10 June 2008 | 12,720 views

Virus Variant Extorts You by Encrypting Your Files

Prevent Network Security Leaks with Acunetix

Malware authors are getting sneaky again, in the latest turn of events they have started encrypting your files and holding them at ransom!

You have to pay up to get the ‘decryptor’ and get access to your files again. This is pretty dangerous…and cunning too. It’s not easily broken either, they are using RSA 1024-bit encryption!

Kaspersky Lab found a new variant of Gpcode, a dangerous encryptor virus has appeared, – Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited, to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key.

Kaspersky Lab succeeded in thwarting previous variants of Gpcode when Kaspersky virus analysts were able to crack the private key after in-depth cryptographic analysis. Their researchers have to date been able to crack keys up to 660 bits. This was the result of a detailed analysis of the RSA algorithm implementation. It has been estimated that if the encryption algorithm is implemented correctly, it would take 1 PC with a 2.2 Ghz processor around 30 years to crack a 660-bit key.

It’s pretty smart going after the files that users are most likely to value, I was surprised to see .cpp and .h in there, but I guess the malware being written by programmers they would see those files as valuable too.

I wonder if Kasperky will be able to bust open this 1024-bit private key, so far they haven’t and honestly – I’m not hopeful.

At the time of writing, Kaspersky researchers are unable to decrypt files encrypted by Gpcode.ak since the key is 1024 bits long and they have not found any errors in implementation yet. Thus, at the time of writing, the only way to decrypt the encrypted files is to use the private key which only the author has.

After Gpcode.ak encrypts files on the victim machine it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.

So watch out (not that I need to tell you guys) and make sure your non-savvy friends understand the dangers of surfing carelessly and downloading nonsense without checking the source properly.

Having your important files end up in an encrypted container isn’t pretty…yes you could have some back-up system in place, but what’s the chance of you spotting the files before your backup runs? After that you are just backing up the encrypted files anyway..

Source: Net Security



Recent in Exploits/Vulnerabilities:
- Microsoft Schannel Vulnerabilty – Patch It NOW
- Serious Linux/UNIX FTP Flaw Allows Command Execution
- Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

Related Posts:
- Bot Herders Go After MS06-40 Exploit
- the Art of Virology 02h
- the Art of Virology 03h

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 228,153 views
- AJAX: Is your application secure enough? - 119,185 views
- eEye Launches 0-Day Exploit Tracker - 85,082 views

Advertise on Darknet

13 Responses to “Virus Variant Extorts You by Encrypting Your Files”

  1. Bogwitch 10 June 2008 at 1:47 pm Permalink

    Kaspersky have asked for volunteers to assist in the decryption process, sort of Kaspersky@home.
    They have also asked for someone to code an application to do this. rather than develop one themselves. I’m not sure how I feel about that.

    WRT backups, if grandfather, father, son backups are taken, there should not be too much loss, especially if incremental backups are taken. Thanksfully, the file extensions are being changed.

    There is much discussion on the Kaspery forum as to whether file recovery will pull the files back, I will watch with anticipation – I suspect it will depend on several factors such as filesystem and free space.

  2. Navin 10 June 2008 at 3:00 pm Permalink

    “Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited, to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key.”

    Does this mean tht even C++ coded files will be “virologically” encrypted?? If yes then its absolutely brilliant!! But more details are needed on this encryption!!

  3. razta 10 June 2008 at 7:30 pm Permalink

    How do you pay the virus author when your files have been encrypted?

    Paypal? Bank transfer? by post?

    The payment method should be traceable, wouldn’t it?

  4. the BMX guy 10 June 2008 at 9:37 pm Permalink

    “Holy cow!” is the only thing that comes to my mind. But if they can steal your car and sell it back to you what stops them to steal your data in the same fashion – but if it is software it can be hacked, even if it is malware. Wonder how many levels of this we’ll get “hack a hacked program hack derived from a program hack”?

  5. Pantagruel 11 June 2008 at 9:55 am Permalink

    @Navin
    Basically means getting a backup done on tamper proof media (cd/dvd/bd) pronto and be sure to keep your AV software up to date.

    @razta
    Several blogs/pages mention the extortion sum to be payed through an egold account. You’re advised to pay (for now) but also notify the tech. dept/customers service (be it egold,paypal,whatever) so they can track/trace the transaction and will be able to hunt down the villain old style.

