August 13th, 2008
New Gpcode (encryption) ransomware speading via botnet
There are confirmed reports on a new version of the Gpcode ransomware being spread via a botnet.
According to Vitaly Kamluk of Kaspersky Lab (my employer), the Trojan encrypts files on an infected machine (AES-256) and leaves a text file named crypted.txt with a ransom note demanding $10 to decrypt the files. It also changes the desktop wallpaper with a skull/crossbones image that contains a URL, an ICQ number and an e-mail address to contact the author.
[ SEE: Blackmail ransomware returns with 1024-bit encryption key ]
Kamluk provided a Russian-to-English translation of the text in the crypted.txt file but notes that the encryption claims are unconfirmed at this time.
We’re are analyzing the encryption algorithm in search of ways to crack the encryption and restore files. In the meantime, if you’ve been attacked by this latest Gpcode variant, try we suggest that victims attempt to restore their files using the methods described here to restore your files. We already have confirmed reports from victims have reported that this method does partially restore encrypted files.
Earlier this year, a variant of the Gpcode ransomeware was using the RSA encryption algorithm(1024-bit key), making it impossible to crack without the author’s key.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
