Windows 10 + Chrome + Avast (all up to date)
I visited a website (a site I am familiar with, a reputable company - Efergy.com), and as it loaded in Chrome a very convincing Chrome popup about needing an extra font appeared. Avast warned it was suspicious but did not identify a problem - the website was reputable so I allowed the file to execute anyway. I then saw a script execute and the popup telling me I had been ransomwared.
I tried calling Avast to ask what to do - dialled the number on the Avast website, and after 30 minutes of discussion and hold time all I could find were people who worked at AVG who said that I should try to call this Avast company instead. sigh.
I found & followed the forum sticky https://forum.avast.com/index.php?topic=195230.0 and followed the destructions in it to the letter.
Malwarebytes found it - I quarantined and rebooted but when the system restarts and I log in, it pops up a browser window with the original Spora popup message. Subsequent scans with Malwarebytes find nothing, and the popups continue.
Hard-drive still encrypted.
hi there - i’m not trying to decrypt. i’m trying to disinfect.
it seems to be smarter than malwarebytes, it's still infected even though MBAM thinks it is.
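A browser window that reopens the ransom note at every login usually means a launcher entry has survived the scan somewhere in the autostart locations, not that the payload itself is still running. The script below is an added example for readers of this thread, not something posted by the original poster or by Avast; it only lists entries (it removes nothing) and assumes a Windows 10 machine with an elevated PowerShell prompt. The path and file-extension patterns it flags at the end are a constructed heuristic, so expect some legitimate entries (updaters living under AppData, for instance) to appear alongside anything malicious.

```powershell
# Added example (not from the forum thread): enumerate common Windows autostart
# locations so a re-launching popup after login can be traced to its source.
# Read-only: it lists entries and removes nothing. Run from an elevated prompt.

$findings = @()

# 1. Registry Run / RunOnce keys for the current user and the machine.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$findings += @(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
})

# 2. Startup folders: every file here runs at logon for that user / all users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$findings += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
})

# 3. Scheduled tasks with a logon trigger, another common hiding place for a launcher.
$findings += @(Get-ScheduledTask | Where-Object {
    $_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
} | ForEach-Object {
    $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    [pscustomobject]@{ Source = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $action }
})

# Constructed heuristic: a ransom-note relauncher typically opens an HTML/HTA/script
# file, or is launched from a user-writable profile directory. Legitimate software
# matches too, so treat this list as "look here first", not as a verdict.
$suspicious = $findings | Where-Object {
    $_.Command -match '\.(hta|html?|vbs|js|wsf)\b' -or
    $_.Command -match '\\AppData\\|\\Temp\\|\\ProgramData\\'
}

"--- all autostart entries found ---"
$findings | Sort-Object Source, Name | Format-Table -AutoSize
"--- entries worth a closer look ---"
$suspicious | Format-Table -AutoSize
```

Services, WMI subscriptions and browser extensions are further autostart points the script does not cover; Sysinternals Autoruns enumerates all of them in one view and is the tool most responders reach for on a machine in this state. Whatever the source turns out to be, quarantine the referenced file before deleting the entry, so the sample is still available to submit to a scanner such as VirusTotal.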
yes, with 20:20 hindsight we could all avoid everything. it was a legitimate website (and still is) for a global vendor. that's why i went there. somehow they must have been compromised is all i can think. seems to have been some sort of temporary insertion or intercept. don't know really except that visiting the website 2 minutes later it no longer asked for the Chrome update - unless of course it was smart enough to know i was already infected? i have notified the vendor so they can look into it.
as a last note, if i did not execute every time avast raises a suspicious flag, i wouldn’t get anything done. so far, i’ve had 100% success avoiding these things. alas, this one was quite cleverly done and i am under the pump at work (and now even worse with a fubar PC) so didn’t give the idea of needing a Chrome font pack update as much thought as i should have.
In the meantime, I should provide a little additional detail as to how it presented itself to me, which I found reference to elsewhere http://sensorstechforum.com/remove-spora-ransomware-restore-files/ if you scroll down to the subheading that says March 2017 Update. The website said it needed the HoeflerText font etc etc.
So it seems to be a new variant which might explain why it outsmarts MBAM, and Hitman Pro doesn’t see it all.
i honestly don’t know what you just asked me to do. what is a virustotal result?
oh no sorry!! i’d love to but i just got off the phone with lenovo support who just reset my PC to factory default.
their reasoning was that all the files are unrecoverable, so may as well wipe & recover instead of trying to clean.
they have a recovery utility that does that.
so i’m mid-way through some process that i’m suspicious may not work: shortly after starting the recovery process it came up and said ‘could not delete your personal files, if you want to wipe these too, you may try running this process again’ before proceeding anyway with a suspiciously windows-looking reinstallation process.
Couldn’t delete files??? Why didn’t it just delete/format the partition and reinstall clean from the recovery partition?
Bearing in mind that Spora encrypted my ‘Documents’ folder, I hope this process doesn’t just use the windows native recovery software from the original partition in which case it may not completely remove the infection?? does anyone have any thoughts on this?
For now there is no way to decrypt the files corrupted by Spora ransomware. And of course, if your files are encrypted, installing new anti-viruses won't help. If you have a valid version of some paid anti-virus, you might call them for help, but the only thing that they could do is to pay the ransom. The best thing that you can do is to remove the virus, gather all encrypted files in one folder and wait until a decent decryptor is developed. Spora ransomware has already attracted the attention of such great research teams as MalwareHunterTeam and EmsiSoft. Also, the MalwareTips and BleepingComputer communities are involved in the research, so I suppose that the decryptor might come in a month or even less. If you want to remove the virus - here are the simple instructions that might help you to do it. http://it-help.info/news/3070-spora-ransomware-removal-tips-and-useful-information