Spora ransomware virus - how to remove and decrypt files (March 2017 update)

Malicious software is becoming more popular among criminals every day, and more and more scammers become millionaires thanks to new viruses. Viruses from the "ransomware" family are the most profitable, and because of this, hundreds of new programs appear every day. Most of them are lost in obscurity, since creating ransomware requires certain skills, time and resources. However, some programs become well known, and serious hacking specialists at the world's leading IT companies take an interest in them. Today we are talking about one such program, called Spora ransomware.

Spora is focused on the English, Russian and French segments of the Internet, and therefore has a manual translated into these three languages. However, judging by its price compared with the most famous ransomware, such as Locky or Cerber, Spora is still focused specifically on the countries of the former Soviet Union. The amount that the extortionists demand for full restoration of the system and all infected files is $79. In addition, the fraudsters' website offers a few extra features that cost from $20 to $79. When the virus encrypts the victim's files, it generates a "key" that contains information about the number of encrypted files. The more files you had, the more you will have to pay. The scammers also analyze the file names to decide whether the victim is a common user or a company, and change the price accordingly.

The virus uses the standard encryption scheme and public algorithms such as AES and RSA. Files are encrypted on your computer using one of these algorithms, and the resulting key is encrypted using the other to eliminate the possibility of decryption. That key is in turn encrypted with the public key embedded in the malware's code, and this last key is saved in the "key" file, which also contains information about your system and the number of files. The infection spreads through fake invoices, resumes, invitations, notifications and other documents sent by e-mail. Each letter has an attachment that contains a script to install the virus. If a user receives such a letter and opens the attached file, the virus is installed and immediately begins to encrypt the data on the computer. Once the encryption process is completed, the user receives a message with the requirements and conditions.

Unlike most modern ransomware, Spora does not receive data from a C&C center and does not send any data, staying offline the whole time. On the one hand, this makes the virus a little harder to control; on the other hand, it increases the level of security and removes the worry of how to hide an IP address. Another difference from other ransomware species is that the Spora developers managed to create a nice website that looks and works pretty well. It offers many options for ransomware victims and a tech-support service that really answers questions. The scammers are trying very hard to make the victims pay, and even offer 10% of the money back to users who have already paid for decryption if they comment in forum threads about Spora and say that the scammers really restore files after the payment. All these signs tell us that the Spora creators are very experienced in their business and, most likely, were involved in the creation of other ransomware.

Regarding the country of origin of the virus, we cannot say anything definite. After the commotion that arose around the so-called "Russian hackers" who influenced the election of the president of America, most scammers are inadvertently inserting a few words in Russian into their programs, or in some other way indicating that they belong to the great and terrible "Russian hackers". In conclusion, we want to tell you that in any case we recommend not paying for decryption. The wisest solution is to remove the virus from the computer and wait until its encryption keys are revealed. If Spora is currently on your computer, you might want to know how to remove the virus from your system. The removal guide is on video under this paragraph. You can also use the instructions below.

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot.

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify the hosts file, which is located in C:\Windows\System32\drivers\etc\ .

Open the file with Notepad and delete suspicious strings.

It has to look like this:

[Screenshot: hosts file, step 3]

Step 4. Scan the system with an antivirus scanner


Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab
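
The manual checks in Steps 2, 3 and 5 can also be done from a PowerShell prompt. The script below is an added example, not part of the original guide and not specific to Spora: the function name Get-ActiveHostsEntry and the sample lines are constructed for illustration. It assumes that a default Windows hosts file contains only comment lines and that the Safe boot checkbox in Msconfig is stored as the safeboot value of the current boot entry.

```powershell
# Added example: read-only review for Steps 2, 3 and 5. Run from an elevated prompt.

# Step 2: list every program registered to start automatically.
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap

# Step 3: return the active (uncommented) mappings found in hosts-file lines.
function Get-ActiveHostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()   # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # malformed line, no host name
        $isLoopback = $fields[0] -in @('127.0.0.1', '::1')
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Address  = $fields[0]
                HostName = $name
                # Only localhost -> loopback is expected; everything else needs a look.
                Review   = -not ($isLoopback -and $name -eq 'localhost')
            }
        }
    }
}

# Constructed sample lines (not taken from an infected machine).
$sample = @(
    '# 127.0.0.1 localhost',
    '127.0.0.1   localhost',
    '203.0.113.10   updates.example.test   # constructed entry'
)
Get-ActiveHostsEntry -Lines $sample | Format-Table -AutoSize

# The real file, at the path given in Step 3.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-ActiveHostsEntry -Lines (Get-Content -LiteralPath $hostsPath) |
    Where-Object { $_.Review } | Format-Table -AutoSize

# Step 5: confirm the Safe boot flag is gone from the current boot entry.
if (bcdedit /enum '{current}' | Select-String -Pattern 'safeboot') {
    'Safe boot is still enabled for the current boot entry.'
} else {
    'Safe boot is not set.'
}
```

The script changes nothing; entries marked for review still have to be judged and removed by hand as described in the steps above.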



Tips on decrypting files can be found in a specialized article called "How to decrypt files, corrupted by ransomware".

