
GpCode-like Ransomware Is Back

VitalyK
Kaspersky Lab Expert
Posted November 29, 15:33 GMT
Tags: Ransomware, Gpcode

We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008.

GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.

As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering and even decrypting your data with our decryption tools.

Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead, it overwrites the data inside the files in place, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.

Preliminary analysis shows that RSA-1024 and AES-256 are used as the cryptographic algorithms. The malware encrypts only part of each file, starting from the first byte.
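As an added illustration (not Kaspersky's code or tooling), the following Python script shows the defender-side consequence of the two facts above: because the ciphertext is written over the first bytes of each file in place, there is no deleted original for carving tools to find, but the overwritten region is easy to spot in triage, since the file's magic signature is gone and the leading block has near-random entropy while the untouched remainder does not. The magic table, the 4 KiB head size, the 7.5 bits/byte threshold and the sample files are all assumptions constructed for the example; the script classifies files, it does not recover them.

```python
"""Triage helper for files whose leading bytes may have been overwritten.

Added example, not Kaspersky's code. The post states that this GpCode
variant overwrites the start of each file with ciphertext instead of
writing a new file and deleting the original, so free-space carving
finds nothing. A defender can still identify touched files: the format
magic is gone and the leading block looks random (high entropy) while
the rest of the file still looks like the original format.
All file contents below are constructed in memory for the example.
"""
import math
import random
from collections import Counter

# Assumption: a small hand-picked magic table; a real triage tool would
# use a much fuller list (libmagic, for instance).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

HEAD_LEN = 4096            # assumed size of the leading block to inspect
ENTROPY_THRESHOLD = 7.5    # bits per byte; uniformly random data nears 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(name: str, ext: str, data: bytes) -> dict:
    """Classify one file: does its head still match the declared type?

    A file is flagged when its magic signature is missing AND the head
    block is near-random. Checking both matters: compressed formats
    (zip, jpg) are high-entropy by nature, so entropy alone would
    produce false positives on perfectly healthy files.
    """
    head, tail = data[:HEAD_LEN], data[HEAD_LEN:]
    sig = MAGIC.get(ext)
    magic_ok = None if sig is None else data.startswith(sig)
    head_entropy = shannon_entropy(head)
    tail_entropy = shannon_entropy(tail)
    suspicious = magic_ok is False and head_entropy > ENTROPY_THRESHOLD
    return {
        "name": name,
        "magic_ok": magic_ok,
        "head_entropy": round(head_entropy, 2),
        "tail_entropy": round(tail_entropy, 2),
        "suspicious": suspicious,
    }


def build_samples() -> dict:
    """Constructed samples: an intact PDF-like blob and a copy whose first
    HEAD_LEN bytes were replaced with seeded pseudo-random bytes (this
    stands in for an overwritten head; no encryption is performed)."""
    rng = random.Random(1234)  # deterministic so the example is repeatable
    body = MAGIC["pdf"] + b"1.4\n" + (b"BT /F1 12 Tf (hello) Tj ET\n" * 600)
    damaged_head = bytes(rng.getrandbits(8) for _ in range(HEAD_LEN))
    damaged = damaged_head + body[HEAD_LEN:]
    return {"intact.pdf": body, "damaged.pdf": damaged}


def triage_samples() -> dict:
    """Run triage over the constructed samples, keyed by file name."""
    return {name: triage(name, "pdf", data)
            for name, data in build_samples().items()}


if __name__ == "__main__":
    for result in triage_samples().values():
        print(result)
```

On a real system the same logic would walk a directory tree and derive the type from the extension or a fuller magic table; the output is a list of files to preserve for analysis, not a recovery. Note that the untouched tail keeps its original entropy, which is exactly what lets an analyst confirm that only the leading part of each file was encrypted, as the post describes.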

Detection for this malware was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.

If you think you are infected, we recommend that you do not change anything on your system, as doing so may prevent potential data recovery if we find a solution. It is safe to shut down the computer or restart it despite the malware writer's claim that files are deleted after N days; we haven't seen any evidence of a time-based file-deleting mechanism. Nevertheless, it is better to avoid any changes to the file system, such as those a restart can cause.

People who are not infected should be aware of the problem and should recognize GpCode from the first second the warning appears on screen. Pushing the Reset/Power button on your desktop may save a significant amount of your valuable data! Please remember this and tell your friends: if you see a sudden popup of Notepad with text like this:

Don't hesitate: turn off your PC, or pull out the power cable if that is fastest!

Another sign of infection is an immediate change of the desktop background to something like this:

[Screenshot: Gpcode desktop message 1]

We will keep posting more information and screenshots as we continue our investigation.


56 comments


srdjan

2010 Nov 30, 12:12
0
 

nice text

tnx for info bro :)


Mihai Barbulescu

2010 Dec 01, 12:12
0
 

Good description

Thank you for the good initial warning and description.


David

2010 Dec 02, 00:26
0
 

Question

How does the PC get infected? I have a client that said she doesn't know what she clicked to get the ransomware. Is it an email attachment? Does it come from a website? Is there user interaction to start the process before encryption?


sudh82

2010 Dec 06, 15:45
0
 

Re: Question

I got it as a random drive-by download, possibly in PDF format. Since I was already downloading a PDF document at the same time, I opened the infected file, which then proceeded to encrypt all my files.


adbc

2010 Dec 02, 17:40
0
 

Same question as David

How does the PC get infected ?


Jack McElwee

2010 Dec 03, 12:06
0
 

GP Ransom gets in through delivery emails

I heard that if you get an email from UPS, FedEx or some other legit delivery service firm saying that something you ordered could not be delivered to you w/o additional information, then it has a link that tells you to click it for additional info. If you do, Bam! as Emeril says, you have let GP Ransomware into your system. It's going to be tough to keep it out, especially in the holiday season when everyone is ordering stuff over the web. Like Pete at EONS CT IS group says, 'Don't click on anything unless you're more than 100% sure what it is and who sent it!' An ounce of prevention's worth more than a pound of cure in this case, guys. Take care and good luck- K K


David

2010 Dec 04, 02:02
0
 

Question - Followup

After further review of this particular PC, I have found the website that my client was on. However, this was not a link in an email. This was a link to a .pdf file that she visits from a known website frequently. It must have been some type of redirect. The website ends in .ru and has a link to the .pdf. I might try to hook up a dummy PC and try to click the link and see what happens.


Tony

2010 Dec 05, 05:14
0
 

I have it!

Just this morning I got what looks like this exact new virus. Does anyone have any steps to help with this? I can't even access the Windows Restore. Any help will be greatly appreciated!


adbc

2010 Dec 05, 12:10
0
 

http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware
This is a link I found about removal; I don't understand a word of it, but maybe you do .....
Good luck.


sudh82

2010 Dec 06, 15:46
0
 

Re:

That is for another ransomware virus. Related but not the same.


sudh82

2010 Dec 06, 14:54
0
 

Help

Anyone with solutions to recovering encrypted files yet? All my files have been encrypted and I cannot access them.


L F

2010 Dec 07, 08:14
0
 

Trojan Ransom.Win32.GpCode.ax ... HELP

Got hit with this nasty trojan on Saturday. Is there any way to clean / remove it AND retrieve encrypted data ?

Many thx


jrchan

2011 Mar 27, 14:04
0
 

Re: Trojan Ransom.Win32.GpCode.ax ... HELP

I was also hit by this trojan (RSA 1024). It is fairly harmless. Remove as follows:
1. Right click on the monitor screen, click on Properties, select Desktop.
2. Click on Desktop; a new wallpaper program appears. Click on Browse to show the program. Right click on all the items, select Delete. Reinstall your wallpaper. Done!


sudh82

2010 Dec 07, 09:19
0
 

Recovering Deleted Data

Hi, I was googling at options to recover data from the gpcode attack and came across this solution to recover data deleted by the virus.

http://support.kaspersky.com/faq/?qid=208279822

Can anyone please advise whether this solution will work for the latest version of the gpcode ransomware virus?? It says it cannot de-encrypt the data, but attempts to recover the original files deleted by the virus. Anyone, help!?


pbmgmbh

2010 Dec 07, 17:22
0
 

Re: Recovering Deleted Data

As VitalyK told us in the above article, this solution won't do the trick, because the new version of the virus doesn't copy the encoded file to disk and delete the original, but writes directly into the file itself.
We have to wait until a lot of infected and uninfected (e.g. from backups) counterparts are collected and analysed, to possibly generate an algorithm for decrypting. We have to be patient!


L F

2010 Dec 09, 22:14
0
 

Re: Re: Recovering Deleted Data

Sure wish a solution to this horrible malware could be found soon. Thx Kaspersky for your hard work.

Anxiously awaiting a fix . . .


Gene Basler

2010 Dec 10, 01:58
0
 

Has anyone succeeded in recovering files?

Thanks for investigating this. Is there a record of ANYONE recovering his or her files? My data loss is HUGE. Feeling your pain LF


Gene Basler

2010 Dec 10, 01:59
0
 

Happened to me on Saturday, too

LF, It happened to me on Saturday, too. And I wasn't even looking at porn, dammit!


L F

2010 Dec 10, 16:17
0
 

Re: Happened to me on Saturday, too

This damn malware has ruined my Holidays .. what sick, twisted jerk creates this stuff? Wonder if the good folks at Kaspersky will be able to find a fix ... for the sake of your porn needs, sure hope so ;-D

Would suspect all updates will be posted to this site ?


Gene Basler

2010 Dec 10, 16:56
0
 

L F

I have been absolutely sick about all the photos that are lost. I had just connected my pocket hard drive to do a backup, so it encrypted that whole drive, too. (Speaking of porn, of course that was my company's IT department's default accusation. My thanks/punishment for doing work-related stuff so late on a Saturday.) So glad to be able to point them to someone who contracted the virus on the same day as me.


L F

2010 Dec 11, 01:30
0
 

Re: L F

I too was catching up on work on Saturday ... updating a client's Facebook page. Damn hackers. There's a place in hell for them: on the back row, near the furnace.

Fingers crossed that some geek genius can overcome their evil.


raymondbaij

2010 Dec 10, 18:42
0
 

Happened to me since Monday

I am wondering if there is a fix for this new virus as yet. I've lost a lot of important files as the virus infected the SERVER! I am wondering if there is a tool to remove the file extension .ENCODED from all files on the hard disk. Hopefully I can open up some of them. For instance some kind of batch file.


L F

2010 Dec 11, 01:31
0
 

Re: Happened to me since Monday

Feel your pain ....


Gene Basler

2010 Dec 11, 22:25
0
 

How about a reward

LF and raymondbaij. I have a total of 27.2 GB of files that are corrupted. Is that too big for a zip file? I was thinking of offering a reward to whoever successfully recovers the files. What do you guys think?


L F

2010 Dec 13, 00:52
0
 

Re: How about a reward

Was hoping that Kaspersky or ESET would have figured this mess out by now. Whoever does it first will get my $ for anti-virus / anti-malware protection.

Not certain if you can zip a file that big (27.2 GB), but I definitely feel your pain.

Have not turned on my computer that got hit with that trojan since it happened ... awaiting a solution.

Oh, and to the pencil dicks who put out this junk, grow up and grow a pair.


john

2010 Dec 13, 16:22
0
 

Analysis for solution

Please send me the virus sample in a password-protected .zip or .rar archive.

----Send me the virus to my e-mail (jean.bart33@hotmail.fr)----

I am going to study the virus to try to find a solution to decode the files.

Please send me the virus "Trojan-Ransom.Win32.GpCode.ax" to my e-mail (jean.bart33@hotmail.fr)

I am going to work to find a solution

Best regards
John (Virus analyst)


raymondbaij

2010 Dec 13, 19:17
1
 

Re: John

Hi John, I can send you the link to where it was infected, not the actual virus. I have it in my Internet Explorer history; does this John person sound legit??


john

2010 Dec 13, 20:40
0
 

Ok, raymondbaij

Yes, give me all that you can at my e-mail.

Send me the link to my e-mail address (jean.bart33@hotmail.fr)

Let's go

Best regards
John (Virus analyst)


john

2010 Dec 13, 21:43
0
 

Trojan-Ransom.Win32.GpCode.ax

I am going to analyze the virus; I will inform you as fast as possible

Best regards
John (Virus analyst)


L F

2010 Dec 13, 23:46
0
 

Re: Trojan-Ransom.Win32.GpCode.ax

Thanks, John, for any help you can offer with this problem ... much appreciated.


john

2010 Dec 14, 01:18
0
 

Re: raymondbaij and others

The .PDF sent by raymondbaij is a PDF EXPLOIT and does not contain the virus body; this .pdf document downloads the virus from a web site, and this link is disabled now!

Send me the (Trojan-Ransom.Win32.GpCode.ax) to my e-mail address (jean.bart33@hotmail.fr)

I need the virus to make the analysis

Best regards
John (Virus analyst)


L F

2010 Dec 16, 02:18
0
 

ANY update on a fix for this mess ?

Hey Kaspersky gurus, any update on a fix for this horrible malware ?

Thx Hurry !


john

2010 Dec 16, 20:40
0
 

Hello

Send me the (Trojan-Ransom.Win32.GpCode.ax) to my e-mail address (jean.bart33@hotmail.fr)

I need the virus to make the analysis; it's very important for the cryptographic analysis

Best regards
John (Virus analyst)


Dan

2010 Dec 25, 09:45
0
 

Any updates on the progress of the investigation into this virus?


L F

2010 Dec 29, 20:15
0
 

REALLY need a fix for this trojan

ESET has been worthless in defending against this malware and offering any hope of a solution. Hope Kaspersky is able to find something.

What say you, good people of Kaspersky ?


Dan

2010 Dec 31, 07:46
0
 

Thanks for effectively warning me, LF. I was going to go to ESET to use them as a second helper in this issue, but no point I guess.

We need to band together in dealing with this encryption issue. Keep in touch?


L F

2010 Dec 31, 20:30
0
 

Re:

Yes, Dan, let's keep in touch via this site and post any updates. RE: ESET I have bought and used their security products for years and have generally been very pleased. They totally dropped the ball with this trojan. No solution. Little effort to find one. No customer support. ESET has gotten the last $$ out of me. Very disappointing.

Here's hoping a solution is found quickly for this mess and that the jackasses who spread this malware get incurable rashes!

Happy New Year !


wunder_1990

2010 Dec 31, 13:25
0
 

My PC is infected!

Hello everyone!

My pc was infected by that virus...

Will there be any solution anytime???

I haven't done a backup or something like that, and I've got a lot of important e-mails, pics, etc....

Greeting
George


L F

2011 Jan 18, 20:21
0
 

ANY update, Kaspersky ?

Hey Kaspersky gurus, any update on a fix / clean / restore for this nasty trojan ?

Really need help now! THX


Steven K

2011 Jan 30, 17:01
0
 

GpCode Ransomware 2010 Simple Analysis
http://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html

not really advanced stuff but...


L F

2011 Feb 05, 23:21
0
 

Re: still need a fix

Thx for the link to the analysis. Wish there was a fix for this malware. Computer has been down for 6 weeks - no need to turn it on if it can't be fixed.


Al

2011 Feb 06, 23:57
0
 

Any solution?

So is there any solution for this attack?
Can you inform us, please...
If there is no solution yet, can you give us an idea about when there will be such a solution (in a month, in a year, or maybe never)?
Thank you in advance....


Julie Dennis

2011 Mar 26, 21:53
0
 

Giving This Thread a Bump

My pc was infected with this same nasty Trojan yesterday. Giving this thread a bump in hopes of finding a solution. Please???

