June 6th, 2008

Blackmail ransomware returns with 1024-bit encryption key

Posted by Ryan Naraine @ 8:29 am

Categories: Complex Attacks, Exploit code, Hackers, Microsoft, Passwords, Privacy, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Yahoo!

Tags: Encryption, Private Key, File, Key, Cyberthreats, Viruses And Worms, Security, Ryan Naraine

Virus analysts at Kaspersky Lab (my employer) have intercepted a new variant of Gpcode, a malicious virus that encrypts important files on an infected desktop and demands payment for a key to recover the data.

The biggest change in this variant of the ransomware is the use of the RSA encryption algorithm with a 1024-bit key, which makes the encrypted files impossible to recover without the author's private key. Here's the explanation from Kaspersky Lab:

We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can’t currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.

The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.
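To make the public/private split described above concrete, here is textbook RSA with toy-sized primes. This is an added example, not code from the article or from Kaspersky Lab, and it uses the classic small parameters p=61, q=53, e=17 so that every step is visible; real keys are 1024 bits or larger and use padding. The last function shows why the key size is the whole story: with a toy modulus, anyone can rebuild the private key from the public one by trial division, but at 1024 bits that search is hopeless, which is exactly the situation the analysts describe.

```python
# Added example, not from the article or Kaspersky Lab: textbook RSA with
# toy-sized primes, to show the public/private key split the post describes.
# Real deployments use 1024-bit (today, 2048-bit or larger) moduli and OAEP
# padding; the toy numbers here are only to make every step visible.

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Return x with (a * x) % m == 1; raises if a and m are not coprime."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def keygen(p, q, e=17):
    """Build the (public, private) key pair from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)

def encrypt(m, public_key):
    """Anyone holding the public key can do this; only integers 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(c, private_key):
    """Only the private-key holder can invert the encryption."""
    n, d = private_key
    return pow(c, d, n)

def recover_private_key(public_key):
    """Rebuild d from the public key by factoring n with trial division.
    Succeeds instantly for a toy modulus; for a 1024-bit n the loop would
    need on the order of 2**512 steps, which is why the key size matters."""
    n, e = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return (n, modinv(e, (p - 1) * (q - 1)))
    raise ValueError("n is prime or too small to factor this way")

if __name__ == "__main__":
    public, private = keygen(61, 53)            # n = 3233, d = 2753
    c = encrypt(65, public)                     # 65**17 mod 3233 == 2790
    print("ciphertext:      ", c)
    print("with private key:", decrypt(c, private))        # 65
    print("with a wrong key:", decrypt(c, (3233, 1234)))   # not 65
    print("toy n factored:  ", recover_private_key(public) == private)
```

Decrypting with any key other than the matching private one returns an unrelated number, which is the victim's position: the public key embedded in the malware is useless for recovery.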

After Gpcode encrypts files on the victim machine, it adds ._CRYPT to the extension of the encrypted files and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a “decryptor”:
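The two on-disk indicators just described, the `._CRYPT` suffix appended to each encrypted file and the `!_READ_ME_!.txt` note dropped alongside, are what a responder would sweep a suspect machine for. The following is an added example, not code from the article or from Kaspersky Lab; the directory layout it scans is constructed inside the script so it runs offline, and the file names in that sample are made up.

```python
# Added example, not from the article or Kaspersky Lab: a responder's sweep for
# the two on-disk indicators the post describes, the "._CRYPT" suffix appended
# to encrypted files and the "!_READ_ME_!.txt" note dropped beside them.
# The sample directory tree is constructed here so the script runs offline.
import os
import tempfile
from collections import Counter

CRYPT_SUFFIX = "._CRYPT"
NOTE_NAME = "!_READ_ME_!.txt"

def scan_for_gpcode_indicators(root):
    """Walk root and report encrypted-looking files, ransom notes, and a
    per-directory count so the most affected folders surface first."""
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(CRYPT_SUFFIX):
                # the original file name is everything before the appended suffix
                encrypted.append((path, name[:-len(CRYPT_SUFFIX)]))
            elif name == NOTE_NAME:
                notes.append(path)
    per_dir = Counter(os.path.dirname(p) for p, _ in encrypted)
    return {"encrypted": encrypted, "notes": notes, "per_dir": per_dir}

def build_sample_tree():
    """Constructed sample (not real malware output): two hit folders, one clean."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    layout = {
        "docs": ["report.doc._CRYPT", "budget.xls._CRYPT", NOTE_NAME],
        "photos": ["holiday.jpg._CRYPT", NOTE_NAME],
        "clean": ["notes.txt", "readme.md"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("demo content\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_for_gpcode_indicators(root)
    print(f"{len(result['encrypted'])} encrypted files, "
          f"{len(result['notes'])} ransom notes under {root}")
    for directory, count in result["per_dir"].most_common():
        print(f"  {count:3d}  {directory}")
```

The per-directory tally is the useful output in practice: it tells you which folders the malware reached, and therefore which backups to restore, since the files themselves cannot be recovered from the ciphertext.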

«Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at: ********@yahoo.com»

There are three Yahoo e-mail addresses associated with the new version of the ransomware.

For more on this story, see Slashdot, Network World and Viruslist.com. Here's background on the earlier version of GPcode.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


