Virus Variant Extorts You by Encrypting Your Files

Malware authors are getting sneaky again; in the latest turn of events they have started encrypting your files and holding them to ransom!

You have to pay up to get the ‘decryptor’ and regain access to your files. This is pretty dangerous, and cunning too. It is not easily broken either: the files are encrypted under a 1024-bit RSA key.

Kaspersky Lab has found a new variant of Gpcode, a dangerous file-encrypting virus: Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited to, .doc, .txt, .pdf, .xls, .jpg, .png, .cpp and .h, using the RSA algorithm with a 1024-bit key.

Kaspersky Lab succeeded in thwarting previous variants of Gpcode because its virus analysts were able to recover the private key after in-depth cryptographic analysis. To date their researchers have cracked keys of up to 660 bits, and that was the result of a detailed analysis of how the malware implemented RSA, not of a weakness in RSA itself. It has been estimated that if the algorithm were implemented correctly, a single PC with a 2.2 GHz processor would need around 30 years to crack a 660-bit key.

It’s pretty smart to go after the files users are most likely to value. I was surprised to see .cpp and .h in there, but I guess that with the malware being written by programmers, they would see those files as valuable too.

I wonder whether Kaspersky will be able to bust open this 1024-bit private key; so far they haven’t, and honestly, I’m not hopeful.

At the time of writing, Kaspersky researchers are unable to decrypt files encrypted by Gpcode.ak: the key is 1024 bits long and they have not yet found any errors in the implementation. Thus, for now, the only way to decrypt the encrypted files is with the private key, which only the author has.

After Gpcode.ak encrypts files on the victim machine it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victim that the files have been encrypted and offers to sell them a decryptor.

So watch out (not that I need to tell you guys) and make sure your non-savvy friends understand the dangers of surfing carelessly and downloading nonsense without checking the source properly.

Having your important files locked up under someone else’s key isn’t pretty. Yes, you could have a backup system in place, but what is the chance of you spotting the encrypted files before your backup runs? After that you are just backing up the encrypted files anyway, and unless your backups keep older versions, the last good copy gets overwritten too.
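The two artifacts described above (the ._CRYPT extension and the !_READ_ME_!.txt note in each affected folder) are enough to build a simple indicator scan, and that same scan can gate a backup job so it refuses to run over a tree that already contains ciphertext. The following Python is an added example written for this page, not code from the article or from Kaspersky; it builds a constructed temporary directory that mimics the post-infection layout, matches on a trailing "._CRYPT" (which covers both an appended and a replaced extension, an assumption since the article does not say which), and only recovers names, never contents.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: Gpcode.ak renames encrypted files to
# ._CRYPT and drops !_READ_ME_!.txt in each folder it touches. Matching on a
# trailing "._CRYPT" is an assumption that covers both an appended and a
# replaced extension.
ENCRYPTED_SUFFIX = "._CRYPT"
RANSOM_NOTE = "!_READ_ME_!.txt"


def scan_for_gpcode(root):
    """Walk `root` and collect Gpcode.ak artifacts.

    Returns a dict with sorted lists of encrypted file paths, ransom-note
    paths and the directories in which either was found.
    """
    encrypted, notes, dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                dirs.add(Path(dirpath))
            elif name == RANSOM_NOTE:
                notes.append(path)
                dirs.add(Path(dirpath))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "dirs": sorted(dirs),
    }


def original_name(encrypted_path):
    """Strip the ._CRYPT marker: report.doc._CRYPT -> report.doc.

    Only the name is recovered; the contents remain ciphertext.
    """
    text = str(encrypted_path)
    if text.endswith(ENCRYPTED_SUFFIX):
        return text[: -len(ENCRYPTED_SUFFIX)]
    return text


def backup_is_safe(root):
    """Gate for a backup job: refuse to run if any indicator is present,
    so the ransomware's ciphertext does not overwrite the last good copy."""
    found = scan_for_gpcode(root)
    return not (found["encrypted"] or found["notes"])


def build_sample_tree(infected=True):
    """Constructed demo tree in a temp dir (not real victim data).

    With infected=True it mimics the post-infection layout from the article;
    with infected=False it contains only untouched files.
    """
    base = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    (base / "docs").mkdir()
    (base / "src").mkdir()
    (base / "src" / "main.cpp").write_text("int main() { return 0; }\n")
    (base / "notes.txt").write_text("untouched\n")
    if infected:
        (base / "docs" / "report.doc._CRYPT").write_bytes(b"\x00" * 16)
        (base / "docs" / RANSOM_NOTE).write_text("Your files are encrypted.\n")
        (base / "src" / "util.h._CRYPT").write_bytes(b"\x00" * 16)
        (base / "src" / RANSOM_NOTE).write_text("Your files are encrypted.\n")
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    result = scan_for_gpcode(tree)
    for p in result["encrypted"]:
        print(f"encrypted: {p}  (was {Path(original_name(p)).name})")
    for p in result["notes"]:
        print(f"ransom note: {p}")
    print("affected directories:", [str(d.relative_to(tree)) for d in result["dirs"]])
    print("safe to back up:", backup_is_safe(tree))
```

Run it before, not after, a scheduled backup: a refusal is cheap, while a rotated-out clean copy is gone for good. On a real machine point `scan_for_gpcode` at the user's data directories rather than the demo tree.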

Source: Net Security

Posted in: Exploits/Vulnerabilities, Malware, Spammers & Scammers


13 Responses to Virus Variant Extorts You by Encrypting Your Files

  1. Bogwitch June 10, 2008 at 1:47 pm #

    Kaspersky have asked for volunteers to assist in the decryption process, sort of Kaspersky@home.
    They have also asked for someone to code an application to do this, rather than develop one themselves. I’m not sure how I feel about that.

    WRT backups, if grandfather, father, son backups are taken, there should not be too much loss, especially if incremental backups are taken. Thankfully, the file extensions are being changed.

    There is much discussion on the Kaspersky forum as to whether file recovery will pull the files back. I will watch with anticipation – I suspect it will depend on several factors such as filesystem and free space.

  2. Navin June 10, 2008 at 3:00 pm #

    “Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited, to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key.”

    Does this mean that even C++ coded files will be “virologically” encrypted?? If yes then it’s absolutely brilliant!! But more details are needed on this encryption!!

  3. razta June 10, 2008 at 7:30 pm #

    How do you pay the virus author when your files have been encrypted?

    Paypal? Bank transfer? by post?

    The payment method should be traceable, wouldn’t it?

  4. the BMX guy June 10, 2008 at 9:37 pm #

    “Holy cow!” is the only thing that comes to my mind. But if they can steal your car and sell it back to you, what stops them from stealing your data in the same fashion – but if it is software it can be hacked, even if it is malware. Wonder how many levels of this we’ll get: “hack a hacked program hack derived from a program hack”?

  5. Pantagruel June 11, 2008 at 9:55 am #

    Basically means getting a backup done on tamper proof media (cd/dvd/bd) pronto and be sure to keep your AV software up to date.

    Several blogs/pages mention the extortion sum is to be paid through an egold account. You’re advised to pay (for now) but also notify the tech. dept/customer service (be it egold, paypal, whatever) so they can track/trace the transaction and will be able to hunt down the villain old style.

    @the BMX guy
    There have been many variants of other men’s work in the field of computer virii. Have a look at some of the viral dev kits you can find/acquire, usually ancient stuff.
    This encryption virus is more advanced because it uses a stronger encryption than before, making a crack too lengthy (30 years as DarkNet mentions) for any home user to perform (a nice option to speed things up might be this home made Helmer cluster).

    The Kaspersky@home routine may backfire. What if the perp doesn’t have the private key used for encryption? It might just as well be someone else’s key he abuses. What if he is using a ‘root signing key’ or ‘certificate authority’ of some bank? This well meant effort could amount to big trouble and substantial losses.

  6. Bogwitch June 11, 2008 at 12:29 pm #


    I like the way your mind works. Truly evil.

    I had not thought of the possibility of the perp using someone else’s public key for encryption, but that does mean that paying him for the key will result in no decryption until the key is exposed.

    That said, if a victim does pay, surely the victim would publish the decryption key themselves?

  7. Pantagruel June 11, 2008 at 3:40 pm #


    LOL 3\/1L ;)

    I personally think the ‘what-if’ of someone else’s public key is pure theory. My best guess is that they will generate a fresh public key for each victim (or at least have some 100 to 500 which they will recycle), making exposure of a handful of keys not really harm their business model. Or they will simply ‘patch’ their encryption for a new set of keys if too much data is published.

    According to Dancho Danchev, the perps are Russian teens with pimples.

    @DarkNet, an ‘Edit’ option seems handy from time to time.

  8. Darknet June 11, 2008 at 5:16 pm #

    Obtjvgpu: Irel srj crbcyr unir vaperzragny naq ebyyvat qnvyl/zbaguyl/jrrxyl/vasvavgr onpxhcf – rira gubhtu fgbentr vf purnc rabhtu gb qb vg.

    Aniva: Lrf P++ pbqrf ner rapelcgrq!

    enmgn: Sebz jung V’ir urneq vg’f ol Jrfgrea Havba juvpu vf abg genprnoyr.

    Cnagntehry: V’yy ybbx vagb gur rqvgvat bcgvba, unir gubhtu nobhg vg orsber.

    Seeing as this post is about encryption, my above comment is encrypted for those of you l33t enough with ultra 1024 bit cryptanalysis skills

  9. Pantagruel June 11, 2008 at 6:25 pm #

    LOL, easy

    pantagruel: i

  10. Navin June 12, 2008 at 7:14 pm #

    @ pantagruel

    You’re right… as discussed in the kaspersky subforum, it is a unique key for each encrypted system. So if you got 2 computers infected, even if in the same network, you gotta pay 2X the ransom amount. Russian teens with pimples?? I don’t think so… Russian maybe… but teens who specialize in 1024-bit encryption/decryption?? They’re good… and now very rich I guess!! :)

  11. Bogwitch June 13, 2008 at 12:26 pm #

    I was wondering how a unique key could be issued to each computer, but now I see it has a pseudo-randomly generated portion that is included in the README. That’s pretty sly, but it means that, once the algorithm is properly analysed, there is only one root key to be discovered.

    It is my experience that most larger-than-average organisations will make suitable backups however, your home users and SMEs are far less likely to do so despite, as you say, storage being so cheap.

  12. JaMeS June 16, 2008 at 1:11 pm #

    this is HARSH to say the least!
    kudos to the guy who thought of it though!
    but yeah, i hope i never get this …
    damn dodgy porn sites!!!


  13. chevalier3as June 16, 2008 at 8:43 pm #

    If the key pass is generated randomly or based on the signature of the victim, I think that focusing on the way these keys are generated is easier than decrypting a 1024 bit RSA code, noting that (according to my last info) the American government uses a 512 bit RSA encryption!

    Reverse engineering a virus is not that easy either, especially if the attacker used techniques used by programming engineers to hide their code; hopefully the code would be smaller so less demanding.