-------------------------------------------------------------------------------------
ENCRYPTION:
Spora (Contains RSA Key A2 Public)
|
|_> aes_b = encrypt_with_RSA_A2(generate(AES_KEY_B))
|
|_> encrypt_with_aes_b(generate(PRIVATE_RSA_KEY_C1))
|_> rsa_c2 = generate(PUBLIC_RSA_KEY_C2)
|
|_> aes_key_f1 = encrypt_with_rsa_c2(generate(AES_KEY_F1))
|_> encrypt_key_file(aes_key_f1, file)
|_> aes_key_f2 = encrypt_with_rsa_c2(generate(AES_KEY_F2))
|_> encrypt_lst_file(aes_key_f2, file)
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
DECRYPTION:
<-- : the key on the right is needed in order to decrypt the key on the left
             [Contains]   [Contains]           [Contains]   [Only Malware Authors Have Access]
First File:  AES_KEY_F1<--PRIVATE_RSA_KEY_C1<--AES_KEY_B<--[RSA_A2_PRIVATE_MASTER_KEY]
             [Contains]   [Contains]           [Contains]   [Only Malware Authors Have Access]
Second File: AES_KEY_F2<--PRIVATE_RSA_KEY_C1<--AES_KEY_B<--[RSA_A2_PRIVATE_MASTER_KEY]
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
Result:
The master key (RSA A1 Private, shown above as RSA_A2_PRIVATE_MASTER_KEY) isn't exposed; the decrypter works for only one user.
If RSA A1 Private is leaked, every victim can decrypt their files.
-------------------------------------------------------------------------------------
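The Result above as a small recoverability model. This is an added example, not part of the original notes or of any Spora code. It performs no cryptography and only follows the "<--" arrows. The victim names, the function names, and the idea that a per-victim decrypter carries that victim's PRIVATE_RSA_KEY_C1 are assumptions.

```python
# Added example: the wrap chain from the diagram modelled as data.
# No cryptography is performed; victim names are constructed.
MASTER = "RSA_A1_PRIVATE"  # master key named in the Result section


def wrap_edges(victims):
    """Map each item to the key needed to unwrap it (the '<--' arrows)."""
    edges = {}
    for v in victims:
        edges[f"{v}/first_file"] = f"{v}/AES_KEY_F1"
        edges[f"{v}/second_file"] = f"{v}/AES_KEY_F2"
        edges[f"{v}/AES_KEY_F1"] = f"{v}/PRIVATE_RSA_KEY_C1"
        edges[f"{v}/AES_KEY_F2"] = f"{v}/PRIVATE_RSA_KEY_C1"
        edges[f"{v}/PRIVATE_RSA_KEY_C1"] = f"{v}/AES_KEY_B"
        edges[f"{v}/AES_KEY_B"] = MASTER  # the only link shared by all victims
    return edges


def chain(item, edges):
    """Keys that must be unwrapped, in order, to reach the plaintext of `item`."""
    path = []
    while item in edges:
        item = edges[item]
        path.append(item)
    return path


def recoverable_files(known, victims):
    """Files that become readable once the keys in `known` are available."""
    edges = wrap_edges(victims)
    have = set(known)
    changed = True
    while changed:  # propagate until no further key can be unwrapped
        changed = False
        for item, needs in edges.items():
            if item not in have and needs in have:
                have.add(item)
                changed = True
    return sorted(i for i in have if i.endswith("_file"))


if __name__ == "__main__":
    victims = ["victim1", "victim2"]
    print(chain("victim1/first_file", wrap_edges(victims)))
    # Assumption: a per-victim decrypter carries that victim's PRIVATE_RSA_KEY_C1.
    print(recoverable_files({"victim1/PRIVATE_RSA_KEY_C1"}, victims))
    print(recoverable_files({MASTER}, victims))
```
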
https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware