Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

GpCode ransomware returns, with stronger encryption

By Ryan Naraine | November 29, 2010, 10:20am PST

Summary: A new version of the dangerous GpCode ransomware has been detected, using RSA-1024 and AES-256 as crypto-algorithms.

According to Vitaly Kamluk of Kaspersky Lab (disclosure: my employer), the latest iteration of this malware is stronger than ever.

GpCode is back and it is stronger than before. Unlike the previous variants, it doesn’t delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.

Once a machine is infected with GpCode, the malware encrypts files and opens a ransom note in Notepad demanding a $120 fee to retrieve the files. It also changes the desktop wallpaper to display a message (see image above).

Kamluk offers some advice for any Windows user that sees this ransom warning after an infection:

If you think you are infected, we recommend that you do not change anything on your system, as it may prevent potential data recovery if we find a solution. It is safe to shut down the computer or restart it despite claims by the malware writer that files are deleted after N days; we haven't seen any evidence of a time-based file-deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by a computer restart.

People who are not infected should be aware of the problem and should recognize GpCode from the first second the warning appears on the screen. Pushing the Reset/Power button on your desktop may save a significant amount of your valuable data!

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments

if you pay the ransom, do you get your files unencrypted?
yeah, right...
cornpie 29th Nov 2010
@Al_nyc ....give them your credit card number. That's probably what they really wanted in the first place.
@cornpie

actually, looking at the details gleaned from the perpetrator's attempt to sell a decryptor to Kaspersky, he doesn't want the CC # at all, and in fact is pushing the transactions through a service that makes it impossible to get the CC # or the user's identity through this transaction. he really only wants the money, as untraceable as possible.

it has also proven difficult to trace the money... we can only guess how many "mules" transfer the money deeper than we can currently see
A: How is this iteration of the malware transmitted?
B: Will Kaspersky Internet Security prevent infection?
What good is this article? No mention of how the malware is distributed - is it via a web site, e-mail attachment, etc; no mention of whether any of the current virus programs can or can't catch it; no mention of where the vulnerability lies, or if and when we can expect a patch to close the hole.

If you're going to write about something, why not do some proper research, instead of just phoning it in?

With that said, I would assume that the extortion fee is paid via credit card (something else the author could have researched for us), so that begs the question as to how these thieves get away with their thievery.

Short of making the "drop" at the trash receptacle at Fourth and Main, wouldn't it be pretty easy to track down these people and bring them to justice simply by following the money?

Is global law enforcement just that incompetent, are they corrupted and sharing in the booty, or do they just don't care?

I suppose that the thieves depend on all three!
Good Point
jacquesdebois 4th Dec 2010
@omb00900@...

excellent point.
@omb00900@...

p2p networks and malicious websites, i would venture that Kaspersky can catch it as they are announcing it, it isn't necessarily a vulnerability so much as a user error (DON'T RUN UNTRUSTED PROGRAMS!!) since it is listed as a trojan.

the ransom fee is paid via services like e-gold, making it extremely difficult to trace the money, and the thief is specifically refusing CC, etc which are much more easily traceable. and after that, we have no guess yet as to how many "mules" transfer the money deeper
Since all money is traceable, as to some extent are IP addresses, there is no way for a ransom to be completely untraceable by an agency with resources.

It behooves the US government to identify the criminals, drop a special ops team on their heads (with the cooperation of the local government). Then take control of the servers (wherever they may be) and the unlock codes so data can be recovered. Last, turn the criminals in to the local government for persecution and prosecution.

This is why we need special ops teams, to protect us. We spend billions of dollars chasing round Iraq and Afghanistan, we can spend a few taking out these chaps.
@jamesm@... Except it's not that easy. The money is probably paid to some account in a tax haven or somewhere far away from the hacker. Secondly, the servers are probably other people's computers which have been taken over by hackers and used remotely.
Thirdly, the hackers probably keep the codes on a secure server in an entirely different location from where they are based, and most likely regularly move them to different servers.

They also probably have some accounts on standby to launder the money away and make it untraceable.

