How to remove Spora virus and restore encrypted files

For the past few years, experts have been trying to draw public attention to the increased activity of unwanted programs in general and ransomware in particular. These viruses have a quite complex structure, so creating and maintaining them requires time and certain skills. Every such virus, even if it is not very complex, is a serious problem for its victims, because modern encryption algorithms are almost impossible to crack. The only hope for the victims is to wait until malware researchers crack the virus code and extract the master key or the entire list of encryption keys. In this article, we'll talk about the Spora virus, which is considered one of the most dangerous in 2017.


Spora ransomware virus


Spora penetrates the system through malicious e-mail attachments and then immediately starts to encrypt data. If you haven't stopped the ransomware before it got in, then by now you are already suffering losses. Spora encrypts all file types, including video, text, images and audio. The encryption takes from 5 minutes to several hours, depending on the amount of information on the computer. The hackers demand bitcoins in exchange for your own files.


The Spora virus belongs to the category of encrypting ransomware, which means that it penetrates the user's computer, encrypts the files and demands a ransom for their decryption. Most likely, the virus was created by Russian hackers and is focused on the Russian segment of the Internet. This can be argued because, although the virus comes with instructions in Russian, English and French and reports of infection come from all over the world, most of the victims are from Russia. In addition, viruses of this type usually demand fairly large ransoms. For example, the Cerber and Locky viruses at different times demanded from 0.5 to 3 BTC, that is, at the current rate, from about $500 to $3000. The average Russian user will not pay such a sum to decrypt his files. Spora, in turn, asks the average user for only $79 for full decryption.




In addition to the complex structure of the virus itself and its encryption algorithms, there is another sign indicating that the Spora virus is operated by a professional team of scammers who have extensive experience in creating ransomware and working with it: the website of the virus. Most often hackers put little effort into the sites for their viruses and give them only minimal functionality, but in the case of Spora we see a completely different picture. The site is high-quality, and it offers many decryption options, for every taste:


  • Decryption of all files - $79
  • Immunity from Spora infection in the future - $50
  • Clearing the computer of the virus and residual files after paying the ransom - $20
  • Decryption of a single file - $30
  • Free decryption of two files (obviously, in order to demonstrate that the scammers are able to do it).


The site has its own technical support service, whose staff responds promptly to questions. In addition, the hackers offer victims a refund of part of the amount paid if the victim comments on one of the popular articles on fighting the virus and says that the best way is to pay the ransom. All these facts indicate that the scammers have set their sights on long-term exploitation of the virus and intend to earn a lot of money with its help. Our task is not to let them do it.

What is Spora ransomware and how does it work?

Now let's proceed to the technical information. The virus penetrates computers using good old e-mail spam. This method is preferred by all creators of ransomware, and the creators of Spora are no exception. There are several letter templates that are sent to thousands of users. In general, the letters are aimed at office workers and are disguised as invoices, price lists, employee resumes, complaints and other business documentation. An archived file is attached to the letters, and at first glance it looks like a Word document or an Excel spreadsheet. The files actually have the extension .HTA, but users see only the name, because the display of file extensions is disabled by default. The files are called ........DOC.HTA, ........XLSX.HTA or ........PDF.HTA, where the dots stand for randomly chosen file names, such as "Metal bill" or "Schedule for the next month". When the user unpacks and launches an HTA file, a JavaScript file, close.js, is extracted from it, which creates an executable file with a random name and starts it. This file is the core of the virus, and it immediately starts the encryption. In addition, when you click on the HTA file, a .docx file is opened in order to distract the user's attention. At startup, this file gives an error, and the user thinks that the file was corrupted during transmission or archiving.
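A mail gateway or help desk can catch this disguise before anyone opens the attachment. The following is an added example, not part of the original article: it lists the members of a ZIP attachment and flags names where a document extension is followed by a script or executable extension. The extension sets, the function names and the assumption that the archive is a ZIP are illustrative; the sample archive is constructed and contains only empty files.

```python
import io
import zipfile

# Extensions Windows runs as code on double-click (assumed list for this example).
SCRIPT_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "scr", "exe", "lnk"}
# Document types used as the decoy part of the name; the article names DOC, XLSX and PDF.
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf"}


def disguised_extension(filename):
    """Return (decoy, real) for names like 'Metal bill.PDF.HTA', else None."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, and padding is sometimes
    # inserted before the real extension, so strip both before comparing.
    parts = [p.strip().lower() for p in base.rstrip(". ").split(".")]
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    if real in SCRIPT_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def scan_archive(data):
    """Return the member names of a ZIP attachment (bytes) that are disguised."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if disguised_extension(name)]


def build_sample_zip():
    """Constructed, harmless sample: empty members using names from the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Metal bill.PDF.HTA",
                     "Schedule for the next month.xlsx",
                     "notes.v2.txt"):
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for member in scan_archive(build_sample_zip()):
        print("disguised attachment:", member)
```

Turning on "File name extensions" in Explorer removes the disguise for the user as well, since the .HTA suffix then becomes visible.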


Most modern ransomware families have an impressive list of targeted extensions; some lists have 500 or more entries. Spora is able to encrypt only files with the following extensions: .xls, .doc, .xlsx, .docx, .rtf, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .1cd, .dbf, .sqlite, .accdb, .jpg, .jpeg, .tiff, .zip, .rar, .7z, .backup. This allows the hackers to reduce the cost of creating and maintaining the virus without losing much in efficiency, since the main extensions are present in the list. Another difference is the lack of a command center. Spora functions completely autonomously, without transmitting any data, and thus preventing that data from being hacked. All reports are stored in a key file, which the user himself will have to upload to the scam site to decrypt the data. The virus affects only files with information, leaving system files and program files untouched. Thus, even after infection, the computer is in working order and the victim can use it to pay the ransom.


Encryption is carried out using the AES and RSA algorithms, which completely excludes the possibility of decryption by brute force. The encryption mechanisms are quite complex; in simple terms they can be described like this:


  • An AES key and an RSA key are generated, and the AES key is encrypted using the RSA key. All generated keys are stored in the “key” file.
  • To decrypt the files, the hackers use a private key. First they decrypt the AES key, which was used to encrypt the RSA key of the victim’s system. Then they decrypt the RSA key, enter it into the decryption program and send it to the victim.
  • The program uses the RSA key to decrypt the AES keys from each file, and then decrypts the files themselves using the recovered keys.


For those who do not understand such things, everything looks very confusing, so we will describe the situation in one sentence. Files encrypted with Spora cannot be decrypted until someone hacks the hacker’s database and extracts the private key.

How to delete Spora Virus

What should the victim of the virus do? At the moment, you have two choices: to pay the extortionists, thereby giving them the opportunity to continue to operate, or not to pay, remove the virus from the computer and wait until a decryption program has been created. There is also a third option: you can restore previously made backups. If backups are made regularly and stored on an external drive that is not connected to a computer or to a network, the damage from any virus will be minimal. In this case, you will need to completely remove the virus from your computer, scan it several times with various antiviruses, and only then restore the backup. If you do not want to wait and are ready to pay, follow the instructions of the scammers. If you are willing to wait a while and don’t want to let the hackers earn money with your help, follow the instructions under this paragraph. The first step of each of these methods is to remove the virus itself. It can be done manually, but that requires a lot of experience and might cause serious errors. We advise you to remove Spora with the help of a decent antivirus tool, Spyhunter AntiMalware. You can purchase it or download a free scanner by clicking the link below.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see if it can detect malware for you.

SpyHunter has the biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

The SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase the full version of the program for $39.99. More information about Spyhunter, EULA and Privacy policy.

Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to the %SystemRoot%\System32\drivers\etc\ folder
  • Open the hosts file using Notepad or another text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot
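
Steps 3 and 5 can be combined into one check: an autorun entry whose program lives under %TEMP% or %ProgramData% deserves a closer look. The script below is an added example, not part of the original instruction. It reads the Run and RunOnce keys named in Step 5 and prints the entries that point into the folders from Step 3. The function names are illustrative, legitimate software sometimes installs into %ProgramData%, so the output is a list to review, not a list to delete, and the sample entries in the test data are constructed.

```python
import ntpath
import re
import sys

# Two of the startup keys from Step 5, relative to HKLM and HKCU.
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def exe_path(command, env):
    """Extract the program path from a Run value, expanding %VAR% references."""
    command = re.sub(r"%([^%]+)%",
                     lambda m: env.get(m.group(1).upper(), m.group(0)),
                     command).strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths containing spaces are ambiguous; keep the first token.
        path = command.split(" ", 1)[0]
    return ntpath.normcase(ntpath.normpath(path))


def flag_autoruns(entries, env):
    """Return names of entries whose program is under TEMP or ProgramData."""
    roots = [ntpath.normcase(ntpath.normpath(env[k])) + "\\"
             for k in ("TEMP", "PROGRAMDATA") if k in env]
    return sorted(name for name, cmd in entries.items()
                  if any(exe_path(cmd, env).startswith(r) for r in roots))


def read_run_entries():
    """Windows only: collect all values of the Run/RunOnce keys."""
    import winreg
    found = {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                        (winreg.HKEY_CURRENT_USER, "HKCU")):
        for sub in RUN_KEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, data, _ = winreg.EnumValue(key, i)
                        found[f"{label}\\{sub}\\{name}"] = str(data)
            except OSError:
                continue  # key does not exist on this system
    return found


if __name__ == "__main__" and sys.platform == "win32":
    import os
    env = {k.upper(): v for k, v in os.environ.items()}
    for name in flag_autoruns(read_run_entries(), env):
        print("review:", name)
```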



