Who's behind the GPcode ransomware?

Summary: In one of these moments when those who are supposed to know don't know, and those who don't realize what they know aren't reaching the appropriate parties, it's time we got back to basics: finding out who's behind GPcode, and trying to warn them of the consequences of their blackmailing actions, while collecting as much actionable intelligence as possible using OSINT (open source intelligence) and CYBERINT (cyber intelligence) practices.

Great situational awareness on the part of Kaspersky Lab, who were the first to report that a new version of GPcode (also known as PGPCoder) is in the wild, this time with a successful implementation of RSA 1024-bit encryption. However, aiming to crack the encryption could set an important precedent, namely using distributed computing to fight the effects of cyber criminals' actions. Theoretically, the next time they'll introduce even stronger encryption, which would be impossible to crack unless we want to end up running a dedicated BOINC project cracking ransomware in the future. Are there any other, more pragmatic solutions to dealing with cryptoviral extortion? It's all a matter of perspective. More info on the Stop GPcode initiative, seeking and receiving the collective intelligence of independent researchers, in this blog post:

"Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key. Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem. So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations. Here are the public keys used by the authors of Gpcode."

Despite the fact that GPcode did get the encryption implementation right this time, its one remaining weakness is the way it simply deletes the files it has just encrypted, rather than securely wiping them, at least according to a single sample obtained. Consequently, it is just like a situation where your files are encrypted with strong encryption and virtually impossible to crack, but the original files  Moreover, instead of trying to crack an algorithm that was created not to be cracked, at least not efficiently enough to produce valuable results by having the encrypted data decrypted, why not buy a single copy of the decryptor and start analyzing it? It also appears that the decryptor isn't universal; they seem to be building custom decryptors once the public key used to encrypt the data has been provided to them.
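
To make the deletion weakness concrete, here is an added illustration (not code from the post, and not a model of GPcode's actual code). It builds a tiny in-memory block device with a directory table and fixed-size blocks, then runs the encrypt-then-delete sequence twice: once with an ordinary unlink, which only drops the directory entry, and once with an overwrite-then-unlink wipe. A signature carver that reads only unallocated blocks recovers the original after a plain delete and nothing after a wipe. The header and trailer signatures, the sample document and the random bytes standing in for ciphertext are all constructed for the demonstration.

```python
"""Why plain deletion of the originals is a recoverable weakness.

Added illustration, not code from the post. It models a tiny block device
in memory: a directory table plus fixed-size blocks. An ordinary delete only
drops the directory entry, so the data blocks survive until they are reused
and can be carved back by signature. A secure wipe overwrites the blocks
before unlinking, and the same carver then recovers nothing.
"""
import os

BLOCK_SIZE = 16

# Signature pair used by the carver; a constructed stand-in for a real
# document format's header and trailer magic.
MAGIC = b"%PDF-"
TRAILER = b"%%EOF"

# Constructed sample document (not a real file from any incident).
ORIGINAL = b"%PDF-1.4 constructed sample: quarterly report, do not lose %%EOF"


class ToyDisk:
    """Flat array of blocks plus a directory mapping name -> block indexes."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}
        self.free = list(range(n_blocks))

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        idxs = [self.free.pop(0) for _ in range(needed)]
        for k, i in enumerate(idxs):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = idxs

    def read(self, name):
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\0")

    def unlink(self, name):
        """Ordinary delete: forget the mapping and free the blocks, contents intact."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name):
        """Secure delete: overwrite every block with random bytes, then unlink."""
        for i in self.directory[name]:
            self.blocks[i] = os.urandom(BLOCK_SIZE)
        self.unlink(name)

    def unallocated(self):
        used = {i for idxs in self.directory.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]


def carve(disk):
    """Signature carving over unallocated blocks only; no directory needed."""
    unalloc = disk.unallocated()
    unalloc_set = set(unalloc)
    recovered = []
    for start in unalloc:
        if not disk.blocks[start].startswith(MAGIC):
            continue
        buf = b""
        j = start
        # Follow physically consecutive unallocated blocks until the trailer shows up.
        while j in unalloc_set:
            buf += disk.blocks[j]
            if TRAILER in buf:
                recovered.append(buf[:buf.index(TRAILER) + len(TRAILER)])
                break
            j += 1
    return recovered


def simulate(secure_wipe):
    """Encrypt-then-delete as the post describes, with either deletion strategy.

    Returns whatever the carver gets back afterwards.
    """
    disk = ToyDisk(10)
    disk.write("report.pdf", ORIGINAL)
    # Stand-in for the encrypted copy: opaque bytes of the same length. The
    # content of the ciphertext is irrelevant to the recovery question.
    disk.write("report.pdf._CRYPT", os.urandom(len(ORIGINAL)))
    if secure_wipe:
        disk.wipe("report.pdf")
    else:
        disk.unlink("report.pdf")
    return carve(disk)


if __name__ == "__main__":
    print("plain delete, carved:", simulate(False))
    print("secure wipe, carved: ", simulate(True))
```

The same reasoning applies to a real filesystem: until the freed blocks are reused, an undelete or carving tool can pull the plaintext back, which is why the advice at the end of the post to try restoring deleted files is worth following before anything else is written to the affected volume.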

So, the ultimate question: who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well as their most recent IPs used in the communication:

Emails used by the GPcode authors, which infected victims are supposed to contact:
content715@yahoo .com
saveinfo89@yahoo .com
cipher4000@yahoo .com
decrypt482@yahoo .com

Virtual currency accounts used by the malware authors:
Liberty Reserve - account U6890784
E-Gold - account 5431725
E-Gold - account 5437838

Sample response email: "Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

Second sample response email, this time requesting $200: "The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

So, you've got two people responding with copy-and-paste emails, each of them seeking a different amount of money? Weird. The John Doe-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network, China Network Communications Group Corporation, No.156 Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227 (Liaoning Province Network, China Network Communications Group Corporation, No.156 Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, even though these campaigners are Russians.
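
The contact mailboxes, payment accounts, reply IPs and the !_READ_ME_!.txt note name above are the kind of indicators a defender can match against mail logs and file shares. The following is an added example of doing that, not code from the post or from any vendor product: the indicator values are the ones listed above (with the defanged "yahoo .com" mailboxes refanged so they match real traffic), while the ransom-note text, the second file and the mail-log lines are constructed samples in an invented log format, not captured evidence. IP matches are reported separately because the post itself notes the senders are bouncing through Chinese hosts, so an address match is corroboration rather than proof.

```python
"""Matching the campaign indicators listed above against local artefacts.

Added example, not from the post or any vendor product. The indicator
values (contact e-mails, payment accounts, reply IPs, ransom-note file
name) are the ones the post lists; the ransom-note text and the mail-log
lines further down are constructed samples, not captured evidence.
"""
import re
from dataclasses import dataclass

# Indicators from the post. The post defangs the mailboxes with a space
# before ".com"; they are refanged here so they match real traffic.
CONTACT_EMAILS = {
    "content715@yahoo.com",
    "saveinfo89@yahoo.com",
    "cipher4000@yahoo.com",
    "decrypt482@yahoo.com",
}
PAYMENT_ACCOUNTS = {"U6890784", "5431725", "5437838"}  # Liberty Reserve, E-Gold
REPLY_IPS = {"58.38.8.211", "221.201.2.227"}
RANSOM_NOTE_NAME = "!_READ_ME_!.txt"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ACCOUNT_RE = re.compile(r"\b(?:U\d{7}|\d{7})\b")


@dataclass(frozen=True)
class Hit:
    kind: str    # "email", "account", "ip" or "note_name"
    value: str
    source: str  # file path or log line that produced the hit


def scan_text(text, source):
    """Return only tokens that match a listed indicator; everything else is ignored."""
    hits = []
    for mailbox in EMAIL_RE.findall(text):
        if mailbox.lower() in CONTACT_EMAILS:
            hits.append(Hit("email", mailbox.lower(), source))
    for acct in ACCOUNT_RE.findall(text):
        if acct in PAYMENT_ACCOUNTS:
            hits.append(Hit("account", acct, source))
    # IP hits are the weakest signal: the post notes the senders are bouncing
    # through Chinese hosts, so treat these as corroboration only.
    for ip in IPV4_RE.findall(text):
        if ip in REPLY_IPS:
            hits.append(Hit("ip", ip, source))
    return hits


def scan_files(files):
    """files: {path: text}. Flags ransom notes by name and by contents."""
    hits = []
    for path, text in files.items():
        if path.replace("\\", "/").rsplit("/", 1)[-1] == RANSOM_NOTE_NAME:
            hits.append(Hit("note_name", RANSOM_NOTE_NAME, path))
        hits.extend(scan_text(text, path))
    return hits


def scan_mail_log(lines):
    """Outbound mail to a contact address is the earliest sign a victim is negotiating."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_text(line, f"maillog:{n}"))
    return hits


# Constructed samples for the demonstration (invented log format, invented note text).
SAMPLE_FILES = {
    "C:/Users/victim/Documents/!_READ_ME_!.txt":
        "Your files are encrypted. For decryptor contact saveinfo89@yahoo.com "
        "and pay to Liberty Reserve account U6890784.",
    "C:/Users/victim/Documents/notes.txt": "Lunch with Bob at 12:30, call 5551234.",
}
SAMPLE_MAIL_LOG = [
    "2008-06-05 10:12:03 from=victim@corp.example to=content715@yahoo.com client=10.0.0.5",
    "2008-06-05 11:40:17 from=decrypt482@yahoo.com to=victim@corp.example client=58.38.8.211",
    "2008-06-05 12:01:00 from=alice@corp.example to=bob@corp.example client=10.0.0.7",
]


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES) + scan_mail_log(SAMPLE_MAIL_LOG):
        print(f"{hit.kind:9} {hit.value:24} <- {hit.source}")
```

The account regex deliberately matches any seven-digit token and then discards everything not in the listed set, so a phone number in an unrelated file produces no hit; the same filter-after-extract pattern keeps the e-mail and IP checks from flagging ordinary traffic.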

This incident is a great example of a targeted cryptoviral extortion attack: it isn't efficiency-centered, and the core distribution method remains unknown for the time being. Analysis and investigation are continuing. If you're affected, look for backups of your data or try restoring the deleted files; don't encourage blackmail by paying them.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

26 comments
  • Any way we can perform

    a distributed computing for cracking these keys? like folding at home? (ps. make it proxy compatible.)
    mtgarden
    • Re: Any way we can perform

      BOINC would be the perfect and most reputable solution:

      http://en.wikipedia.org/wiki/BOINC

      However, the idea would never scale, for instance, how would you prioritize which files to decrypt first? This is among the key points that I tried to emphasize in the post, namely, that such an initiative is futile since the next time they'll introduce stronger encryption, making it impossible to decrypt.
      ddanchev
  • even better

    arrest the scumbags and put them in jail until they release the code and any extorted money.
    Just track the damn funds and grab the crooks!
    Cracking the key would merely make them release a version with different keys.
    Linux Geek
    • Re: even better

      "Cracking the key would merely make them release a version with different keys."

      It seems that the decryptor isn't universal, and that they're building a custom decryptor once the victim has provided them with the public key the data got encrypted with. Anyway, directly attacking the encryption, at least efficiently, is a bit of a futile attempt to deal with this.
      ddanchev
    • Putting them in jail and waiting..

      Would take too long. Shoot one person in front of the other for their stupidity and watch how fast the second person talks lol. People need to see and feel the consequences for their actions. The world may be better for it.
      lenohere
  • RE: Who's behind the GPcode ransomware?

    If they would do that it would be all over the news and other countries might think that all we care about is the money and getting the code. I think there might be another way to getting the GPcode.
    ashlieghe86307
  • RE: Real Bad Guys, -or-

    soon to be really Dead Guys if they hit the wrong machine network. These people are really playing with fire this time around, kiddie games are over. The ones behind this have to be some hard core bada$$es, or way in over their heads. Let's hope for all concerned, they see that the best way out is out now. -d
    dawgit
    • Ooops, I didn't know that was a KGB system!

      Yeah...

      Crash the wrong system and disappear forever after a *very* painful going away party....

      Or, we could offer a reward, as in the Old American West, Wanted Dead or Alive Cyber Extortionists...

      Could all contribute to the fund...

      Once it gets big enough...

      We'd have soldiers of fortune from everywhere looking for these @#$^&(*())

      Mike Sr.
  • RE: Who's behind the GPcode ransomware (Russians? Really?)

    Dancho, I didn't find any proof from the reading, that the pimpled russians are behind this. Any solid proof, please?
    wicked_estonian
    • RE: Who's behind the GPcode ransomware?

      Thanks! Good luck to you as well. :D
      tank33
  • Disable Cryptographic services???

    I would assume that if it uses the Windows cryptographic services component then one could just stop the service and disable it? The virus would then fail?
    There may be more proactive approaches such as running code which precludes the cryptographic service operating without a manually entered password?
    It seems there is little else we can do unless they finish Roadrunner quickly and even then it is insufficient. The better course of action is to determine a way to prevent the damage from occurring, rather than everyone try and break RSA 1024, because they'll be back with 2048.
    I give them about two weeks before they're caught.
    topsecret@...
    • RE: Who's behind the GPcode ransomware?

      @topsecret@...

      they wrote and use their own crypto engine, and how do you catch them? a few Russians bouncing off (likely compromised) servers in china, and how many more bounces do we not know about yet?
      erik.soderquist
  • RE: Who is behind the GPcode ransomware

    Dancho,

    If the people behind this are indeed Russian, then I feel that a little Soviet era punishment is in order. Send them to a Gulag in Siberia for life. Maybe they will try to escape, and get shot for their efforts. In any event, these people need to be dealt with HARSHLY!!!
    fatman65535
  • Indeed, who?

    How exactly did we discover that it is a couple of Russian teens?

    Did the Chinese tell us that?
    Or maybe they're going by what the Liberty Reserve or E-Gold accounts are registered to...

    Either way, I don't see the solidity of that evidence.
    ZDNET_guest666
  • RE: Who's behind the GPcode ransomware?

    It's Niko... clearly... and his pal Roman. Using the Liberty
    City Reserve to transfer funds. Hold on to your balista
    compacts everyone... they are next.
    Capital_I
  • bad bad article

    After my first read I thought I had missed a page and read again.
    Where is the investigation? How do you jump from Chinese IP addresses to Russian teens? At least one sentence ("but the original files") has no end, wtf? Come on Dancho, you can do _much_ better than that...
    m-s-p
  • RE: Who's behind the GPcode ransomware?

    If your drive is already PGP encrypted can it be re-encrypted?
    WiredToTheMax
    • Re-encryption

      Any file (or collection of files) can be encrypted. If your files are PGP encrypted and they are encrypted again the decryption will result in the PGP encrypted file.
      dickmac-zdnet@...
  • RE: Who's behind the GPcode ransomware?

    You bet. An encrypted file is still just a file.
    Larry the Security Guy
  • RE: Who's behind the GPcode ransomware?

    It's a non-issue, at least for me. I back up my important stuff, so it doesn't matter at all. Good luck to all the losers who leave their stuff just hangin' out there, blowing in the wind...

    Robert
    rmazzeo