That would be how I would manage such a scheme, and I am sure these guys are cleverer than I am.
@jamesm@...
The problem is, you would have to be able to trust the government to shut the servers down, not use them themselves.
Police inaction
chaz15 29th Nov 2010
Unfortunately it costs up to $5000 or more to trace something across the Internet, so unless you were to get stung for this much, it is unlikely the authorities would even consider pursuing matters. All the more reason to run a good firewall and very good anti-virus program and keep the anti-virus definitions updated daily!
@chaz15

Mostly you can track stuff "across the internet" entirely by yourself, for free, if you just know where to look. I once tracked down some hate mail sent from my sister's yahoo account to the locked door of her ex-boss that way, for instance.

Now, prosecuting them once you find them ... that's another thing entirely. Her ex-boss got away with it because it was too expensive to subpoena log files from yahoo, and since there was no financial gain or loss the FBI wasn't interested even though several federal statutes had been violated. We surely scared the hell out of him when we hauled him into court on stalking charges though.

One of my favorite hacks back a decade or so ago was to automatically backtrack people who were trying to break into my server, then ping their hosts with a payload of "+++ATH0+++". At the time the Flex56 chipsets were common and most people used dialup, so this caused their modem to disconnect and drop them off the net. Much hilarity for the 6 to 8 months it took before people caught on. Broadband negated that particular approach, alas, although there are some slightly more sophisticated approaches that do still work. These days, though, it's easiest to just blackhole their IP address at the firewall.

jim frost
jimf@frostbytes.com
@jimfrost

i can tell you've never done a forensic analysis on a sophisticated attack.

just off the top of my head from what i remember about this, they have found that zombied computers in the United States and servers in China have been used.

do you seriously think any malware writer is going to include logging as part of the zombie program?

i do really like the simplicity you used on the modem attackers though, that is priceless
@chaz15 For my work (and ISP) I run a number of mailservers, I _know_ that even though we get anti-virus definition updates every 15 minutes, it still isn't enough to catch all the variants. If you rely on just anti-virus you are doomed; anti-virus is already useless. They only detect what they know, and variants are created faster than they can add them.
@chaz15

and do protected backups!
Make backups, lots of backups. If you get hit, make an image and use another computer until this gets solved. I like Acronis myself, use whatever suits you but use something and use it often. Drives are cheap - data may not be.
like SystemRescueCD, which is free and makes a clone of the partition in full. You can also have a friend with a Mac or Linux box clone your drive to an image file.

The simple fact of the matter is that backups are your friend. Backup to an external drive often, back up to DVD once a month.
@nix_hed

automated daily/weekly/monthly/yearly rotated backups to an isolated system; personally i use ssh tunneled rsync to a host that only allows ssh through its firewall, and the server controls the backup path based on time/date and connecting host
shut down? not so fast...
qbicdesign 29th Nov 2010
Just wanted to challenge the advice to shut down the PC as a method of safeguarding your PC's current state. Since many systems are set to install Windows updates at shutdown, I strongly advise against that advice, as it could in fact render your files irretrievable depending on your WUS settings. Yes, of course shut down, but make sure you don't let Windows do any updates in that process...
@qbicdesign That's why he said to push the reset button. It's instant, unlike shutdown
The perfect answer
HugoM 29th Nov 2010
Send in Team America: World Police. That will sort it all out!
**** YEAH!!!!!!!
Cylon Centurion 29th Nov 2010
Lol
@HugoM

or at the very least we get a good laugh!
RE: The perfect answer
rtk 1st Dec 2010
@HugoM

