New GPCode ransomware encrypts files, demands $125 for decryption

Summary: Researchers from Kaspersky Lab have intercepted a new variant of the GPCode ransomware.

TOPICS: Malware, Security

Got backups?

Researchers from Kaspersky Lab have intercepted a new variant of the GPCode ransomware. Upon execution, it encrypts files with popular extensions and demands a ransom payment for the decryption program. "The encrypted files cannot be recovered because of the strong cryptography employed," according to Kaspersky.

The message reads:

Attention!!! All your personal files (photo, documents, texts, databases, certificates, video) have been encrypted by a very strong cypher RSA-1024. The original files were deleted. You can check - just look for files in all folders. There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anobody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 125$ via ukash/psc pre-paid cards. And remember, any harmful or bad words to our side will be reason for ignoring your message and nothing will be done. For details you have to send your requests on this email (attach to message a full serial key shown below in this ' how to..' file on desktop.

Targeted file extensions:

*.jpg; *.jpeg *.psd *.cdr *.dwg *.max *.mov *.m2v *.3gp *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.rar *.zip *.mdb *.mp3 *.cer *.p12 *.pfx *.kwm *.pwm *.txt *.pdf *.avi *.flx *.lnk *.bmp *.1cd *.md *.odt *.vob *.ifo *.mpeg *.mpg

This sampled ransomware campaign is, thankfully, an example of a campaign that is badly structured from a monetization perspective. In the past, cybercriminals were slowly but evidently switching their payment methods to include so-called micro-payments using SMS messages, in contrast to the original GPCode, which demanded payment in virtual currency such as Liberty Reserve and E-gold. The use of pre-paid cards will definitely make it harder, if not impossible, for some users to comply with the demands in a timely manner, thankfully demotivating them from doing so.

Whatever you do, do not pay the cybercriminals and look for fresh backups of your affected files.
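
A backup-coverage check built on the extension list above, as an added example that is not part of the original article: it walks a source tree and reports targeted files that have no copy, or only an older copy, under a backup root. The function names, the mirrored directory layout and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path

# Patterns copied from the article's "Targeted file extensions" list.
TARGETED = (
    "*.jpg *.jpeg *.psd *.cdr *.dwg *.max *.mov *.m2v *.3gp *.doc *.docx "
    "*.xls *.xlsx *.ppt *.pptx *.rar *.zip *.mdb *.mp3 *.cer *.p12 *.pfx "
    "*.kwm *.pwm *.txt *.pdf *.avi *.flx *.lnk *.bmp *.1cd *.md *.odt "
    "*.vob *.ifo *.mpeg *.mpg"
).split()

def is_targeted(name):
    """True if the file name matches a targeted pattern (case-insensitive)."""
    lowered = name.lower()
    return any(fnmatchcase(lowered, pattern) for pattern in TARGETED)

def backup_gaps(source_root, backup_root):
    """Map relative path -> 'missing' or 'stale' for targeted files
    that lack a fresh copy under backup_root (assumed to mirror the source)."""
    source_root, backup_root = Path(source_root), Path(backup_root)
    gaps = {}
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            if not is_targeted(name):
                continue
            src = Path(dirpath) / name
            rel = src.relative_to(source_root)
            dst = backup_root / rel
            if not dst.is_file():
                gaps[rel.as_posix()] = "missing"
            elif dst.stat().st_mtime < src.stat().st_mtime:
                gaps[rel.as_posix()] = "stale"  # source changed after the backup
    return gaps

def demo():
    """Run the check on a constructed sample tree (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "docs"), Path(tmp, "backup")
        src.mkdir()
        bak.mkdir()
        for name in ("report.docx", "photo.JPG", "keys.pfx", "notes.log"):
            (src / name).write_text("sample")
        for name in ("report.docx", "photo.JPG"):
            (bak / name).write_text("sample")
        os.utime(src / "report.docx", (1000, 1000))  # source older than its backup
        os.utime(bak / "photo.JPG", (1000, 1000))    # backup older than its source
        return backup_gaps(src, bak)
```

Calling `backup_gaps` with a real documents folder and backup location gives the list of files to copy before anything else; files outside the targeted list, such as `notes.log` in the sample, are ignored.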


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • WIN PC users - amazing

    You guys put up with a lot to use WIN PC's ...
    • It happens when you're using the best

      everyone's out to get you.
      Nobody wants to steal, or race against, a jalopy! :)
      John Zern
      • With Linux, there's no worry about this

        Unless you're dumb enough to send them a credit card number.
    • RE: New GPCode ransomware encrypts files, demands $125 for decryption

      @jbelkin - If there were more people using Macs or Linux machines, the payoff for thieves like this would make writing malware for them more lucrative. Your false sense of superiority is only a sign that you've picked a niche OS.
      • A niche OS...

        that, by your own admission, makes you less of a target for ransomware. Hmmm
        Richard Flude
    • How would we know?

      No mention of the targeted OS in the article, a surprising omission. I'm left wondering which one it could be;-)
      Richard Flude
      • Might I suggest following the link contained within the article?

        @Richard Flude
        The code analysis and API usage should reveal the target platform... in case you haven't already guessed ;-)
      • RE: New GPCode ransomware encrypts files, demands $125 for decryption

        @Richard Flude


        Specific detection has been added and the threat is now detected as

        The infection occurs when a malicious website is visited. (drive by download)

        Upon execution, the GPCode Ransomware will generate an AES 256 bit key (Using the Windows Crypto API), and use the criminal's public RSA 1024 key to encrypt it.

        I'll hazard a guess it only affects MS Windows.
  • I actually hope a few fall for this...

    maybe the people responsible will spring for a copy of Rosetta Stone
    • RE

      @SonofaSailor THAT was awesome
  • Stupid Question

    So don't pay them and if you are some dumb bass who doesn't have backups your method of file recovery is....pray?
    • Preserve the hard drive until someone cracks the encryption?

      @m0o0o0o0o
      I've no idea when we can reasonably expect a properly implemented 1024 bit cypher to be considered "crackable".

      Or maybe the deleted original files can be recovered using computer forensics?
  • Not on a mac baby!

  • LOL!!! HAHAHA!!!

    Is that a Windows Desktop I see!!......Of course it is!!!!