Blackmail ransomware returns with 1024-bit encryption key
Summary: Virus analysts at Kaspersky Lab (my employer) have intercepted a new variant of Gpcode, a malicious virus that encrypts important files on an infected desktop and demands payment for a key to recover the data.The biggest change in this variant of the ransomeware is the use of RSA encryption algorithm with a 1024-bit key, making it impossible to crack without without the author's key.
Virus analysts at Kaspersky Lab (my employer) have intercepted a new variant of Gpcode, a malicious virus that encrypts important files on an infected desktop and demands payment for a key to recover the data.
The biggest change in this variant of the ransomeware is the use of RSA encryption algorithm with a 1024-bit key, making it impossible to crack without without the author's key. Here's the explanation:
We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can't currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.
The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.
After Gpcode encrypts files on the victim machine, it adds ._CRYPT to the extension of the encrypted files and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a "decryptor":
«Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com»
There are three Yahoo e-mail addresses associated with the new version of the ransomware.
For more on this story, see Slashdot, Network World and Viruslist.com. Here's background on the earlier version of GPcode.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Which files are encrypted?
I was wondering the best way to backup data to recover from this. Would data need to be backed up on a different hard drive? Internal or external?
Data is so important, it would be a scary thing to have happen.
Plenty
--- --- + --- ---
[i]Hello, your files are encrypted with RSA-4096 algorithm.
You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: xxxxxxx@xxxxx.com [/i]
--- --- + --- ---
The A-V labs have always been successful in finding appropriate decryption keys for files encrypted by previous versions of Gpcode. However, and just as Ryan states, the days of quick and painless decryption may be over, as the use of a strong 1024 bit encryption algorithm cannot be reversed without the original key (so far to date anyway, short of perhaps some overlooked technical weakness or unforeseen flaw).
Moreover, the Gpcode virus presence is hard to detect because it attempts to self destruct after encrypting the target files. You must admit though, it is very thoughtful to go the extra mile and clean up after itself. :)
Moral of the story: Keep your browsing guard up, to include your firewall, your OS core, malware and A-V programs up to date, your scans regular, and => [i]your off disk backups as current as possible.[/i]
Yar
Files: It would be encrypting your user files. If it encrypted system files, it would tend to make your system unable to boot, making it hard for you to pay ransom and decrypt your files (defeating the purpose of "hostage taking").
Re: Yar
RE: Blackmail ransomware returns with 1024-bit encryption key
It seems to encrypt user files based on the file extension. The system files are left so you can boot your computer to read the message and connect to pay the ransom.
One site mentioned that it did scan files on all attached drives including USB flash drives so use an external drive connected only during the backup and then disconnected for hard drive based backups.
My preference is 3 drives used in sequence but that's my paranoia after having a hard drive crash during a backup that damaged the backup as well. A set of 2TB drives with enclosures is pretty affordable these days compared to the cost of an attempted data recovery on a crashed hard drive.
RE: Blackmail ransomware returns with 1024-bit encryption key
Yahoo account recipients?
has there been any documented recording of extorted funds to prove that a solution for the encryption really does get sent?
if so, there's a transmission trail attached to the solution, no?
Yahoo e-mail registered to John Doe ni Andromeda cluster
They probably don't live in the US, so even if you knew who the real people were you couldn't do anything about it.
Not in the US doesn't mean they can't be caught...
<br><br>Interpol's page on Financial & High-Tech Crimes:<br>http://www.interpol.int/Public/FinancialCrime/Default.asp
and again
Re: and again
It sounds like the decrypting tool buys you; not the other way around.
RE: Blackmail ransomware returns with 1024-bit encryption key
sorry, i dont know how criminals thinks
Western Union
I would be nice if they accepted Money Orders. Then I could list a PSP on Craigs list, collect the fake MOs, then send those to the ransomers.
duh restore from backups
duh restore from backups
Thanks for the alert
- Kc
a thought
or am i missing something?
RE: Blackmail ransomware returns with 1024-bit encryption key
**person opinion warning**
i think it's a scam to steal the credit card number or the victim's identity.
Hahaha