    @the BMX guy
    There have been many variant of other mans work in the field of computer virii. Have a look at some of the viral dev kits you can find/acquire, usually ancient stuf
    This encryption virus is more advanced because it uses a stronger encryption than before, making a crack down too lengthy (30 year as DarkNet mentions) for any home user to perform (a nice option to speed things up might be this home made Helmer cluster helmer.sfe.se )

    The Kaspersky@home routine may back fire. What if the purp doesn’t have the private key used for encryption? It might just as well be someone else’s key he abuses. What if he is using a
    ‘ root signing key’, ‘certificate authority’ of some bank. This well meant effort could amount to big trouble and substantial losses.

  6. Bogwitch 11 June 2008 at 12:29 pm Permalink

    @Pantagruel,

    I like the way your mind works. Truly evil.

    I had not thought of the possibility of the perp using someone elses public key for encryption but that does mean that paying him for the key will result in no decryption until the key is exposed.

    That said, if a victim does pay, surely the victim would publish the decrytion key themselves?

  7. Pantagruel 11 June 2008 at 3:40 pm Permalink

    @Bogwitch

    LOL 3\/1L ;)

    I personally think the ‘what-if’ of someone else’s public key is pure theory. My best guess is that they will generate a fresh public key for each victim (or at least have some 100 to 500 which they will recycle) making exposure of a hand full of keys not really harm their business model. Or they will simply ‘patch’ their encryption for a new set of key’s if too much data is published.

    According to Dancho Danchev

    ddanchev.blogspot.com/2008/06/whos-behind-gpcode-ransomware.html

    the perp’s are Russian teens with pimples.

    @DarkNet, an ‘Edit’ option seems handy from time to time.

  8. Darknet 11 June 2008 at 5:16 pm Permalink

    Obtjvgpu: Irel srj crbcyr unir vaperzragny naq ebyyvat qnvyl/zbaguyl/jrrxyl/vasvavgr onpxhcf – rira gubhtu fgbentr vf purnc rabhtu gb qb vg.

    Aniva: Lrf P++ pbqrf ner rapelcgrq!

    enmgn: Sebz jung V’ir urneq vg’f ol Jrfgrea Havba juvpu vf abg genprnoyr.

    Cnagntehry: V’yy ybbx vagb gur rqvgvat bcgvba, unir gubhtu nobhg vg orsber.

    Seen as though this post is about encryption my above comment is encrypted for those of you l33t enough with ultra 1024 bit cryptanalysis skills

  9. Pantagruel 11 June 2008 at 6:25 pm Permalink

    LOL, easy

    *spoiler*

    pantagruel: i

  10. Navin 12 June 2008 at 7:14 pm Permalink

    @ pantagruel

    U’re right… as discussed in the kaspersky subforum, it is a unique key for each encrypted system.So if u got 2 computers infected, even if in the same network, you gotta pay 2X ransom amount. Russian teens with pimples?? I don’t think so…Russian maybe..but teens who specialize in 1024-bit encryption/decryption?? they’re Good……and now very rich I guess!! :)

  11. Bogwitch 13 June 2008 at 12:26 pm Permalink

    I was wondering how a unique key could be issued to each computer, but now I see it has a pseudo-randomly generated portion that is included in the README. That’s pretty sly, but it means that, once the algorithm is properly analysed, there is only one root key to be discovered.

    @Darknet,
    It is my experience that most larger-than-average organisations will make suitable backups however, your home users and SMEs are far less likely to do so despite, as you say, storage being so cheap.

  12. JaMeS 16 June 2008 at 1:11 pm Permalink

    :O
    this is HARSH to say the least!
    kudos to the guy who thought of it though!
    but yeah, i hope i never get this …
    dam dodgey porn sites!!!
    :P

    JaMeS
    -CoD4-

  13. chevalier3as 16 June 2008 at 8:43 pm Permalink

    If the key pass is generated randomly or based on the signature of the victim, I think that focusing on the way these keys are generated is easier than decrypting a 1042 bit RSA code, noting that ( according to my last info) the American government uses a 512 bit RSA encryption!

    Reverse engineering virus is not that easy either, especially if the attacker used techniques used by programming engineers to hide their code, hopefully the code would be smaller so less demanding.