Ransom Trojan returns for new encryption attack
Small-scale but very unpleasant
The creators of the deeply unpleasant GPCode Trojan have released a new version of the malware that encrypts victims’ data files and tries to extort money for the unlock key.
The major innovation this time compared to a version from November 2010 is that the criminals demand a slightly higher fee of $125 for the key paid through the Ukash payment pre-paid card site instead of using direct money transfer.
GpCode.bn, as it has been named by Kaspersky Lab, also throws up the same unmissable text message in uncertain English that takes up most of the desktop of anyone contracting it via a drive-by web download.
Related Articles on Techworld
“All your personal files were encrypted with a strong algorythm RSA-1024 (sic),“ it reads. According to an analysis by GpCode experts at Kaspersky Lab, the criminals use their own RSA 1024 key to encrypt a separate AES 256 key used to scramble the files on a user’s PC after infection.
“Remember don’t try to tell someone about this message if you want to get your files back! Just do all we told!,” the message continues, really a ploy by the criminals to buy time before antivirus suites notice the programme. Sadly, ‘telling’ someone about GpCode would be fruitless anyway – the encryption is strong enough that the only way to recover files is to resort to backups.
As with the November version, the user can limit the file-scrambling damage caused by the malware by turning off their PC at the point they see the desktop message, before turning and booting from a recovery disk.
“Don't hesitate to turn off your PC or pull out the power cable if this is fastest!,” recommend Kaspersky researcher, Nicolas Brulez.
GpCode is a Trojan that just won’t go away and has re-emerged at longish intervals since first appearing in 2004. It could be a proof-of-concept Trojan if it weren’t for the fact that the malware proved its effectiveness long ago.
The malware seems to be designed to harvest modest amounts of money from a small number of victims in an attempt to stay below the radar of researchers. Because it is fairly easy to create a signature to detect GpCode once noticed, the malware creators need it to operate using a low profile for as long as possible.