Tag Archives: Gpcode

Hard Drive Kidnapping – GpCode Ransomware On The Attack Again!

imageWhen we think of kidnapping, extortion, or blackmail, I think it’s safe to say, not many of us would consider our computer files being a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a particular vicious form of malware – malware that encrypts the victim’s files, and then demands a monetary ransom to decrypt those kidnapped files.

Once again the Ransomware Trojan Gpcode, first encountered some years back by Kaspersky Lab, is on the loose. This is the fourth release of GpCode that we’ve covered here in the last few years, and as expected, this version continues to use RSA-1024 and AES-256 encryption.

As opposed to past variants though, this time around GpCode doesn’t delete files after encryption. Instead, to make it more difficult for a victim to recover from the attack – files are overwritten.

Once GpCode has finished its nasty work, the victim is presented with the following Desktop message.

Followed by a ransom note via Notepad, which is launched automatically by GpCode. The ransom note demands payment of a $120 fee.

image

Preliminary indications are; the attack vector is a malicious PDF which when opened, downloads and installs, the ransomware.

Vitaly Kamluk over at Kaspersky Lab’s Securelist site, offers the following advice – “If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution.

It is safe to shutdown the computer or restart it despite claims by the malware writer that files are deleted after N days – we haven’t seen any evidence of time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by computer restart”.

Reduce the possibilities of infection by this and other malware, by taking the following precautions:

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data. If you are infected this may be your only solution

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

Don’t store critical data on the system partition

Let me reemphasize – Make regular backups of critical data. If you become infected, this may be your only recovery option.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Advertisements

3 Comments

Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Safety, internet scams, Internet Security Alerts, Malware Advisories, Ransomware, Windows Tips and Tools

Gpcode Trojan Ransomeware Kidnapping Again!

Have you ever considered your computer files as a victim of kidnapping, extortion, or blackmail? Hard to believe; right? Well believe it! Ransomware is a vicious form of malware, taking into account that it encrypts the victim’s files, after which the cyber-criminal demands a monetary ransom to decrypt the kidnapped files.

Trend Micro Advanced Threats Researcher, Ivan Macalintal, recently reported that Gpcode ransomware is loose on the Internet once again. Regular readers of this Blog will remember two previous articles in which this virulent malware was discussed.

First encountered two years ago by Kaspersky Lab, Gpcode has undergone several incarnations, with this latest version being identified by Trend Micro as TROJ_RANDSOM.A

Reportedly, Gpcode is now using a 1,024 bit encryption key, as opposed to 660 bits in an early variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password.

According to Trend Micro TROJ_RANDSOM.A:

Can be downloaded from remote site(s) by other malware

May be dropped by other malware

May be downloaded unknowingly by a user when visiting malicious Web site(s)

(Fake error message upon malware execution. Courtesty Trend Micro)

As with previous versions of this malware, after installation, the victim is informed that the computer’s files have been encrypted and a decrypting tool must be purchased, for US $307, from the cyber-criminal, in order to decrypt the affected files. Email addresses are included in order to facilitate this fraudulent purchase.

Affected systems: Windows 98, ME, NT, 2000, XP, and Server 2003.

(Process illustration courtesty of Trend Micro)

If you should become infected by this Trojan your best course of action, assuming your installed malware scanners cannot remove the infection, is to take advantage of the multiple online scanners offered by the major anti-malware software developers.

For a review and list of online malware scanners please read “Free Online Spyware/Virus Scanners – Multiply Your Protection”, on this site.

References: Trend Micro

While it has been established how Gpcode infects the victim’s machine with the Trojan, none-the-less, the following precautions are critical to the security of your system.

Most importantly – make regular backups of critical data. If you are infected this may be your only solution

Don’t store critical data on the system partition

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable scripting features in email programs

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

2 Comments

Filed under Don't Get Hacked, Freeware, Interconnectivity, Internet Safety, internet scams, Malware Advisories, Online Safety, Online Spyware/Virus Scanners, System Security, trojans, Viruses, Windows Tips and Tools

Kidnapped! – Gpcode Ransomware – Deja Vue All Over Again

When we think of kidnapping, extortion or blackmail, I think it’s safe to say, not many of us would consider our computer files as a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a vicious form of malware, considering that it encrypts the victim’s files, and then demands a monetary ransom to decrypt the kidnapped files.

