here are some screenshots of the virus in action:

      


 Manual Removal Instructions:

NB: Even if you follow this guide completely there might be some virus files remaining deep in the system. Therefore, we recommend using the automatic removal tool listed above. This way you will be sure that Spora is removed completely as well as that your computer will be protected from any further threats.

Make sure you bookmark this page as a computer restart will be required. The best way to work is to open this website on a separate device while removing the threat.

Step 1:

You will need to restart the computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the virus and terminate them.

Press CTRL + SHIFT + ESC to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each process manually.

We recommend not skipping any of the processes as viruses sometimes hide in various processes that look like essential Windows components.

Right-click on each of the processes in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened.

Repeat this until you have checked all processes.

Step 3:

Look for any suspicious programs in your startup config.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab.

Uncheck all suspicious entries. Usually they have “Unknown” listed as Manufacturer. However, sometimes they might have a fake manufacturer.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

spora

Click Find Next.

If you find any registry entries that could be associated with Spora ransomware, delete them by right-clicking on it and choosing Delete.

Repeat this search until no results are found anymore.

Step 5:

Clean up Windows temporary files.

Spora is known to create randomly named .exe, .js and .docx files and operate from temporary files directory.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 6:

Check for any recent changes in all the other important system files.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Common files associated with the ransomware:

close.js
<random>.js
<random>.hta
<random>.docx

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files and your .KEY files on a separate media in case you are not able to recover the files using our methods.

Check for Spora decryptor here: List of currently available decryptors. Currently we have no information that such decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Spora decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *