How to Remove Spora Ransomware and Recover Encrypted Files?

Hi, this is Bob. Did you go into my room? Why can’t I find my important files? Oh, I am sorry to be angry at you. Just now I have found my files but I can’t open them. These files seem to be locked by Spora Ransomware. There is an HTML file among the locked files. I am told that as long as I pay the price, the key to unlock the files will be sent to me. Should I believe the words? Are there other ways to get my files back? I don’t really want to spend a dime. Do you know Spora Ransomware? Any help will be appreciated.



Know about Spora Ransomware


Spora Ransomware is a new ransomware discovered on January 10th, 2017. The Spora ransomware comes from Russia, judging by the language it uses and the origin of the threat name, both of which are associated with Russian. In Russian, the name “Spora” refers to the victims. Its appearance quickly attracted the attention of many computer security researchers because the ransomware has the ability to attack online users. It also has a strong encryption engine and an advanced payment site, so it is regarded as one of the most sophisticated ransomware families. Like most ransomware, it mainly encrypts victims’ important files and asks for a ransom. However, there is a big difference between this ransomware and others: Spora doesn’t rename encrypted files or add a specific extension to file names. For example, “1.jpg” encrypted by Osiris Ransomware will be renamed to “D89BBG4-G8A1-8G01-AR1G6L1K-HAKK3LOHGM31.osiris”, as shown in the figure below. Unlike Osiris, files encrypted by Spora ransomware don’t get a special name. Your encrypted files retain their original name and file extension.


Files that have extensions below may be easily targeted and encrypted by the ransomware:

.backup, .xlsx, .docx, .rtf, .dwg, .cdr, .cd, .mdb, .1cd, .odt, .pdf, .psd, .dbf, .doc, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .xls.


Files not only on local drives but also on shared network drives will be encrypted by the ransomware. However, the ransomware won’t encrypt Windows system files and program directories, so that victims can still start their computer and pay the ransom.
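Because file names and extensions stay unchanged, a listing of names cannot show which files were hit. The added example below (not part of the original article) compares each file's first bytes with the usual signature for its extension and also collects .KEY files; it assumes encrypted content no longer starts with the normal signature, and the sample files and their names are constructed.

```python
import os
import tempfile

ZIP, OLE = b"PK\x03\x04", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Well-known leading signatures for some of the extensions the article lists.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"], ".pdf": [b"%PDF-"],
    ".psd": [b"8BPS"], ".rtf": [b"{\\rtf"], ".rar": [b"Rar!\x1a\x07"],
    ".zip": [ZIP, b"PK\x05\x06"], ".docx": [ZIP], ".xlsx": [ZIP], ".odt": [ZIP],
    ".doc": [OLE], ".xls": [OLE], ".sqlite": [b"SQLite format 3\x00"],
}

def header_matches(path):
    """True/False for a known extension; None if the type is unknown or the file is empty."""
    magics = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if magics is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(m) for m in magics) if head else None

def triage(root):
    """Return (files whose header contradicts their extension, .KEY files found)."""
    suspects, key_files = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            if name.lower().endswith(".key"):
                key_files.append(rel)
            elif header_matches(os.path.join(root, rel)) is False:
                suspects.append(rel)
    return sorted(suspects), sorted(key_files)

def build_sample_tree(root):
    """Constructed sample data: two intact files, one scrambled header, one .KEY file."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
        "report.pdf": b"%PDF-1.4\n",
        "budget.xlsx": bytes(range(200, 232)),  # name kept, but not a ZIP container
        "EXAMPLE-ID.KEY": b"placeholder",       # constructed name, not a real key file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A header mismatch only marks a file for review: a renamed or corrupted file triggers it too, so compare the result against backups before drawing conclusions.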


Have you received the ransom note? While encrypting victims’ files, the ransomware creates a .KEY file and an HTML file. The HTML file contains the ransom note, as shown in the two pictures.

The screenshots of the ransom note:

(The Russian Ransom Note)



(Translated Ransom Note)



What Information You Get from the Ransom Note?

  • Users are told that all files have been encrypted. Other ransomware makes excuses for encrypting files, such as claiming to protect your computer. Spora doesn’t. It comes straight to the point.
  • The ransomware claims that only its developers can restore the encrypted files. Indeed, it is difficult to decrypt the files because the ransomware employs the RSA-1024 algorithm and AES encryption. There are two keys: the public key for encryption and the private key for decryption. The private key is usually stored on remote servers. Victims are encouraged to follow the instructions and get the private key to decrypt their files. The KEY file, which is named with random characters and placed in every folder, needs to be sent to the developers of the ransomware through the payment website in order to decrypt your important files.

(The screenshot of Spora payment website)



Spora Ransomware has a professional payment website that gives detailed instructions. Once computer users click on the ransom note, they are redirected to the payment website. Every user receives their own ID based on different host servers so that they can purchase the private key to decrypt files. Unlike other ransomware, the payment site of Spora provides victims with several options. For example, you can pay $79 for fully restoring files, $50 for ostensible immunity or $20 for removing the ransomware from the system. Some ransomware, like Cerber, encourages users to purchase one decryption tool that covers every service. The developers of Spora, however, split the decryption services into several parts in the hope that users will buy several times, which increases their revenue and profit. Victims are only allowed to pay in Bitcoin (a digital currency). By the end of January 16th, Spora’s developers had improved the payment website. In addition to the different decryption options, the website provides a Help page and details of available payments, including discounts and deadlines. On the right side of the website there is a public communication window where users can make transactions or hold discussions. In general, you can’t access the payment website because it is not public and is hidden in the Tor anonymity network. Victims can log into the payment website because they have their own ID provided by the ransom note. After the website receives the information from the ID and the key file, victims are quickly provided with the payment options.


Computer users are advised not to pay the ransom even though the payment website looks friendly and professional. It is not safe to make any transaction on an unfamiliar payment website. There is a big possibility that your personal information or identity will be leaked or stolen. If possible, computer users should choose a reliable anti-malware program to remove the malicious payload and decrypt locked files rather than visit the payment website.



How Does Spora Ransomware Get Installed on Your Computer


The ransomware is mainly distributed through spam emails and their attachments. In general, each malicious email contains an HTA file, and the sender takes every opportunity to send such emails to a victim. The email attachment is a ZIP file, and the HTA file is inside it. These HTA files are disguised as PDF or DOC files. Once the HTA file is executed, a JavaScript file is extracted from it and placed, under the name “close.js”, in the %Temp% folder. The ransomware executable is in turn extracted from the JavaScript file, and the ransomware then begins a series of malicious activities. In addition to the executable, a .docx file is extracted and then opened. Its purpose is to send the false message that the downloaded attachment cannot be opened. Hence, the victim only sees that the downloaded document is blank or filled with garbled text, which is a technique the ransomware uses to conceal its real purpose and activities. The ransomware thus gets in and encrypts the user’s files in secret.
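A mail filter can stop this chain at the first step by looking inside ZIP attachments before delivery. The following added example (not from the original article) flags script files in an archive and marks those hiding behind a document extension; the double-extension naming, the extension lists and the sample file names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types that Windows runs on double-click (assumed policy list).
RISKY_EXT = {".hta", ".js", ".jse", ".vbs", ".wsf"}
# Document types the article says the HTA files imitate.
DECOY_EXT = {".pdf", ".doc", ".docx"}

def inspect_zip_attachment(data: bytes) -> list:
    """Return (member, reason) for every archive member a filter should block."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(None, "not a readable ZIP")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them first.
            name = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(". ")
            suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in RISKY_EXT:
                continue
            disguised = any(s in DECOY_EXT for s in suffixes[:-1])
            reason = "script disguised as document" if disguised else "script file in archive"
            findings.append((info.filename, reason))
    return findings

def build_sample_zip(names):
    """Constructed sample: harmless one-line text files stored under the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, "constructed sample, not malware")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(["Invoice_2017.pdf.hta", "readme.txt", "scan.doc.HTA"])
    for finding in inspect_zip_attachment(sample):
        print(finding)
```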



Summary about Spora Ransomware

Threat Name: Spora Ransomware
Category: Ransomware; Malware
Type of encryption algorithm: RSA-1024 algorithm and AES cryptography
Danger Level: 8
Operating System: Windows XP, Windows 7, Windows Vista, Windows 8/8.1 and Windows 10
Symptoms: ① Encrypt your important data ② Extort computer users and demand ransom ③ Decrease computer performance
Ransom: Varied

Payment Options:

FULL RESTORE: Fully restores the affected files.
IMMUNITY: Guarantees immunity from malware.
REMOVAL: Delete the malicious payload from the computer.
FILE RESTORE: Restores individual files.

Distribution Methods: Via spam emails, attachments, suspicious links or exploit kits.
Solution: Read the detailed guide below or download a removal tool!


Spora Ransomware Removal Instruction

Restart Your PC in Safe Mode

Use Auto-fix Tool to Remove Spora Ransomware

File Restoring Instruction

Option One Use Windows Previous Versions feature

Option Two Use System Restore

How Can You Keep Your System From Spora?

Restart Your PC in Safe Mode


For Windows 8/10 Users


Press Windows + R key to initiate “Run” dialogue box.



Type “msconfig” in the dialog box and hit Enter key.


Go to the Boot tab and then select the Safe Boot option.



Click on Apply and OK button for changes to take effect.


Choose Restart when prompted by System Configuration, or go to the Power menu and then click on Restart.



And then you will see a blue screen, please select Troubleshoot > Advanced options > Windows Startup Settings > click Restart button.


When you see the screen below, select 5) Enable Safe Mode with Networking by pressing F5 or 5 key.



The black wallpaper and the Windows Help and Support window are the signs that you have entered Safe Mode.




For Windows 7/XP Users


Go to Start menu and then click on Restart button.



Tap the F8 key before the Windows logo appears.



Use the arrow keys to highlight Safe Mode or Safe Mode with Networking from Advanced Boot Options menu, as shown below.



And then you will enter Safe Mode. After you enter the system, the Windows Help and Support window will pop up and give details of Safe Mode and instruction.



Use Auto-fix Tool to Remove Spora Ransomware


Click on the button below and download SpyHunter.


When you open the SpyHunter-Installer, you may be asked whether you want to run this file. In this case, please click Run button.



Select your language and click OK button.



Click Continue button when Enigma Software Installer pops up.



Opt for I accept the EULA and Privacy Policy option and click Install button.



When the setup is completed, click Exit button.



After installation is completed, run SpyHunter, go to the “Start a New System Scan” tab, and click “Scan Computer Now!”



After the scan is finished, the screen shows all detected items in a list (click + to read more descriptions about the infection).

Now, press the “Fix Threats” button to remove the detected computer threats.



Reboot the computer for the changes to take effect if the program asks you to.

Download Plumbytes Anti-Malware from the button below.


Install Plumbytes Anti-Malware by clicking INSTALL.



After installation is done, run Plumbytes Anti-Malware by double-clicking on its icon (or Plumbytes Anti-Malware will run automatically).

Go to OVERVIEW, and then click Run a scan.



After scan is completed, all detected items will show in the list.

Check the box beside Spora or Select All and then click REMOVE SELECTED.



Restart the computer to apply all the changes.


File Restoring Instruction


Option One Use Windows Previous Versions feature


Step 1 Show Hidden Files


Go to File Explorer, click on Organize on the top bar and then select Folder and search options.



Tap View tab and then choose “Show hidden files, folders and drives” in the Advanced settings.



In order to save the change, please click on Apply and then OK button.

For Windows 8/10, you need to go to View tab > Options > Change Folder and search options > Folder Options.

For Windows XP, you need to go to Tools > Folder Options.


Step 2 Restore Previous Version


Find your encrypted files, which aren’t on the system disk because the ransomware won’t encrypt Windows system files.

Right click on one of your encrypted files and then select Properties or Restore previous versions.



Tap the Previous Versions tab, and then select from the list a restore point from a time when the files had not yet been encrypted.



Click Restore button when you are asked whether you want to restore the previous version.


You may ask, why can’t I find available versions? Well, one reason is that you haven’t modified the file before. Another reason is that the ransomware may delete shadow volume copies. Moreover, some systems don’t have the Windows previous version feature. Depending on these factors, you may fail to restore the previous version. Don’t be worried; you can consider using the System Restore feature. It is still advised to remove the malicious payloads of the ransomware first and then restore your files.



Option Two Use System Restore


For Windows XP


Click on Start button and then click All Programs.



Go to Accessories, select System Tools and then click on System Restore.



After the System Restore window pops up, you need to choose “Restore my computer to an earlier time” and then click Next button.



All of the dates that have restore points are displayed in the following calendar. There are various types of restore points. The first type is the manual restore point, which means that you create a restore point by yourself. The second type is the installation restore point, which means that the system creates a restore point automatically when important settings or programs are installed.


Choose a date on the calendar and then click a restore point.


Click the Next button to continue the process.

You are required to click on Next button after confirming the selected restore point.



Don’t stop the process until the system restore is complete, as shown below.




For Windows 7 Users


Right click on My Computer icon and then select Properties.



Click on System protection on left side.



Click on System Restore button.



In the Restore system files and settings page, you can choose Recommended restore or Choose a different restore point, and then click Next button.



Choose a restore point from before Spora Ransomware entered your computer and then click the Next button.



Click the Finish button to confirm your restore point. It requires you to save any open files and close all programs (see above).


Click Yes button in the pop-up window and wait for completion of System Restore.



If you don’t close the antivirus program, the System Restore will be interrupted, as shown in the figure below. You can try System Restore again and choose a different restore point. If you continue to see this error, you can try an advanced recovery method.



The pop-up window below means that System Restore completes successfully.



Click Close button.

How Can You Keep Your System From Spora?

  1. Avoid opening spam emails or downloading attachments from unknown email addresses.
  2. Don’t visit strange websites, including phishing websites, pornographic websites or illegal trading sites, unless a full antivirus scan has shown that these websites are safe.
  3. Download the software you want from official websites whenever possible, whether you use a PC or a mobile phone.
  4. Back up your files and system settings regularly in case of a system crash or file loss.
  5. Download and install system security patches in order to prevent ransomware from exploiting vulnerabilities.
  6. Install reliable anti-malware programs or blockers and scan your system regularly.

Friendly Advice: Although Spora Ransomware won’t encrypt important system files, computer users are still troubled by their other locked files. Its payment website is so professional that computer researchers are surprised by it. However, you are advised not to pay, given the unreliable platform and the potential risk to your personal information. Computer users need to think twice and ask themselves whether they can afford the payment. According to the research, restoring all encrypted files costs you at least 280 USD. Maybe you think it is a small number. But paying the ransom is a risk because no one can guarantee that you will get these files back. It is strongly suggested to first remove the ransomware with the reliable removal tools in this post, and then restore your files, in order to avoid a second file encryption. Notably, there is not yet a free decryptor for Spora ransomware because it is new ransomware and uses a sophisticated encryption method. The only effective and easy method is using System Restore. If you have backups, you’d better restore your files as soon as possible.



