Friday, April 8, 2011

New reports of GPCode “Ransomware”

April 8, 2011 by Pjb1500

Executive summary: An automatic, up-to-date backup is your best protection against computer trouble. Next is up-to-date antivirus software. If you’re infected with GPCode and you don’t have a good backup you’re screwed.

One of my clients was infected with this virus this week. It apparently comes in through a PDF (Adobe Reader file) that looks authentic. I've read that it may come in looking like a message from UPS or FedEx; to be safe, please don't open any unknown PDFs. There is NO FIX for this virus yet. This is the third revision of this virus, known as GPCode or drive-by GPCode ransomware. As of March 28th, 2011, Kaspersky is calling this virus PGPCODER. As of April 1st, Kaspersky was adding this virus to its antivirus definitions.


A typical scenario:

You’re browsing the Internet, on web sites that never caused any trouble before. Then your hard drive starts working…and working…and working…and you see a message like this:

Attention!!! All your personal files (photo, documents, texts, databases, certificates, video) have been encrypted by a very strong cypher RSA-1024. The original files were deleted. You can check - just look for files in all folders. There is no possibility to decrypt these files without a special decrypt program!
Nobody can help you - even don’t try to find another method or tell anobody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 125$ via ukash/psc pre-paid cards. And remember, any harmful or bad words to our side will be reason for ignoring your message and nothing will be done.
For details you have to send your requests on this email (attach to message a full serial key shown below in this ‘ how to..’ file on desktop.

And your desktop background changes to this:
[Image: GPCode desktop message]

Uh-oh. When you see this screen the program is in the process of encrypting your files so that they can’t be read by normal means. Normally encryption is a good thing because it lets you (and only you) see the files. In this case the nasties give you no way of seeing or recovering your files.

Unlike many of the previous versions of these, the new GPCode virus will encrypt your files in-place, meaning that the old tricks we’d use to recover most of the data won’t work.

The instructions usually say to send $125 in prepaid cash cards.

  1. This is for real. If you’ve got this variant, the files on your system are encrypted and nearly impossible to decrypt.
  2. I have heard no reports of success by paying. Even if you DID try to pay, it would take several days for your payment to reach the nasty guys in Eastern Europe. I also suspect that they restore your files in parcels: you have to pay repeatedly to get the whole of your data recovered, if at all, though this is just speculation on my part based on the serial code they supply in their text message.
  3. As of now (April, 2011) there is no good method for recovering these files. Because the exact method of encryption used is unknown, it’s very, very difficult to plan a recovery. The encryption used is RSA-1024, which is notoriously difficult, if not practically impossible, to crack. Kaspersky engineers are currently working on a decryption program. I will update this blog as I learn more information about any solutions.

What to do?

  1. Back up your system.
  2. Run a modern, up-to-date antivirus.
  3. Quick shut-down. If you see the desktop background change to something like I’ve shown above, shut your computer down. Unplug it or press and hold the power button for five seconds. It will take the virus several minutes to find, process, and encrypt your files. You may lose a few things but you can save most of your information if you shut down immediately.
  4. General good habits. Don’t open e-mail from anyone you don’t know. Don’t open attachments, even from people you do know, unless you’re expecting them. Don’t go to web site links in e-mail. Keep Windows and Adobe Flash up to date. Avoid using Facebook Apps, and don’t click on anything that gets downloaded from Facebook.
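Added example, not from the original post: a small Python triage script for the aftermath of the quick shutdown in step 3. It separates files that are still plaintext from ones that look encrypted by first checking for a known file header and, failing that, measuring byte entropy; the file names, contents and the 7.5-bit threshold are constructed assumptions, and on a real machine you would run it against a read-only copy of the disk.

```python
import math
from collections import Counter

# Magic bytes for a few common document/image types (real signatures).
# A recognizable header is strong evidence the file was NOT encrypted in place.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/docx/xlsx",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random bytes (ciphertext), ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, threshold: float = 7.5) -> str:
    """'intact' if a known header is present or the bytes are low-entropy;
    'suspect' if there is no recognizable header and the bytes look like ciphertext.
    The header check comes first because JPEG/ZIP content is also high-entropy."""
    if any(data.startswith(magic) for magic in MAGIC):
        return "intact"
    return "suspect" if shannon_entropy(data) >= threshold else "intact"

def triage(files: dict) -> dict:
    """Map each filename to 'intact' or 'suspect'. On a real machine you would read
    the files from a read-only mount of the disk; here the contents are passed in."""
    return {name: classify(data) for name, data in files.items()}

# Constructed sample data standing in for files on an infected machine (not real samples).
SAMPLE_FILES = {
    "report.txt": b"Quarterly sales report. Revenue up, costs down. " * 8,
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)),  # high entropy, but keeps its header
    # no header and every byte value equally common: this is what an overwritten file looks like
    "notes.txt": bytes((i * 7 + 3) % 256 for i in range(1024)),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:8} {name}  entropy={shannon_entropy(SAMPLE_FILES[name]):.2f}")
```

Compressed or already-encrypted files without a header in the MAGIC table will also be flagged, so treat "suspect" as a hint for which files to restore from backup first, not as proof.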

Does your business need help avoiding such a tech disaster? Please contact us at 978-895-8436 or pjb1500@gettechwise.com