Once again the Ransomware Trojan, Gpcode/PGPCoder is on the loose. First encountered two years ago by Kaspersky Lab, this updated version of Gpcode/PGPCoder has returned, but in a much more advanced form.

Gpcode/PGPCoder is now using a 1,024 bit encryption key, as opposed to 660 bits in its last variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password. Following the encryption of the target files the virus self destructs in order to evade detection.

More than 80 file-types on the PC including doc, txt, pdf, xls, jpg, png, htm, pst, xml, zip, and rar, are targeted for encryption, then the original files are deleted from the disk and replaced by an encrypted copy.

An attempt to open an encrypted file on an infected machine will produce a message similar to the following.

Hello, your files are encrypted with RSA-4096 algorithm.

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: – – – –

It has not yet been determined how Gpcode/PGPCoder infects the victim’s machine with the Trojan, so the following precautions are critical to the security of your system.

  • Don’t open unknown email attachments
  • Don’t run programs of unknown origin
  • Disable hidden filename extensions
  • Keep all applications (including your operating system) patched
  • Turn off your computer or disconnect from the network when not in use
  • Disable Java, JavaScript, and ActiveX if possible
  • Disable scripting features in email programs
  • Make regular backups of critical data. If you are infected this may be your only solution
  • Make a boot disk in case your computer is damaged or compromised
  • Turn off file and printer sharing on the computer
  • Install a personal firewall on the computer
  • Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
  • Ensure your anti-virus software scans all e-mail attachments
  • Don’t store critical data on the system partition

5 Comments

Filed under Email, Encryption, Interconnectivity, internet scams, Malware Advisories, System File Protection, System Security, Windows Tips and Tools

Online Extortion – Gpcode Ransomware Returns

When we think of kidnapping, extortion or blackmail, I think it’s safe to say, not many of us would consider our computer files as a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a particular vicious form of malware, considering that it encrypts the victim’s files, and then demands a monetary ransom to decrypt the kidnapped files.

Once again the Ransomware Trojan, Gpcode/PGPCoder is on the loose. First encountered two years ago by Kaspersky Lab, this updated version of Gpcode/PGPCoder has returned, but in a much more advanced form.

Gpcode/PGPCoder is now using a 1,024 bit encryption key, as opposed to 660 bits in its last variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password. Following the encryption of the target files the virus self destructs in order to evade detection.

More than 80 file-types on the PC including doc, txt, pdf, xls, jpg, png, htm, pst, xml, zip, and rar, are targeted for encryption, then the original files are deleted from the disk and replaced by an encrypted copy.

An attempt to open an encrypted file on an infected machine will produce a message similar to the following:

Hello, your files are encrypted with RSA-4096 algorithm.

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: – – – –

It has not yet been determined how Gpcode/PGPCoder infects the victim’s machine with the Trojan, so the following precautions are critical to the security of your system.

  • When surfing the web: Stop. Think. Click
  • Don’t open unknown email attachments
  • Don’t run programs of unknown origin
  • Disable hidden filename extensions
  • Keep all applications (including your operating system) patched
  • Turn off your computer or disconnect from the network when not in use
  • Disable Java, JavaScript, and ActiveX if possible
  • Disable scripting features in email programs
  • Make regular backups of critical data. If you are infected this may be your only solution.
  • Make a boot disk in case your computer is damaged or compromised
  • Turn off file and printer sharing on the computer.
  • Install a personal firewall on the computer.
  • Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
  • Ensure the anti-virus software scans all e-mail attachments

6 Comments

Filed under Encryption, Interconnectivity, Internet Safety, internet scams, Malware Advisories, Online Safety, Safe Surfing, Spyware - Adware Protection, System Security, Windows Tips and Tools