When we think of kidnapping, extortion or blackmail, I think it’s safe to say, not many of us would consider our computer files as a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.
Ransomware is a particular vicious form of malware, considering that it encrypts the victim’s files, and then demands a monetary ransom to decrypt the kidnapped files.
Once again the Ransomware Trojan, Gpcode/PGPCoder is on the loose. First encountered two years ago by Kaspersky Lab, this updated version of Gpcode/PGPCoder has returned, but in a much more advanced form.
Gpcode/PGPCoder is now using a 1,024 bit encryption key, as opposed to 660 bits in its last variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password. Following the encryption of the target files the virus self destructs in order to evade detection.
More than 80 file-types on the PC including doc, txt, pdf, xls, jpg, png, htm, pst, xml, zip, and rar, are targeted for encryption, then the original files are deleted from the disk and replaced by an encrypted copy.
An attempt to open an encrypted file on an infected machine will produce a message similar to the following:
Hello, your files are encrypted with RSA-4096 algorithm.
You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: – – – –
It has not yet been determined how Gpcode/PGPCoder infects the victim’s machine with the Trojan, so the following precautions are critical to the security of your system.
- When surfing the web: Stop. Think. Click
- Don’t open unknown email attachments
- Don’t run programs of unknown origin
- Disable hidden filename extensions
- Keep all applications (including your operating system) patched
- Turn off your computer or disconnect from the network when not in use
- Disable Java, JavaScript, and ActiveX if possible
- Disable scripting features in email programs
- Make regular backups of critical data. If you are infected this may be your only solution.
- Make a boot disk in case your computer is damaged or compromised
- Turn off file and printer sharing on the computer.
- Install a personal firewall on the computer.
- Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
- Ensure the anti-virus software scans all e-mail attachments
Bill Mullins' Weblog - Tech Thoughts 
Pingback: » Online Extortion - Gpcode Ransomware Returns
Pingback: wi fi n encryption
I have warned my readers about ransomware, and am glad to see that once again Mr. Mullins is giving his audience a heads up.
This form of attack is simply vile, and this type of cyber-criminal deserves a special brand of International justice.
Can it be that we will soon simply turn off the Internet because it is too dangerous?
Because we don’t know the attack vector, and because paying these creeps is not the right thing to do– the only real solution is to simply copy back your files from your backup copy.
You do have a backup copy stored on a disc.. right?
I think kaspersky is trying to run a seti like project to crack the ciphers
Pingback: am lab
Pingback: Your hard drive held hostage– Ransomware* « Tech–for Everyone