Darknet – Hacking Tools, Hacker News & Cyber Security
Virus Variant Extorts You by Encrypting Your Files

June 10, 2008

Malware authors are getting sneaky again: in the latest turn of events they have started encrypting your files and holding them to ransom!

You have to pay up to get the ‘decryptor’ and regain access to your files. This is pretty dangerous, and cunning too. It’s not easily broken either: they are using RSA with a 1024-bit key!

Kaspersky Lab has found a new variant of Gpcode, a dangerous encryptor virus: Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions, including but not limited to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp and .h, using the RSA encryption algorithm with a 1024-bit key.

Kaspersky Lab succeeded in thwarting previous variants of Gpcode because its virus analysts were able to recover the private key after in-depth cryptographic analysis. To date their researchers have been able to recover keys of up to 660 bits, the result of a detailed analysis of the RSA implementation in the malware. It has been estimated that, had the encryption algorithm been implemented correctly, one PC with a 2.2 GHz processor would need around 30 years to crack a 660-bit key.

It’s pretty smart going after the files that users are most likely to value. I was surprised to see .cpp and .h in there, but I guess that, the malware being written by programmers, they would see those files as valuable too.

I wonder if Kaspersky will be able to bust open this 1024-bit private key; so far they haven’t and, honestly, I’m not hopeful.

At the time of writing, Kaspersky researchers are unable to decrypt files encrypted by Gpcode.ak, since the key is 1024 bits long and they have not yet found any errors in the implementation. Thus the only way to decrypt the encrypted files is with the private key, which only the author has.

After Gpcode.ak encrypts files on the victim’s machine it changes their extension to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In that text file the criminal tells the victim that their files have been encrypted and offers to sell them a decryptor.

So watch out (not that I need to tell you guys) and make sure your non-savvy friends understand the dangers of surfing carelessly and downloading nonsense without checking the source properly.

Having your important files end up in an encrypted container isn’t pretty. Yes, you could have some back-up system in place, but what’s the chance of you spotting the encrypted files before your backup runs? After that you are just backing up the encrypted files anyway.
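As an added example (not from the post, Kaspersky or Net Security), a small Python scan that uses the two indicators the post names, the ._CRYPT extension and the !_READ_ME_!.txt note, to gate a backup job so it does not archive ciphertext over good copies; the files it creates are constructed demo data.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the post: Gpcode.ak renames each encrypted file to
# <name>._CRYPT and drops a ransom note called !_READ_ME_!.txt alongside it.
ENCRYPTED_SUFFIX = "._CRYPT"
RANSOM_NOTE = "!_READ_ME_!.txt"


def scan_for_gpcode_indicators(root):
    """Walk `root` and return the encrypted files, ransom notes and
    directories touched, so a backup job can decide whether to run."""
    encrypted, notes, dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = str(Path(dirpath, name))
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                dirs.add(dirpath)
            elif name == RANSOM_NOTE:
                notes.append(path)
                dirs.add(dirpath)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "dirs": sorted(dirs)}


def backup_should_proceed(root):
    """Pre-backup gate: True only when neither indicator is present."""
    found = scan_for_gpcode_indicators(root)
    return not (found["encrypted"] or found["notes"])


def build_sample_tree():
    """Constructed demo data (not real victim files): one clean folder and
    one folder laid out the way the post describes an infected one."""
    root = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    (root / "clean").mkdir()
    (root / "clean" / "todo.txt").write_text("untouched plain text\n")
    hit = root / "docs"
    hit.mkdir()
    (hit / "report.doc._CRYPT").write_bytes(b"\x00placeholder ciphertext")
    (hit / "main.cpp._CRYPT").write_bytes(b"\x00placeholder ciphertext")
    (hit / RANSOM_NOTE).write_text("Your files have been encrypted.\n")
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    hits = scan_for_gpcode_indicators(demo)
    print(f"{len(hits['encrypted'])} encrypted, {len(hits['notes'])} notes; "
          f"backup may proceed: {backup_should_proceed(demo)}")
```

Run the gate against the backup source before each scheduled job and hold the previous snapshot when it returns False, which addresses the concern above that a backup running after infection only preserves ciphertext.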

Source: Net Security


Filed Under: Exploits/Vulnerabilities, Malware, Spammers & Scammers Tagged With: encryption, extortion, malware, scammers, Social Engineering, trojans, viruses


Comments

  1. Bogwitch says

    June 10, 2008 at 1:47 pm

    Kaspersky have asked for volunteers to assist in the decryption process, sort of Kaspersky@home.
    They have also asked for someone to code an application to do this, rather than develop one themselves. I’m not sure how I feel about that.

    WRT backups, if grandfather-father-son backups are taken, there should not be too much loss, especially if incremental backups are taken. Thankfully, the file extensions are being changed.

    There is much discussion on the Kaspersky forum as to whether file recovery will pull the files back. I will watch with anticipation – I suspect it will depend on several factors such as filesystem and free space.

  2. Navin says

    June 10, 2008 at 3:00 pm

    “Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited, to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key.”

    Does this mean that even C++ coded files will be “virologically” encrypted?? If yes then it’s absolutely brilliant!! But more details are needed on this encryption!!

  3. razta says

    June 10, 2008 at 7:30 pm

    How do you pay the virus author when your files have been encrypted?

    Paypal? Bank transfer? by post?

    The payment method should be traceable, shouldn’t it?

  4. the BMX guy says

    June 10, 2008 at 9:37 pm

    “Holy cow!” is the only thing that comes to my mind. But if they can steal your car and sell it back to you, what stops them stealing your data in the same fashion – but if it is software it can be hacked, even if it is malware. Wonder how many levels of this we’ll get: “hack a hacked program hack derived from a program hack”?

  5. Pantagruel says

    June 11, 2008 at 9:55 am

    @Navin
    Basically means getting a backup done on tamper proof media (cd/dvd/bd) pronto and be sure to keep your AV software up to date.

    @razta
    Several blogs/pages mention the extortion sum to be paid through an egold account. You’re advised to pay (for now) but also notify the tech. dept/customer service (be it egold, paypal, whatever) so they can track/trace the transaction and will be able to hunt down the villain old style.

    @the BMX guy
    There have been many variants of other men’s work in the field of computer virii. Have a look at some of the viral dev kits you can find/acquire, usually ancient stuff.
    This encryption virus is more advanced because it uses a stronger encryption than before, making a crack down too lengthy (30 years as DarkNet mentions) for any home user to perform (a nice option to speed things up might be this home-made Helmer cluster helmer.sfe.se ).

    The Kaspersky@home routine may backfire. What if the perp doesn’t have the private key used for encryption? It might just as well be someone else’s key he abuses. What if he is using a ‘root signing key’ or ‘certificate authority’ of some bank? This well-meant effort could amount to big trouble and substantial losses.

  6. Bogwitch says

    June 11, 2008 at 12:29 pm

    @Pantagruel,

    I like the way your mind works. Truly evil.

    I had not thought of the possibility of the perp using someone else’s public key for encryption, but that does mean that paying him for the key will result in no decryption until the key is exposed.

    That said, if a victim does pay, surely the victim would publish the decryption key themselves?

  7. Pantagruel says

    June 11, 2008 at 3:40 pm

    @Bogwitch

    LOL 3\/1L ;)

    I personally think the ‘what-if’ of someone else’s public key is pure theory. My best guess is that they will generate a fresh public key for each victim (or at least have some 100 to 500 which they will recycle), making exposure of a handful of keys not really harm their business model. Or they will simply ‘patch’ their encryption for a new set of keys if too much data is published.

    According to Dancho Danchev

    ddanchev.blogspot.com/2008/06/whos-behind-gpcode-ransomware.html

    the perps are Russian teens with pimples.

    @DarkNet, an ‘Edit’ option seems handy from time to time.

  8. Darknet says

    June 11, 2008 at 5:16 pm

    Obtjvgpu: Irel srj crbcyr unir vaperzragny naq ebyyvat qnvyl/zbaguyl/jrrxyl/vasvavgr onpxhcf – rira gubhtu fgbentr vf purnc rabhtu gb qb vg.

    Aniva: Lrf P++ pbqrf ner rapelcgrq!

    enmgn: Sebz jung V’ir urneq vg’f ol Jrfgrea Havba juvpu vf abg genprnoyr.

    Cnagntehry: V’yy ybbx vagb gur rqvgvat bcgvba, unir gubhtu nobhg vg orsber.

    Seeing as this post is about encryption, my above comment is encrypted for those of you l33t enough with ultra 1024-bit cryptanalysis skills.

  9. Pantagruel says

    June 11, 2008 at 6:25 pm

    LOL, easy

    *spoiler*

    pantagruel: i

  10. Navin says

    June 12, 2008 at 7:14 pm

    @ pantagruel

    You’re right… as discussed in the Kaspersky subforum, it is a unique key for each encrypted system. So if you got 2 computers infected, even if on the same network, you gotta pay 2X the ransom amount. Russian teens with pimples?? I don’t think so… Russian maybe… but teens who specialize in 1024-bit encryption/decryption?? They’re good… and now very rich I guess!! :)

  11. Bogwitch says

    June 13, 2008 at 12:26 pm

    I was wondering how a unique key could be issued to each computer, but now I see it has a pseudo-randomly generated portion that is included in the README. That’s pretty sly, but it means that, once the algorithm is properly analysed, there is only one root key to be discovered.

    @Darknet,
    It is my experience that most larger-than-average organisations will make suitable backups; however, your home users and SMEs are far less likely to do so despite, as you say, storage being so cheap.

  12. JaMeS says

    June 16, 2008 at 1:11 pm

    :O
    this is HARSH to say the least!
    kudos to the guy who thought of it though!
    but yeah, i hope i never get this …
    damn dodgy porn sites!!!
    :P

    JaMeS
    -CoD4-

  13. chevalier3as says

    June 16, 2008 at 8:43 pm

    If the key pass is generated randomly or based on the signature of the victim, I think that focusing on the way these keys are generated is easier than decrypting a 1042-bit RSA code, noting that (according to my last info) the American government uses a 512-bit RSA encryption!

    Reverse engineering a virus is not that easy either, especially if the attacker used techniques used by programming engineers to hide their code; hopefully the code would be smaller, so less demanding.
