Blackmail ransomware returns with 1024-bit encryption key


Virus analysts at Kaspersky Lab (my employer) have intercepted a new variant of Gpcode, a virus that encrypts important files on an infected desktop and demands payment for the key needed to recover the data.

The biggest change in this variant of the ransomware is the use of the RSA encryption algorithm with a 1024-bit key. Because the key embedded in the malware is only the public half, recovering the files means either obtaining the author's private key or factoring the 1024-bit modulus, and the latter is far beyond any published factoring result. Here's the explanation:

We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can't currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.

The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.

After Gpcode encrypts files on the victim machine, it adds ._CRYPT to the extension of the encrypted files and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a "decryptor":

«Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at: ********@yahoo.com»

There are three Yahoo e-mail addresses associated with the new version of the ransomware.
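As an added example (not code from this post, from Kaspersky's analysis, or from the malware itself), here is the key arrangement the explanation above describes, modelled in pure Python on constructed, in-memory sample files. It makes assumptions the post does not state, labelled in the code: file contents are encrypted with a per-file symmetric key that is then wrapped with the embedded RSA public key (the post only says RSA-1024 is involved, not what cipher touches the file bytes), the symmetric stand-in is a SHA-256 keystream XOR, and the RSA padding is PKCS#1 v1.5. The function names rsa_keygen, encrypt_files, decrypt_files and try_decrypt are the example's own.

```python
# Added example: a minimal model of the Gpcode key arrangement, in memory only.
# Assumptions (not from the post): SHA-256 keystream XOR as the file cipher,
# PKCS#1 v1.5 type-2 padding for the RSA layer (decrypt is not constant-time,
# demo only), constructed sample "files". Needs Python 3.8+ for pow(e, -1, phi).
import hashlib
import secrets

CRYPT_SUFFIX = "._CRYPT"
NOTE_NAME = "!_READ_ME_!.txt"
NOTE_TEXT = ("Your files are encrypted with RSA-1024 algorithm.\n"
             "To recovery your files you need to buy our decryptor.\n")


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024, e=65537):
    """Returns ((n, e), (n, d)). The author runs this once; only (n, e) is
    compiled into the malware, (n, d) never leaves the author."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this means gcd(e, phi) == 1
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, msg):
    """PKCS#1 v1.5 type-2 padding, then m^e mod n."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for the modulus")
    ps = b""
    while len(ps) < k - len(msg) - 3:      # padding string must contain no zero byte
        b = secrets.token_bytes(1)
        ps += b if b != b"\x00" else b""
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_decrypt(priv, ct):
    """c^d mod n, then strip the padding; ValueError if the padding is wrong."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]


def keystream_xor(key, data):
    """Stand-in stream cipher: XOR with SHA-256(key || byte offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_files(files, pub):
    """Malware side: fresh key per file, wrapped with the embedded public key;
    the file name gets ._CRYPT appended and the note is dropped alongside."""
    out = {}
    for name, data in files.items():
        file_key = secrets.token_bytes(32)
        out[name + CRYPT_SUFFIX] = rsa_encrypt(pub, file_key) + keystream_xor(file_key, data)
    out[NOTE_NAME] = NOTE_TEXT.encode()
    return out


def decrypt_files(folder, key):
    """The 'decryptor' being sold: unwrap each file key with (n, d), then undo the file cipher."""
    n, _ = key
    k = (n.bit_length() + 7) // 8
    out = {}
    for name, blob in folder.items():
        if name.endswith(CRYPT_SUFFIX):
            file_key = rsa_decrypt(key, blob[:k])
            out[name[:-len(CRYPT_SUFFIX)]] = keystream_xor(file_key, blob[k:])
    return out


def try_decrypt(folder, key):
    """Run the decryptor with whatever (n, x) you hold; None if the padding check fails."""
    try:
        return decrypt_files(folder, key)
    except ValueError:
        return None


def demo():
    victim = {"report.doc": b"Q2 numbers, confidential. " * 40,   # constructed sample files
              "photo.jpg": secrets.token_bytes(1000)}
    pub, priv = rsa_keygen(1024)
    folder = encrypt_files(victim, pub)
    # An analyst with the sample has pub (it is in the binary) and nothing else;
    # feeding it to the decryptor yields garbage or a padding failure, never the files.
    return {"original": victim, "folder": folder,
            "recovered": decrypt_files(folder, priv),
            "analyst_view": try_decrypt(folder, pub)}


if __name__ == "__main__":
    r = demo()
    print(sorted(r["folder"]), r["recovered"] == r["original"], r["analyst_view"] == r["original"])
```

The point to take from it: the sample hands an analyst (n, e) and nothing more, so detection (a signature on the binary, or on the embedded modulus) and decryption are separate problems, and the only route to the second without the author's cooperation is factoring n. For a 1024-bit modulus that is well beyond the largest published RSA factorization (829 bits, RSA-250, in 2020).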

For more on this story, see Slashdot, Network World and Viruslist.com. Here's background on the earlier version of Gpcode.


Talkback

73 comments
  • Which files are encrypted?

    Is it just the user folders? Or all files on the hard drive?

    I was wondering the best way to backup data to recover from this. Would data need to be backed up on a different hard drive? Internal or external?

    Data is so important, it would be a scary thing to have happen.
    SAZMD
    • Plenty

      The Gpcode trojan (aka PGPCoder) basically takes users' files hostage and asks for a ransom to "liberate" them. Everything from doc to txt, pdf, xls, jpg, png, htm, pst, xml, zip, rar and additional file extensions in between. A typical message you can expect to find will read like this:
      --- --- + --- ---
      Hello, your files are encrypted with RSA-4096 algorithm.

      You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

      To decrypt your files you need to buy our software. The price is $300.

      To buy our software please contact us at: xxxxxxx@xxxxx.com
      --- --- + --- ---
      The A-V labs have always been successful in finding appropriate decryption keys for files encrypted by previous versions of Gpcode. However, and just as Ryan states, the days of quick and painless decryption may be over, as the use of a strong 1024 bit encryption algorithm cannot be reversed without the original key (so far to date anyway, short of perhaps some overlooked technical weakness or unforeseen flaw).

      Moreover, the Gpcode virus presence is hard to detect because it attempts to self destruct after encrypting the target files. You must admit though, it is very thoughtful to go the extra mile and clean up after itself. :)

      Moral of the story: Keep your browsing guard up, to include your firewall, your OS core, malware and A-V programs up to date, your scans regular, and => your off disk backups as current as possible.
      klumper
    • Yar

      Backup: I'd suggest backup on external media of your choice, if a hard drive, it should only be connected during backup or restore operations.

      Files: It would be encrypting your user files. If it encrypted system files, it would tend to make your system unable to boot, making it hard for you to pay ransom and decrypt your files (defeating the purpose of "hostage taking").
      seanferd
      • Re: Yar

        That makes it a difficult hostage program, but wouldn't that also make it a disastrous system crasher. At the worst, it'd just have to drop something that manipulates files already in use on logout, after they're freed-up, and then you're essentially locked-out of your OS next time. On Linux, I suppose this would just be a user files problem, and the UAC might sound the alarm, but older non-user-segregated PCs would feel the real risk of that.
        FateJHedgehog@...
    • RE: Blackmail ransomware returns with 1024-bit encryption key

      @SAZMD

      It seems to encrypt user files based on the file extension. The system files are left so you can boot your computer to read the message and connect to pay the ransom.

      One site mentioned that it did scan files on all attached drives including USB flash drives so use an external drive connected only during the backup and then disconnected for hard drive based backups.

      My preference is 3 drives used in sequence but that's my paranoia after having a hard drive crash during a backup that damaged the backup as well. A set of 2TB drives with enclosures is pretty affordable these days compared to the cost of an attempted data recovery on a crashed hard drive.
      DNSB
  • RE: Blackmail ransomware returns with 1024-bit encryption key

    So these morons gave out their Yahoo e-mail addresses with this little extortion scheme? What, didn't give out their addresses as well?
    pueblonative
    • Yahoo account recipients?

      wouldn't the first step be for Kaspersky Labs (et al) to send the addresses and details of what is clearly a Yahoo TOS violation to Yahoo to immediately disable those email accounts and reveal the IDs of the parties associated with those accounts?

      has there been any documented recording of extorted funds to prove that a solution for the encryption really does get sent?

      if so, there's a transmission trail attached to the solution, no?
      internot
      • Yahoo e-mail registered to John Doe in Andromeda cluster

        So Yahoo tells you who the address is registered to. Big whoop. They don't call it anonymous e-mail addresses for nothing.

        They probably don't live in the US, so even if you knew who the real people were you couldn't do anything about it.
        tikigawd
        • Not in the US doesn't mean they can't be caught...

          "They probably don't live in the US, so even if you knew who the real people were you couldn't do anything about it."

          Depending on where outside the US, arrest and prosecution is still possible thanks to the international police organization called "Interpol". How do you think we get some of the criminals from other countries?

          Interpol's homepage:
          http://www.interpol.int/Public/ICPO/default.asp

          Interpol's page on Financial & High-Tech Crimes:
          http://www.interpol.int/Public/FinancialCrime/Default.asp
          devlin_X
        • and again

          if you pay the extortion fee to get the decryption code there will be a paper trail of who is actually receiving the payment
          richvball44
          • Re: and again

            Has anyone actually gone through with it and bought the key? It's probably just another means of exploit - this time, with your money - but there may no longer be a decryption key to give.
            FateJHedgehog@...
  • It sounds like the decrypting tool buys you; not the other way around.

    Nice to see the filth getting ahead of official encryption entities, by a factor of 4... (not really)
    HypnoToad
  • RE: Blackmail ransomware returns with 1024-bit encryption key

    if one were to be hijacked and decided to pay for the decryption, how is that done? by paypal? by mail, in person? or do you give them cc# in the email? which still leaves a cyber trail going somewhere? if it directs you pay by cc# over the internet it will have an ip address right? wont you then know the admin of such a site and arrest them??

    sorry, i dont know how criminals think
    richvball44
    • Western Union

      I believe that is still the preferred method of receiving payment by scammers.

      It would be nice if they accepted Money Orders. Then I could list a PSP on Craigslist, collect the fake MOs, then send those to the ransomers.
      Gritztastic
  • duh restore from backups

    This is lame - who wouldn't just restore your backups? Oh, yeah, people don't do backups. They're going to make a -LOT- of money. But not from me.
    scott1329
    • duh restore from backups

      scott1329 = Captain Obvious.
      wthomson
  • Thanks for the alert

    I also said pretty much, keep your data backed up and restore it after the virus is erased. How many think the malware writers will send the key after you pay them anyway?

    - Kc
    kcredden2
    • a thought

      i suppose if one were to be hijacked with this extortion you could contact the authorities, fbi, police, whomever. have them set up a credit card account in your name for the "purchase" of the key to unlock. then you follow the bank transactions as to who is getting the $$$. voila. you make the arrest

      or am i missing something?
      richvball44
    • RE: Blackmail ransomware returns with 1024-bit encryption key

      @kcredden2

      **personal opinion warning**

      i think it's a scam to steal the credit card number or the victim's identity.
      erik.soderquist
  • Hahaha

    A useful virus!
    CreepinJesus