GpCode ransomware returns, with stronger encryption

Summary: A new version of the dangerous GpCode ransomware has been detected, using RSA-1024 and AES-256 as crypto-algorithms.

TOPICS: Malware, Security

A new version of the dangerous GpCode ransomware has been detected, using RSA-1024 and AES-256 as crypto-algorithms.

According to Vitaly Kamluk of Kaspersky Lab (disclosure: my employer), the latest iteration of this malware is stronger than ever.

GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.

Once a machine is infected with GpCode, the malware encrypts files and opens a ransom note in Notepad demanding a $120 fee to retrieve the files. It also changes the desktop wallpaper to display a message (see image above).

Kamluk offers some advice for any Windows user who sees this ransom warning after an infection:

If you think you are infected, we recommend that you do not change anything on your system, as it may prevent potential data recovery if we find a solution. It is safe to shut down the computer or restart it despite claims by the malware writer that files are deleted after N days - we haven't seen any evidence of a time-based file-deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by a computer restart.

People who are not infected should be aware of the problem and should recognize GpCode from the first second the warning appears on your screen. Pushing the Reset/Power button on your desktop may save a significant amount of your valuable data!


  • RE: GpCode ransomware returns, with stronger encryption

    if you pay the ransom, do you get your files unencrypted?
    • yeah, right...

      @Al_nyc ....give them your credit card number. That's probably what they really wanted in the first place.
      • RE: GpCode ransomware returns, with stronger encryption


        actually, looking at the details gleaned from the perpetrator's attempt to sell a decryptor to Kaspersky, he doesn't want the CC # at all, and in fact is pushing the transactions through a service that makes it impossible to get the CC # or the user's identity through this transaction. he really only wants the money, as untraceable as possible.

        it has also proven difficult to trace the money... we can only guess how many "mules" transfer the money deeper than we can currently see
  • RE: GpCode ransomware returns, with stronger encryption

    A: How is this iteration of the malware transmitted?
    B: Will Kaspersky Internet Security prevent infection?
  • RE: GpCode ransomware returns, with stronger encryption

    What good is this article? No mention of how the malware is distributed - is it via a web site, e-mail attachment, etc; no mention of whether any of the current virus programs can or can't catch it; no mention of where the vulnerability lies, or if and when we can expect a patch to close the hole.

    If you're going to write about something, why not do some proper research, instead of just phoning it in?

    With that said, I would assume that the extortion fee is paid via credit card (something else the author could have researched for us), so that begs the question as to how these thieves get away with their thievery.

    Short of making the "drop" at the trash receptacle at Fourth and Main, wouldn't it be pretty easy to track down these people and bring them to justice simply by following the money?

    Is global law enforcement just that incompetent, are they corrupted and sharing in the booty, or do they just not care?

    I suppose that the thieves depend on all three!
    • Good Point


      excellent point.
    • RE: GpCode ransomware returns, with stronger encryption


      p2p networks and malicious websites, i would venture that Kaspersky can catch it as they are announcing it, it isn't necessarily a vulnerability so much as a user error (DON'T RUN UNTRUSTED PROGRAMS!!) since it is listed as a trojan.

      the ransom fee is paid via services like e-gold, making it extremely difficult to trace the money, and the thief is specifically refusing CC, etc which are much more easily traceable. and after that, we have no guess yet as to how many "mules" transfer the money deeper
  • RE: GpCode ransomware returns, with stronger encryption

    Since all money is traceable, as to some extent are IP addresses, there is no way for a ransom to be completely untraceable by an agency with resources.

    It behooves the US government to identify the criminals, drop a special ops team on their heads (with the cooperation of the local government). Then take control of the servers (wherever they may be) and the unlock codes so data can be recovered. Last, turn the criminals in to the local government for persecution and prosecution.

    This is why we need special ops teams, to protect us. We spend billions of dollars chasing round Iraq and Afghanistan, we can spend a few taking out these chaps.
    • RE: GpCode ransomware returns, with stronger encryption

      @jamesm@... Except it's not that easy: the money is probably paid to some account in a tax haven or somewhere far away from the hacker; secondly, the servers are probably other people's computers which have been taken over by hackers and used remotely.
      Thirdly, the hackers probably keep the codes on a secure server in an entirely different place from where they are based, and most likely regularly move them to different servers.

      They also probably have smart accountants on standby to launder the money away and make it untraceable.

      That would be how I would manage such a scheme, and I am sure these guys are cleverer than I am.
    • RE: GpCode ransomware returns, with stronger encryption

      The problem is, you would have to be able to trust the government to shut the servers down, not use them themselves.
  • Police inaction

    Unfortunately it costs up to $5000 or more to trace something across the Internet, so unless you were to get stung for this much, it is unlikely the authorities would even consider pursuing matters. All the more reason to run a good firewall and very good anti-virus program and keep the anti-virus definitions updated daily!
    • RE: GpCode ransomware returns, with stronger encryption


      <snork> Mostly you can track stuff "across the internet" entirely by yourself, for free, if you just know where to look. I once tracked down some hate mail sent from my sister's yahoo account to the locked door of her ex-boss that way, for instance.

      Now, prosecuting them once you find them ... that's another thing entirely. Her ex-boss got away with it because it was too expensive to subpoena log files from yahoo, and since there was no financial gain or loss the FBI wasn't interested even though several federal statutes had been violated. We surely scared the hell out of him when we hauled him into court on stalking charges though.

      One of my favorite hacks back a decade or so ago was to automatically backtrack people who were trying to break into my server, then ping their hosts with a payload of "+++ATH0+++". At the time the Flex56 chipsets were common and most people used dialup, so this caused their modem to disconnect and drop them off the net. Much hilarity for the 6 to 8 months it took before people caught on. Broadband negated that particular approach, alas, although there are some slightly more sophisticated approaches that do still work. These days, though, it's easiest to just blackhole their IP address at the firewall.

      jim frost
      • RE: GpCode ransomware returns, with stronger encryption


        i can tell you've never done a forensic analysis on a sophisticated attack.

        just off the top of my head from what i remember about this, they have found that zombied computers in the United States and servers in China have been used.

        do you seriously think any malware writer is going to include logging as part of the zombie program?

        i do really like the simplicity you used on the modem attackers though, that is priceless :)
    • RE: GpCode ransomware returns, with stronger encryption

      @chaz15 For my work (and ISP) I run a number of mailservers, I _know_ that even though we get anti-virus definition updates every 15 minutes, it still isn't enough to catch all the variants. If you rely on just anti-virus you are doomed, anti-virus is already useless. They only detect what they know and variants are created faster than they can add them.
    • RE: GpCode ransomware returns, with stronger encryption


      and do protected backups!
  • RE: GpCode ransomware returns, with stronger encryption

    Make backups, lots of backups. If you get hit, make an image and use another computer until this gets solved. I like Acronis myself, use whatever suits you but use something and use it often. Drives are cheap - data may not be.
    • There's a number of free tools out there

      like SystemRescueCD, which is free and makes a clone of the partition in full. You can also have a friend with a Mac or Linux box clone your drive to an image file.

      The simple fact of the matter is that backups are your friend. Backup to an external drive often, back up to DVD once a month.
      • RE: GpCode ransomware returns, with stronger encryption


        automated daily/weekly/monthly/yearly rotated backups to an isolated system; personally i use ssh-tunneled rsync to a host that only allows ssh through its firewall, and the server controls the backup path based on time/date and connecting host
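The push-only backup arrangement described in the comment above, as an added example (not code from the commenter or from ZDNet): a forced-command gate on the backup host that lets the client run nothing but rsync, derives the destination from the connecting address and the date instead of trusting the client, and forbids deletion, so a ransomware-infected client cannot reach or wipe earlier copies. It assumes the rrsync helper distributed with rsync is installed at /usr/bin/rrsync and that /srv/backups is the backup root; both are assumptions.

```shell
#!/bin/sh
# Forced-command gate for a push-only backup host (added example).
# On the backup server, the client's key line in ~/.ssh/authorized_keys
# points at this script so the client can never get a shell:
#   command="/usr/local/bin/backup-gate",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup-client
# Assumed (not from the thread): backups live under /srv/backups and the
# rrsync helper distributed with rsync is installed at /usr/bin/rrsync.
BACKUP_ROOT=/srv/backups
RRSYNC=/usr/bin/rrsync

# The server, not the (possibly infected) client, chooses the destination:
# one directory per connecting address and per day, so a client can only
# add today's copy and never points rsync at an older one.
# $1 is SSH_CONNECTION ("client_ip client_port server_ip server_port"),
# $2 is a YYYY-MM-DD date string.
backup_dest() {
    client_ip=${1%% *}
    case "$client_ip" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;  # refuse anything but an IP literal
    esac
    printf '%s/%s/%s\n' "$BACKUP_ROOT" "$client_ip" "$2"
}

# Only an rsync server-mode session is let through; a shell, scp or an
# "rm -rf" smuggled in as SSH_ORIGINAL_COMMAND is rejected.
allowed_command() {
    case "$1" in
        "rsync --server "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd runs the forced command.
main() {
    allowed_command "${SSH_ORIGINAL_COMMAND:-}" || { echo "rejected" >&2; exit 1; }
    dest=$(backup_dest "${SSH_CONNECTION:-}" "$(date +%F)") || exit 1
    mkdir -p "$dest"
    # rrsync confines rsync to $dest; -no-del stops the client from
    # deleting files inside it, so earlier copies survive an infection.
    exec "$RRSYNC" -no-del "$dest"
}

# Run the gate only under sshd, not when the file is sourced for testing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

The client side then runs an ordinary rsync over ssh with the backup key; the path it names is ignored, since rrsync pins the transfer to the directory the server chose.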
  • shut down? not so fast...

    Just wanted to challenge the advice to shut down the PC as a method of safeguarding your PC's current state. Since many systems are set to install Windows updates at shutdown, I strongly advise against that advice, as it could in fact render your files irretrievable depending on your WUS settings. Yes, of course shut down, but make sure you don't let Windows do any updates in that process...
    • RE: GpCode ransomware returns, with stronger encryption

      @qbicdesign That's why he said to push the reset button. It's instant, unlike shutdown