New GPCode ransomware encrypts files, demands $125 for decryption

Researchers from Kaspersky Lab have intercepted a new variant of the GPCode ransomware.

Got backups?

Researchers from Kaspersky Lab have intercepted a new variant of the GPCode ransomware. Upon execution, it encrypts popular file extensions and demands a ransom payment for the decryption program. "The encrypted files cannot be recovered because of the strong cryptography employed", according to Kaspersky.

The message reads:

Attention!!! All your personal files (photo, documents, texts, databases, certificates, video) have been encrypted by a very strong cypher RSA-1024. The original files were deleted. You can check - just look for files in all folders. There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anobody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 125$ via ukash/psc pre-paid cards. And remember, any harmful or bad words to our side will be reason for ignoring your message and nothing will be done. For details you have to send your requests on this email (attach to message a full serial key shown below in this ' how to..' file on desktop.

Targeted file extensions:

*.jpg; *.jpeg; *.psd; *.cdr; *.dwg; *.max; *.mov; *.m2v; *.3gp; *.doc; *.docx; *.xls; *.xlsx; *.ppt; *.pptx; *.rar; *.zip; *.mdb; *.mp3; *.cer; *.p12; *.pfx; *.kwm; *.pwm; *.txt; *.pdf; *.avi; *.flx; *.lnk; *.bmp; *.1cd; *.md; *.odt; *.vob; *.ifo; *.mpeg; *.mpg
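A defender-side triage helper built around that extension list, added here as an example (it is not Kaspersky's code and not from the original article). It assumes the sample leaves the original file name and extension in place after replacing the content, so a file whose extension is on the list but whose leading bytes no longer match the format's signature (or, for plain text, whose content has become uniformly high-entropy) is a cheap indicator of encrypted content. The sample files it builds are constructed for the demonstration.

```python
"""Flag targeted-extension files whose content no longer looks like the format.

Added example, not part of the original article. Assumption: the encrypted
file keeps its original name and extension; only the content is replaced.
"""
import math
import tempfile
from pathlib import Path

# Extensions the article lists as targeted by this GPCode variant.
TARGETED_EXTENSIONS = {
    ".jpg", ".jpeg", ".psd", ".cdr", ".dwg", ".max", ".mov", ".m2v", ".3gp",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rar", ".zip", ".mdb",
    ".mp3", ".cer", ".p12", ".pfx", ".kwm", ".pwm", ".txt", ".pdf", ".avi",
    ".flx", ".lnk", ".bmp", ".1cd", ".md", ".odt", ".vob", ".ifo", ".mpeg", ".mpg",
}

# Well-known leading byte signatures for the subset of formats that have one.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"],   # OOXML = ZIP container
    ".pptx": [b"PK\x03\x04"], ".odt": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"], ".xls": [b"\xd0\xcf\x11\xe0"],  # OLE2 compound
    ".ppt": [b"\xd0\xcf\x11\xe0"],
    ".rar": [b"Rar!\x1a\x07"],
    ".bmp": [b"BM"],
    ".psd": [b"8BPS"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
}

# Formats with no signature but a predictable byte distribution.
PLAIN_TEXT_EXTENSIONS = {".txt", ".md"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; natural-language text sits around 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_file(path: Path, head_len: int = 4096):
    """Return a reason string if the file's content contradicts its extension,
    otherwise None (also None for extensions we cannot judge)."""
    ext = path.suffix.lower()
    if ext not in TARGETED_EXTENSIONS:
        return None
    with path.open("rb") as fh:
        head = fh.read(head_len)          # only the head is needed
    if ext in MAGIC:
        if not any(head.startswith(sig) for sig in MAGIC[ext]):
            return "signature mismatch"
        return None
    if ext in PLAIN_TEXT_EXTENSIONS and len(head) >= 256:
        ent = shannon_entropy(head)
        if ent > ENTROPY_THRESHOLD:
            return f"high entropy ({ent:.2f} bits/byte)"
    return None


def scan_tree(root):
    """Walk `root` and collect (file name, reason) for every suspicious file."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            reason = check_file(p)
            if reason:
                findings.append((p.name, reason))
    return findings


def build_demo_tree(root):
    """Constructed sample data: two intact files and two whose bodies were
    overwritten with uniformly distributed bytes standing in for ciphertext."""
    root = Path(root)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 512)
    (root / "notes.txt").write_bytes(b"quarterly numbers look fine\n" * 40)
    blob = bytes(range(256)) * 8      # every byte value equally likely: 8 bits/byte
    (root / "holiday.jpg").write_bytes(blob)
    (root / "passwords.txt").write_bytes(blob)
    return root


def demo_scan():
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(build_demo_tree(d))


if __name__ == "__main__":
    for name, why in demo_scan():
        print(f"{name}: {why}")
```

The signature check is the reliable half: a JPEG or PDF that no longer starts with its marker has had its content replaced. The entropy check is only applied to plain-text extensions, because compressed media (mp3, avi, zip) already read as high-entropy and would produce false positives.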

This sampled campaign is, thankfully, an example of a badly structured one from a monetization perspective. In the past, cybercriminals were slowly but evidently shifting their payment methods away from the original GPCode's demands for virtual currency such as Liberty Reserve and E-gold, toward so-called micro-payments via SMS messages. The use of pre-paid cards will definitely make it harder, if not impossible, for some users to comply with the demands in time, thankfully demotivating them from doing so.

Whatever you do, do not pay the cybercriminals and look for fresh backups of your affected files.