That'd be like 911 times a thousand.
40 common antivirus
janitorman 29th Nov 2010
engines BLOCK this code already. Be sure your antivirus is up to date.
Also, this is a VERY limited infection, only targeted at a few computers. It's highly unlikely if you haven't seen it already that you'll get it.
ah backup anyone?
How can you get it? And it would take a very long time to encrypt the filesystem. So it's not like this can happen instantly.
noobz
Jimster480 29th Nov 2010
Their crappy English and noob threats shows that they are nothing but a batch of noobs using encryption with simple functions. Sooner or later they are going to mess with the wrong person and then they will get owned.
Ok, get off of XP, please!
Cylon Centurion 29th Nov 2010
What does this do to x64 versions of Vista and 7? XP is ancient history!
Questions that ought to be answered ASAP. How does it propagate? Can an external drive with startup system control the computer so that one can delete the files that carry the encoding software that encrypted the data files and if so, can it be ordered to unencrypt these files and if not, how can one keep it from spreading within one's system or LAN and so forth. There is only a scare here and no bones in the reported malware monster.
is it meant to believe on?
What was this? Other than an ad for GpCode ransomware?
It contained no useful info except shut down your computer.
This probably isn't a Mac/PC issue, but my Mac side runs two hard drives called "Primary" and "Secondary". The Secondary drive is a bit copy of the Primary, and that copy process is run twice a week on a regular basis. It didn't start as a backup because of any malware, but rather because I'd toss out something that I shouldn't or, more commonly, I'd try a new software version that I didn't like or that didn't work the way I wanted. The older version was still on Secondary. If this attack were to take place on this Mac, the Secondary drive would be brought online as the startup drive and the contents of Primary would be restored. My PC runs easily replaced programs and the data isn't saved beyond a paper design. If it were compromised, a reload would fix the problem. In either case, back up your software. If you're like me, I fear me more than "them".
Here's a surefire way of avoiding this:
1. Backup your personal documents.
2. Format your hard disk.
3. Install MacOS.
4. Send smug response to Talkback.
@Dave_ew

I would change only item #3 to

3. Install Linux.
Once again it is time to ditch XP
Cylon Centurion 30th Nov 2010
So far using the Wikipedia entry, all I can find is that this baddie can only infect Windows from 95 to XP, I can find no mention of Vista or Se7en.

I guess this will be XP's legacy then. The OS that we'll all remember as being the most insecure thing to run. Funny cus people seem to love it so much, causing this crap to stick around.

http://en.wikipedia.org/wiki/Gpcode
@Cylon Centurion 0005

unfortunately the page you reference is woefully lacking in technical details...

however: based on the information we have, this is a win32 compiled trojan. logically it would operate on any system capable of correctly executing a win32 binary, this includes windows 7 64 bit.

the security access needed is only user security, as it is reading, encrypting, and overwriting the user's files. system files are not targeted, only the data files.

the trojan distributes through p2p networks (warez and illegal music/movies would be my primary bet) and malicious websites. it could easily masquerade as a movie player, a codec, a hacked copy of XYZ program, etc, needing only the user to execute it.

after it runs, it leaves its message and purges itself to make it more difficult to get a sample and reverse engineer it.

based on it being a win32 executable, the only 'protection' i can think of (aside from anti-malware that detects it) would be to disable the win32 compatibility on a 64 bit system.

also, this means it is a user security issue (DON'T RUN UNKNOWN PROGRAMS!!) rather than an OS security issue
I'm working on a laptop with this on it now. It downloaded the virus through a pdf file from this site:
updtsforsoft.ru - a Russian website. It does encode the main user files. I'm about ready to just reformat and reinstall Windows XP on this laptop.
@Dekkerfan

i'd like to know if you could deliberately re-download the trojan. it would be very interesting to see what security access it does or doesn't ask for on a Windows 7 system

i'd also like to know if Linux systems with WINE installed and working would also be susceptible to this.
rotating drives on a remote computer connected via ssh tunneled rsync is my preferred home backup, using another remote process to flag if "too much" changed so i can look at the reported changes and see if it really is an issue or if i was just really busy that day

regarding the key recovery... if they managed to capture a sample of the malware and extract its half of the key pair, how many computers running in parallel would it take to brute force the key in a reasonable amount of time?

and is it likely that there is some portion of the key stored somehow on the infected machine to allow each machine to require a unique key?

i could see brute forcing ransomware keys as a great "seti-at-home" styled project that a lot of people would very enthusiastically donate computer cycles to
