Trojan-Ransom.Win32.Gpcode.ak

Technical Details

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 8030, bytes in size.

Payload

Once launched, the virus creates the following mutex in memory in order to flag its presence in the system: _G_P_C_.

The virus then starts consecutively scanning all logical disks for files to encrypt. The virus encrypts all user files with the extensions listed below:

The virus uses Microsoft Enhanced Cryptographic Provider v1.0 (built into Windows) to encrypt files. Files are encrypted using the RC4 algorithm. The encryption key is then encrypted using an RSA public key 1024 bits in length which is in the body of the virus.

The RSA encryption algorithm divides encryption keys into public and private. Only the public key is needed to encrypt messages. An encrypted message can be decrypted only using the private key.

The virus creates an encrypted copy of each original file. The encrypted copy retains the original file name, with _CRYPT being added to the end of the file name. Example:

WaterLilles.jpg — original file

WaterLilles.jpg._CRYPT — encrypted file

The original file will then be deleted.

The virus drops a file called "!_READ_ME_!.txt" to every directory which contains encrypted files. The file contains the following text:

Files located in the Program Files directory will not be encrypted. Additionally, the virus will not encrypt the following files:

With "system" and "hidden" attributes;

Less than 10 bytes in size;

Larger than 734003200 bytes in size

Once the virus has delivered its payload, it creates a VBS file which deletes the main body of the virus from the victim machine, and causes the following MessageBox to be displayed:

The virus does not register itself in the system registry.

Removal instructions

If you think your computer has been infected, contact us at stopgpcode@kaspersky.com. Include details about the exact date and time of infection, as well everything you did on the computer in the 5 minutes before the machine was infected:

• which programs you ran,
• which websites you have visited, etc.

File Recovery

At the moment, it's not possible to decrypt files encrypted by Gpcode. However, you can use PhotoRec to recover your original files which were deleted by Gpcode after the virus created an encrypted version of the files.

The utility can be used to recover Microsoft Office documents, executable files, PDF and TXT documents, and also certain file archives. Here is a full list of supported file formats.

PhotoRec is part of the TestDisk package. The latest version of TestDisk, including PhotoRec, can be found here.

Below are detailed instructions on how to manually restore deleted files using PhotoRec:

1. Use a different, clean computer to download TestDisk, which includes PhotoRec.
2. Save PhotoRec to an external device, and connect this device to the infected machine (this does not pose any threat, as Gpcode.ak cannot spread independently and deletes itself after launching).
3. Run PhotoRec (the file is called photorec_win.exe, and it is located in the win directory of the TestDisk package):
   
4. Choose the target drive drive for PhotoRec to search for files, and press ENTER to continue:
   

   If you have several hard drives in your system, you should perfom this step for every hard drive (e.g. once you have recovered files from one drive, you should repeat the process for the next drive).

5. Select the partition table type (typically 'Intel') and press ENTER to continue.
   

6. Choose the partition you want to recover files from and press "Enter" to continue.

   

   If your disk has several partitions, you need to repeat this step for each one.

7. Choose the type of file system (Windows users should choose 'Other') and press ENTER to continue.

   

8. Choose where to search for deleted files and press ENTER to continue. Choose "Whole" to search the entire disk for deleted files.

   

9. PhotoRec will then ask you to specify a destination directory for restored files. Use the PhotoRec file browser to move to the root directory (by choosing ".." and pressing ENTER).

   The root directory shows which disks your system has. Choose the appropriate removable (or network) drive, and the folder in which you want to save recovered files. It is very important to choose an external drive (i.e. don't choose a drive on your infected machine, because deleted files could be damaged).

   Before recovering files, please make sure you have created a separate directory on the drive (e.g. "recovered") and choose to save recovered files to this directory, in order to prevent errors arising later in the recovery process. Once you have chosen the directory, press "Y".

   

   Once you have pressed "Y", you will see the file restoration process in action. Please be aware that this process may take a considerable length of time.

   

   Wait for scanning to finish before moving to the next step.

10. The recovered files are now on your chosen external drive. When you open the directory which contains the recovered files, you will notice that the file names do not correspond to the original names of the files on your hard disk.

    Your file names will look something like this:

    

    This is due to the way PhotoRec works, and you should not be alarmed. In addition, although the utility can restore the contents of files, it cannot establish their original location.

To complete the recovery process, we've created a free utility called StopGpcode that will sort and rename your restored files.

• On another computer, download the Stopgpcode utility and copy it to a USB flash drive.
• Put this flash drive into the infected computer and load the Windows Command Prompt by going to START | PROGRAMS | ACCESSORIES.
• Select your USB flash drive by typing the drive letter e.g. W:
• Then run the utility from the command line by typing the following:
  "STOPGPCODE -r -i -o
  
  e.g. STOPGPCODE -r W:\ RECOVERED -i С:\ -o W:\SORTED"

The utility will process the entire disk and compare the sizes of encrypted and recovered files. The program will use the file size as a basis for determining the original location and name of each recovered file.

The utility will try to determine the correct name and location for each file, recreating your original folders and file names within a folder called "sorted". If the utility cannot determine the original file name, the file will be saved to a folder called "conflicted".

You can download Stopgpcode here.

Decrypting files using StopGpcode2

Some of the files encrypted by Gpcode.ak can be decrypted without using the private RSA key. This is accomplished by using files where a non-encrypted version exists.

You need to take the following steps to decrypt files:

1. Find all encrypted files which have the ._CRYPT extension from the victim machine and copy them onto a portable data device into a folder named encrypted.

2. Follow the instructions above in ‘Restoring Files’ and save the restored files with the correct restored names onto the portable data device in a folder named ‘backup’.

3. Match unencrypted copies of the files with the encrypted versions in the ‘encrypted’ folder. You can find unencrypted versions of your files in your backup. If you've lost photos, you might have a good copy left on the memory card of your camera. Potentially you may have good copies of your encrypted files on network resources. These are the files you should look for and copy to the folder named ‘backup’.

   Important! You MUST sure that the files that you save to the backup folder have identical names to the files in the ‘encrypted’ folder – everything should be identical for except the extension ._CRYPT .

4. Create a folder named ‘decrypted’ where you will save the decrypted files. Download the free Stopgpcode2 tool from the Kaspersky website. This is used to decrypt your files.

5. Launch StopGpcode2 from the command prompt (Start > Run > cmd.exe ) – be sure to include the full path to the folders ‘encrypted’, ‘backup’ and ‘decrypted’. For instance, if the tool and the folders are located in the root of drive e: - then you need to execute:

   e:\stopgpcode2.exe e:\encrypted e:\backup e:\decrypted

   Once the program executes, you will see the tool starting to decrypt your files.

   

6. After the tool completes decrypting it will display a ‘Done’ message. Now you can open the ‘decrypted’ folder and check which files the tool was able to decrypt.