Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Police 'find' author of notorious virus

Gpcode author still at large, however.

Article comments

The infamous GpCode 'ransomware' virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.

The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

Initially sceptical, the company was able to verify that the individual was the author of the latest GpCode attack - and probably earlier attacks in 2006 and 2007 - using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.

The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private 'master' key and must therefore be genuine.

Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact that GpCode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines.

Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.

To date, it is not clear what if any action the authorities plan to take.

For its part, Kaspersky Lab confirmed that it had been contact with a dozen victims from Russia, Hungary and Slovakia, at whose populations the program appears to have been primarily aimed. GpCode has since struck further afield, hitting a medical institution in Cuba and, unconfirmed rumours claim, government offices in the US.

Gpcode has appeared in a number of variants since 2006, each using ever-stronger encryption. The program's approach is direct and frightening. Once on a system, it sets about encrypting all data files it finds with any one of 143 file extension types, rendering them inaccessible. Victims are then told they can recover the files by paying a ransom to the author, reachable through a Yahoo email account.

The innovation of the latest GpCode attack was that it generated keys to the RC4 stream cipher using 1024-bit RSA, a much higher bit length than previous versions, which made it, to all practical intents and purposes, uncrackable.

Luckily, on this occasion, GpCode's author had made a number of more basic programming errors that allowed researchers to construct a method for recovering files. It turned out that while encrypting data, the original files had been 'deleted' using the Windows file system. This meant that although invisible to the operating system, the files were still on the disk and could be recovered using available tools.

One thing GpCode has made clear is that technology alone can't now defend against this type of malware. Once on an undefended PC, reversing its effects depends on having access to the private RSA key, and that means tracking down the author.

According to Kaspersky, stopping ransomware-based malware in the future will require more effective law enforcement, the use of forensic software analysis to tie suspects to their malevolent creations, and possibly building restrictions into the Windows cryptographic software libraries used to create Gpcode itself.

Despite its frightening reputation, ransomware is still, thankfully, a rare phenomenon. There are various theories as to why this is the case, ranging from the complexity of the software itself to the difficulty of setting up a reliable channel through which to accept 'ransom' payments from victims. Other, easier types of malware might just be more profitable to criminals.


More from Techworld

More relevant IT news


Adam said: Like so many have already posted just backup your files In response to the encrypt then vanish thing Why not just wipe the original file with 0s1s or noise If the aim was just destruction wiping is way more effective than encryption There is no profit hereStill a backup would be unaffected

Thomas J. said: It isnt fun to get infected but it is the cost of running MS Windows The blame rests largely on Microsoft for making installing random software simple for the average user- even automatic at times ActiveX is an old example but a good one A typical user should not be able to easily install random software that has not been verified by a third party agency The blame also lies largely on Microsoft for its bad default security configurations It is also responsible for many vulnerabilities in the wild and failure to provide timely fixes-and a means to easily apply and reverse these fixes as needed While GNULinux distributions have faults- for the most part they do have a white list of sorts and acceptable default security policies It isnt perfect system but a system typical users wont get into trouble using nearly as easily We need to stop thinking about security as passing laws and eliminating the bad guys That doesnt work in the real world

sylvie chen said: A more disturbing conclusion would be when a similar high encryption virus is used to encode the data and then self destruct No ransom just someone who hates electronics

James said: Hi John can you please quote Kasperskys statement regarding building restrictions into the Windows cryptographic software libraries that were used to create Gpcode What kind of restrictions were they referring to

Steve said: Whats wrong with backing up data This is no worse than a hard disk crash

Lars Friend said: Plus restricting the crypto library wont stop anybody because any fool can write their own implementation of any of several well-known cryptographic functions with just a little bit of programming know-how and a decent text book

martin d. said: Well If people just backed up their files a normal restore should solve the problem

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *