Welcome 2017 – Marlboro / Spora Ransomware

2017 has just begin and with that a new wave of ransomware has emerged. Two of the extreme cases of new variants have been discovered by researchers, Spora for one is one of the most sophisticated variant, while Marlboro is the epitome of immaturity.

MarlboroSpora

Marlboro Ransomware, encrypts the files and changes the extension to .oops and displays the message.

!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA – 2048 and AES-128 ciphers.
Information about the RSA More and the AES CAN the BE found! Found here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encnption_Standard
Decrypting of your files is Possible is only with the private key and decrypt program, which is on our secret server.
To receive your private key you need to make payment to us.
After you make payment, run program called ‘DecryptFiles’ that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files !
If you try to decrypt files with another software your files can be forever lost.

How to buy decrypter? 
1. You can make a payment with BitCoins , there are many methods to get them.
The Bitcoin
2. You Should The register BitCoin wallet (Simplest of online wallet some the OR OTHER Methods of Creating Company wallet).
3. Purchasing Bitcoins – Although it is not yet easy to buy bitcoins, it is getting simpler every day.
Our Recommendations are Here
• Localbitcoms.com (the WU) – the Buy Bitcoins with Western Hotel Union
• Coincafe.com – Recommended for of fast, simple service
• Localbitcoms.com – Service allows you to search  for people in your community willing to sell bitcoins to you directly.
CEX.IO • – with the Buy Bitcoins of VISA MASTERCARD or the Transfer-Wire
• btcdirect.eu – the FOR EUROPE THE of BEST
4. of Post Send – 0.2 of BTC to the Bitcoin address: *****
5. you the make of After payment, the run program Called ‘DecryptFiles’ that is located on your Desktop and your  Documents.

Program will automatically decrypt all of your files !
Over here we have to note that the author claims to have implemented RSA and AES ciphers. However, the Ransomware author, had faked this message and was using XOR to encrypt the data and to make the matters worse used BOOST Library to do this task.

For a layman these terms are technical, however from programming point of view, even a skiddie with little bit of intelligence would write the XOR code himself, rather than relying on Boost library for this.

However, when we look into Spora Ransomware, it is quite evident from the first instance that its on the other side of the spectrum. Professionally coded, usage of AES and RSA, with the public keys being encrypted, the dashboard too showing elegance and to make the matters worse, Spora offers the victims immunity from further attacks if their demands are met.

Moreover, in recent weeks, we have observed that Ransomwares are now targeting Database Servers, especially the MongoDB and ElasticSearch Clusters. The criminals have not just realized the importance of these servers but have also found several insecure deployments.