When we think of kidnapping, extortion, or blackmail, I think it’s safe to say that not many of us would consider our computer files a likely victim. That is, unless we were already familiar with a particular form of malware known as ransomware.
Ransomware is a particularly vicious form of malware: it encrypts the victim’s files and then demands a monetary ransom to decrypt those kidnapped files.
Once again the ransomware Trojan GpCode, first encountered some years back by Kaspersky Lab, is on the loose. This is the fourth release of GpCode that we’ve covered here in the last few years, and, as expected, this version continues to use RSA-1024 and AES-256 encryption.
Unlike past variants, though, this time around GpCode doesn’t delete files after encryption. Instead, the files are overwritten, which makes it more difficult for a victim to recover from the attack.
Once GpCode has finished its nasty work, the victim is presented with a message on the Desktop, followed by a ransom note that GpCode opens automatically in Notepad. The ransom note demands payment of a $120 fee.
Preliminary indications are that the attack vector is a malicious PDF which, when opened, downloads and installs the ransomware.
Vitaly Kamluk, over at Kaspersky Lab’s Securelist site, offers the following advice: “If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution.
It is safe to shut down the computer or restart it despite claims by the malware writer that files are deleted after N days – we haven’t seen any evidence of a time-based file-deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by a computer restart.”
Reduce the possibility of infection by this and other malware by taking the following precautions:
Don’t open unknown email attachments
Don’t run programs of unknown origin
Disable hidden filename extensions
Keep all applications (including your operating system) patched
Turn off your computer or disconnect from the network when not in use
Disable scripting features in email programs
Make regular backups of critical data. If you are infected, this may be your only solution
Make a boot disk in case your computer is damaged or compromised
Turn off file and printer sharing on the computer
Install a personal firewall on the computer
Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
Ensure your anti-virus software scans all email attachments
Don’t store critical data on the system partition
Let me reemphasize – Make regular backups of critical data. If you become infected, this may be your only recovery option.
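To make that list concrete, here is a PowerShell script (an added example, not code from the original post or from Kaspersky Lab) that applies four of the precautions above on a current Windows client. It assumes Windows 8 or later (for the NetSecurity and NetAdapter modules), an elevated session, and a non-system backup drive mounted as Z:, which is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumes Windows 8 / Server 2012
# or later (NetSecurity and NetAdapter modules) and an elevated PowerShell session.

# "Disable hidden filename extensions": a downloader named invoice.pdf.exe must not
# be displayed as invoice.pdf. HideFileExt = 0 makes Explorer show extensions.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name 'HideFileExt' -Value 0 -Type DWord

# "Turn off file and printer sharing": unbind the SMB server component (ms_server)
# from every network adapter so the machine exposes no shares on the network.
Get-NetAdapter | Disable-NetAdapterBinding -ComponentID 'ms_server'

# "Install a personal firewall": the built-in Windows Firewall is enough if it is
# on for all three profiles and blocks unsolicited inbound connections by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# "Make regular backups of critical data" and "Don't store critical data on the
# system partition": mirror the Documents folder to a dated folder on a separate
# drive. Z: is a constructed placeholder for a non-system (ideally removable) drive.
$backupRoot = 'Z:\Backups'
if (Test-Path -Path $backupRoot) {
    $source      = Join-Path -Path $env:USERPROFILE -ChildPath 'Documents'
    $destination = Join-Path -Path $backupRoot -ChildPath (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
    # /E copies subfolders; /R:2 /W:5 keeps one locked file from stalling the run.
    robocopy $source $destination /E /R:2 /W:5 /LOG+:"$destination.log" | Out-Null
    # robocopy exit codes 0-7 mean success or partial success; 8 and above are failures.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "Backup to $destination reported errors (robocopy exit $LASTEXITCODE)."
    }
}

# Report the resulting state so the changes can be checked (and logged) afterwards.
[pscustomobject]@{
    ExtensionsVisible  = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced').HideFileExt -eq 0
    SmbServerBound     = [bool](Get-NetAdapterBinding -ComponentID 'ms_server' | Where-Object Enabled)
    FirewallProfiles   = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
    BackupDrivePresent = Test-Path -Path $backupRoot
}
```

The backup section only runs when the Z: drive is present, so it can be scheduled daily with Task Scheduler and will simply skip when the external drive is unplugged.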