GPCODE Malware uses RSA-1024 and AES-256 Encryption
Kaspersky Lab is reporting a return of GPCODE trojan attacks with greatly improved encryption. These attacks are called ransomware because they require infected users to pay for an encryption key (that may not work anyway). Users should not only avoid potential attacks but also fully back up their PCs and have a data recovery strategy in place to minimize potential loss of information.
http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware
http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back
QUOTE: We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008. GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.
As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering and even decrypting your data with our decryption tools.
Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.
Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte. The malware detection was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.
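The quoted analysis says the trojan overwrites only the start of each file, beginning at the first byte. The following is an added example, not part of the Kaspersky post or any Kaspersky tool: a triage check that flags files whose head looks like ciphertext while the rest still looks like the original. The window size, thresholds and signature table are assumptions, since the post does not say how many bytes are overwritten.

```python
import hashlib
import math
import os

# Assumed signatures for a few common types; extend for your environment.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(name: str, data: bytes, window: int = 4096,
           high: float = 7.0, gap: float = 1.5) -> dict:
    """Flag a file whose head looks encrypted while the following block does not."""
    head, tail = data[:window], data[window:2 * window]
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    magic_ok = None if magic is None else data.startswith(magic)
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    # The entropy gap only means something when there is a tail to compare with.
    entropy_hit = len(tail) >= 256 and h_head >= high and h_head - h_tail >= gap
    return {"name": name, "magic_ok": magic_ok, "head_entropy": round(h_head, 2),
            "tail_entropy": round(h_tail, 2),
            "suspicious": magic_ok is False or entropy_hit}

def constructed_noise(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 over a counter)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample data, not taken from any real infection.
TEXT = b"Quarterly report: revenue, costs and forecasts for the region.\n" * 200
SAMPLES = {
    "report.txt": TEXT,
    "report_hit.txt": constructed_noise(4096) + TEXT[4096:],
    "scan.pdf": b"%PDF-1.4\n" + TEXT,
    "scan_hit.pdf": constructed_noise(4096) + TEXT[4096:],
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob))
```

Already-compressed formats (PNG, ZIP, JPEG) have high entropy throughout, so for those the signature check carries the detection and the entropy gap will not fire.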