
GpCode-like Ransomware Is Back

VitalyK
Kaspersky Lab Expert
Posted November 29, 15:33 GMT
Tags: Ransomware, Gpcode

We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008.

GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.

As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering and even decrypting your data with our decryption tools.

Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead, it overwrites the data inside the files in place, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.

Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte.
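The partial, in-place encryption described above suggests a simple triage check for defenders: because the ciphertext overwrites the file starting at byte 0, a document whose extension promises a well-known magic header but whose first bytes are high-entropy garbage is a strong indicator of GpCode-style damage. The Python script below is an added example written for this post, not Kaspersky Lab's code; the magic-byte table, the 512-byte sample size and the 7.0 bits/byte entropy threshold are constructed choices, and the scan is read-only so it does not alter any evidence.

```python
import math
import os
from collections import Counter

# Magic bytes common formats carry at offset 0. Encryption that overwrites a
# file in place "starting from the first byte" destroys exactly this signature,
# so an extension that promises a known header over high-entropy bytes is a
# useful triage indicator. The format table is illustrative, not exhaustive.
MAGIC = {
    ".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".exe": b"MZ",
}
HEADER_LEN = 512          # bytes of the file head to sample (constructed choice)
ENTROPY_THRESHOLD = 7.0   # bits/byte; structured headers sit well below this

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_header(name: str, head: bytes) -> str:
    """'ok', 'mismatch', 'suspicious' or 'unknown' for a file name and its first bytes."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return "unknown"
    if head.startswith(expected):
        return "ok"
    # Header does not match the advertised format: high entropy points at
    # ciphertext, low entropy at a merely renamed or truncated file.
    if shannon_entropy(head[:HEADER_LEN]) > ENTROPY_THRESHOLD:
        return "suspicious"
    return "mismatch"

def scan_tree(root: str) -> list:
    """Walk a directory read-only and list files whose head looks encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:   # read-only: do not touch evidence
                    head = fh.read(HEADER_LEN)
            except OSError:
                continue                       # unreadable file: skip, don't alter
            if classify_header(fn, head) == "suspicious":
                hits.append(path)
    return hits
```

Run `scan_tree` against a copy or a read-only mount of the affected volume; a file reported as "mismatch" rather than "suspicious" is more likely renamed or truncated than encrypted.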

The malware detection was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.

If you think you are infected, we recommend that you do not change anything on your system, as doing so may prevent potential data recovery if we find a solution. It is safe to shut down the computer or restart it, despite the malware writer's claim that files are deleted after N days: we haven't seen any evidence of a time-based file-deletion mechanism. Nevertheless, it is better to avoid any changes to the file system, such as those a computer restart may cause.

People who are not infected should be aware of the problem and should recognize GpCode from the first second the warning appears on the screen. Pressing the Reset/Power button on your desktop may save a significant amount of your valuable data! Please remember this and tell your friends: if you see a sudden popup of Notepad with text like this:

Don't hesitate: turn off your PC, or pull out the power cable if that is faster!

Another sign of infection is an immediate change of the desktop background to something like this:

Gpcode desktop message 1

We will keep posting more information and screenshots as we continue our investigation.


56 comments


Julie Dennis

2011 Apr 01, 17:29

Re: Re: Re: Re: Re: Re: How to rid ransomware GpCode

Your files are gone. Just take it as a lesson learned, and move on. Harsh but also reality.

I recommend using a good backup service from now on as well as a good virus program. Get them both in place asap so you won't have to go through this again.


Karla

2011 Mar 31, 20:59

Re: ur pc is attacked with the same nasty trojan

Did Norton recover your files?


Karla

2011 Mar 31, 20:59

Re: Re: Re: Re: Re: How to rid ransomware GpCode

For me it sounds weird... I am not worried about removing the virus but I would like to recover my files...

Edited by Karla, 2011 Mar 31, 22:17


Biswa Pratim Sinha

2011 Mar 31, 08:10

ur pc is attacked with the same nasty trojan

Try Norton Internet Security 2011 or Norton 360 version 5.0. See how the virus is removed from the computer swiftly and securely by the power of Norton.


Julie Dennis

2011 Mar 31, 01:37

Re: Re: Re: Re: How to rid ransomware GpCode

I don't see anything different in monitor properties or desktop options. It sounded to me like jrchan was saying to delete every folder in the system.


Karla

2011 Mar 30, 19:46

Re: Re: Re: How to rid ransomware GpCode

Yeah, me too... But jrchan's method seems so easy and effective. Have you tried it? Is there anything different in your Monitor - Properties - Desktop screen options? ... I haven't tried it because I don't want to restart my computer...


Julie Dennis

2011 Mar 30, 16:27

Re: Re: How to rid ransomware GpCode

For me, it's this one:
http://www.securelist.com/en/blog/6165/Ransomware_GPCode_strikes_back


Mister X

2011 Mar 28, 22:50

Re: Infected!

If you have no backups you are really SOL.
You can try paying; I personally think they won't send the decoder.


Mister X

2011 Mar 28, 22:38

BOOOOO YAA

We also got hit with this 3-25-2011
This is a new variant of the virus.

I found and took a sample of the virus and submitted it to over 10 different vendors, so expect a signature very soon.

Thank god for backups.

Good breakdown of an old variant here

http://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html

Here is a current scan as of 3-28-2011

http://bit.ly/gTFiiR

Real link below, if used edit the spaces out if copied and pasted

http://www.virustotal.com/file-scan/report.html?id=832863ece8c7eced9395b8929b1557 297feab33f8912210e8ff870ed849b aab2-1301335072

So yeah if you don't have any backups of your data you are SOL.

Boo yaa Virus, he will craft it again, I'm sure.

Edited by Mister X, 2011 Mar 28, 23:29


Karla

2011 Mar 28, 22:22

Re: How to rid ransomware GpCode

Was your computer infected with win32.ax? or other ransom?


Karla

2011 Mar 28, 20:47

Infected!

My computer has been infected since Friday... Is anyone trying to find out how to recover files? I am using a second computer now, but my information is very important. I have been tempted to pay!!! But I know it is wrong... Is this thing about the desktop true?


Julie Dennis

2011 Mar 27, 20:04

More help?

I'm using Windows 7. I right-clicked, went to Personalize and am looking at the Desktop Background options. Is that where I should be?

When I click Browse, it just brings up my folder list. More help please?


jrchan

2011 Mar 27, 14:04

Re: Trojan Ransom.Win32.GpCode.ax ... HELP

I was also hit by this trojan RSA 1024. It is fairly harmless. Remove as follows:
1. Right click on monitor screen, click on properties, select desktop.
2. Click on desktop, new wallpaper program appears. Click on browse to show the program. Right click on all the items, select delete. Reinstall your wallpaper. Done!


jrchan

2011 Mar 27, 10:19

How to rid ransomware GpCode

It is a lot of hot air and easily deleted. Take the following steps:
1. Right click on monitor screen. Click on properties.
2. Select desktop.
3. A new item displaying the message appears under 'select background'.
4. Click 'Browse'. Right click on all items appearing on the screen and select 'delete'.
DONE! CURED!


Julie Dennis

2011 Mar 26, 21:53

Giving This Thread a Bump

My pc was infected with this same nasty Trojan yesterday. Giving this thread a bump in hopes of finding a solution. Please???


Al

2011 Feb 06, 23:57

Any solution?

So is there any solution for this attack?
Can you inform us, please...
If there is no solution yet, can you give us an idea about when there will be such a solution (in a month, in a year, or maybe never)?
Thank you in advance....


L F

2011 Feb 05, 23:21

Re: still need a fix

Thx for the link to the analysis. Wish there was a fix for this malware. Computer has been down for 6 weeks - no need to turn it on if it can't be fixed.


Steven K

2011 Jan 30, 17:01

GpCode Ransomware 2010 Simple Analysis
http://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html

not really advanced stuff but...


L F

2011 Jan 18, 20:21

ANY update, Kaspersky ?

Hey Kaspersky gurus, any update on a fix / clean / restore for this nasty trojan ?

Really need help now! THX


L F

2010 Dec 31, 20:30

Re:

Yes, Dan, let's keep in touch via this site and post any updates. RE: ESET I have bought and used their security products for years and have generally been very pleased. They totally dropped the ball with this trojan. No solution. Little effort to find one. No customer support. ESET has gotten the last $$ out of me. Very disappointing.

Here's hoping a solution is found quickly for this mess and that the jackasses who spread this malware get incurable rashes!

Happy New Year !


wunder_1990

2010 Dec 31, 13:25

My PC is infected!

Hello everyone!

My pc was infected by that virus...

Will there be any solution anytime???

I haven't done a backup or anything like that, and I've got a lot of important e-mails, pics, etc....

Greetings
George


Dan

2010 Dec 31, 07:46

Thanks for effectively warning me LF. I was going to go to ESET to use them as a second helper in this issue but no point I guess.

We need to band together in dealing with this encryption issue. Keep in touch?


L F

2010 Dec 29, 20:15

REALLY need a fix for this trojan

ESET has been worthless in defending this malware and offering any hope of a solution. Hope Kaspersky is able to find something.

What say you, good people of Kaspersky ?


Dan

2010 Dec 25, 09:45

Any updates on the progress of the investigation into this virus?


john

2010 Dec 16, 20:40

Hello

Send me the (Trojan-Ransom.Win32.GpCode.ax) to my e-mail address (jean.bart33@hotmail.fr)

I need the virus to do the analysis; it's very important for the cryptographic analysis

Best regards
John (Virus analyst)


L F

2010 Dec 16, 02:18

ANY update on a fix for this mess ?

Hey Kaspersky gurus, any update on a fix for this horrible malware ?

Thx, hurry!


john

2010 Dec 14, 01:18

Re: raymondbaij and others

The .PDF sent by raymondbaij is a PDF EXPLOIT and does not contain the virus body; this .PDF document downloads the virus from a web site, and this link is disabled now!

Send me the (Trojan-Ransom.Win32.GpCode.ax) to my e-mail address (jean.bart33@hotmail.fr)

I need the virus to do the analysis

Best regards
John (Virus analyst)


L F

2010 Dec 13, 23:46

Re: Trojan-Ransom.Win32.GpCode.ax

Thanks, John, for any help you can offer with this problem ... much appreciated.


john

2010 Dec 13, 21:43

Trojan-Ransom.Win32.GpCode.ax

I am going to analyze the virus; I will inform you as fast as possible

Best regards
John (Virus analyst)


john

2010 Dec 13, 20:40

Ok, raymondbaij

Yes, give me all that you can by e-mail.

Send me the link to my e-mail address (jean.bart33@hotmail.fr)

Let's go

Best regards
John (Virus analyst)
