New GpCode Variant Demanding Cash For Decryption Key

ID THREATPOST:109C073962E2490047173650809FCDB7
Type threatpost
Reporter Dennis Fisher
Modified 2015-04-13T17:40:00


RansomwareThere’s a new version of the venerable GpCode ransomware attack making the rounds right now, demanding payments of $120 in order to decrypt files on infected PCs. This version, which has been active for several days now, is different from previous variants in that it overwrites the original files, preventing recovery of the data.

GpCode is one of the older pieces of ransomware and has been infecting machines since at least 2004. Its sole reason for being is to extract a payment from victims in return for a key to decrypt the files that the malware has encrypted. Once the victim sees a dialog box warning that his data has been encrypted, the malware has already encrypted the files in a number of directories using AES 256 or RSA 1024. Previous versions of GpCode simply took a file and created an encrypted copy of it, enabling victims to potentially recover the original file with special tools.

However, the new version of GpCode encrypts the original file, making data recovery much more difficult, if not impossible, according to security researchers who have seen the new malware.

“As we explained before, this type of malware is very dangerous because
the chances of getting your data back are very low. It is almost the
same as permanent removal of the data from your hard drive. If you think you are infected, we recommend that you do not change
anything on their systems as it may prevent potential data recovery if
we find a solution. It is safe to shutdown the computer or restart it
despite claims by the malware writer that files are deleted after N days
– we haven’t seen any evidence of time-based file deleting mechanism.
But nevertheless, it is better to stay away from any changes that could
be made to the file system which, for example, may be caused by computer
restart,” Vitaly Kamluk, of Kaspersky Lab’s security research team in Japan, wrote in an analysis of the new GpCode variant.

“People who are not should be aware of the problem and should
recognize GpCode from the first second when the warnings appears on your
screen. Pushing Reset/Power button on your desktop may save a
significant amount of your valuable data!”

Victims whose machines are infected with GpCode may see a Wordpad window open with the text of the ransom demand, which is written in classic malware-writer English.

“Attention!!! All your personal files (photos, documents, texts, databases, certificates, kwm-files, videos) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself–just look for files in all folders.”

Ransomware like GpCode has been around for several years now, and most variants are fairly straightforward and simply demand a payment in exchange for the decryption key. Researchers have found some methods for recovering data compromised in these attacks, but the newest variant of GpCode seems to eliminate that possibility.