UPDATED 23:02 EDT / JANUARY 16 2017

Spora ransomware brings a freemium model to hijacked data decryption

The creators of a recently discovered form of ransomware have borrowed an idea from the world of apps to extort victims whose files they have hijacked: a freemium model.

Called Spora after the Russian word for spore, the ransomware offers five levels of decryption to those unfortunate enough to be infected. An initial tier allows a victim to decrypt two files for free, escalating to a full restore for $120, with prices in between for options including the ability to restore a single file, remove the ransomware and gain “immunity” from it.

The ransomware is being distributed through a spam email campaign that delivers a ZIP file containing an HTA file (an HTML application) with an enticing name, according to Naked Security. Once opened, the file extracts a JScript file to the %TEMP% folder, which in turn extracts an executable to the same folder and runs it. Upon installation, Spora encrypts files using the Windows CryptoAPI in combination with RSA and AES keys, and delivers an HTML-based ransom note and a .KEY file.
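A mail-gateway style check for the delivery stage described above, as an added example (not code from the article, Naked Security or Emsisoft): it lists the members of a ZIP attachment and flags HTA files and similar runnable types, including inside nested archives. The extension lists beyond `.hta`, the decoy double-extension check, the size limit and all function names are assumptions of this example.

```python
import io
import zipfile

# .hta is the type the article names; the other entries are assumptions added
# to cover similar double-click-to-run script and executable types.
RISKY = {".hta", ".js", ".jse", ".vbs", ".wsf", ".exe", ".scr"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}  # assumption
MAX_NESTED_BYTES = 10 * 1024 * 1024  # refuse to unpack larger nested archives


def suffixes(member_name):
    """Lower-cased extensions of the file part, e.g. ['.pdf', '.hta']."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    return ["." + part for part in base.split(".")[1:]]


def scan_zip_attachment(data, depth=2):
    """Return (member, reason) findings for the raw bytes of a ZIP attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a readable ZIP")]
    findings = []
    with archive:
        for info in archive.infolist():
            ext = suffixes(info.filename)
            if info.is_dir() or not ext:
                continue
            if ext[-1] in RISKY:
                reason = "runnable type " + ext[-1]
                if len(ext) > 1 and ext[-2] in DECOY:
                    reason += " behind decoy " + ext[-2]
                findings.append((info.filename, reason))
            elif ext[-1] == ".zip":
                # Encrypted, oversized or too deeply nested: report, do not unpack.
                if info.flag_bits & 0x1 or info.file_size > MAX_NESTED_BYTES or depth == 0:
                    findings.append((info.filename, "nested archive not inspected"))
                    continue
                for name, reason in scan_zip_attachment(archive.read(info), depth - 1):
                    findings.append((info.filename + "/" + name, reason))
    return findings


def build_sample(members):
    """Build a constructed in-memory ZIP for testing; members maps name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()
```

An empty result means no flagged member was found, not that the attachment is safe; a gateway would typically quarantine on any finding.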

While that sounds like standard form for this sort of infection, Spora differs from other forms of ransomware in being able to encrypt files without having to contact a command-and-control server. That is, it can encrypt files if a machine is offline, while still delivering to every victim a unique decryption key.

Spora is also highly aggressive in its implementation, limiting options for victims to respond. That includes deleting online backup copies of Windows as well as breaking shortcuts in the start menu to make it difficult to access the control panel and command prompt, limiting the victim’s ability to reboot the PC in recovery mode.

In the event you were to be infected by Spora, the bad news is that at this stage there is no cure other than to wipe a machine and restore it from a backup. Researchers at Emsisoft noted that they have yet to find any holes in Spora’s encryption routines.

“The best protection still remains a reliable and proven backup strategy, especially since the encryption used by Spora is secure and the only way to get the data back is through the help of the ransomware author,” the post notes.

Image courtesy of Emsisoft
