Hard Drive Kidnapping – GpCode Ransomware On The Attack Again!

imageWhen we think of kidnapping, extortion, or blackmail, I think it’s safe to say, not many of us would consider our computer files being a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a particular vicious form of malware – malware that encrypts the victim’s files, and then demands a monetary ransom to decrypt those kidnapped files.

Once again the Ransomware Trojan Gpcode, first encountered some years back by Kaspersky Lab, is on the loose. This is the fourth release of GpCode that we’ve covered here in the last few years, and as expected, this version continues to use RSA-1024 and AES-256 encryption.

As opposed to past variants though, this time around GpCode doesn’t delete files after encryption. Instead, to make it more difficult for a victim to recover from the attack – files are overwritten.

Once GpCode has finished its nasty work, the victim is presented with the following Desktop message.

Followed by a ransom note via Notepad, which is launched automatically by GpCode. The ransom note demands payment of a $120 fee.


Preliminary indications are; the attack vector is a malicious PDF which when opened, downloads and installs, the ransomware.

Vitaly Kamluk over at Kaspersky Lab’s Securelist site, offers the following advice – “If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution.

It is safe to shutdown the computer or restart it despite claims by the malware writer that files are deleted after N days – we haven’t seen any evidence of time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by computer restart”.

Reduce the possibilities of infection by this and other malware, by taking the following precautions:

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data. If you are infected this may be your only solution

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

Don’t store critical data on the system partition

Let me reemphasize – Make regular backups of critical data. If you become infected, this may be your only recovery option.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Safety, internet scams, Internet Security Alerts, Malware Advisories, Ransomware, Windows Tips and Tools

3 responses to “Hard Drive Kidnapping – GpCode Ransomware On The Attack Again!

  1. Pingback: Tweets that mention Hard Drive Kidnapping – GpCode Ransomware On The Attack Again! | Bill Mullins' Weblog – Tech Thoughts -- Topsy.com

  2. Ranjan

    Another ridiculous tactic by those crooks… I remember i also saw another variant of ransomware which overwrites your mbr and encrypts file and require either a password or hefty payment to restore the original mbr.
    Another good reason as why to adopt the habit of making regular backups…