Back in November 2010, we wrote a blog post about a new variant of the Gpcode Ransomware.
Kaspersky lab discovered a new variant today, in the form of an obfuscated executable. Please review the technical details for further information. The threat was detected automatically thanks to the Kaspersky Security Network as UDS:DangerousObject.Multi.Generic.
Specific detection has been added and the threat is now detected as Trojan-Ransom.Win32.Gpcode.bn
The infection occurs when a malicious website is visited. (drive by download)
Upon execution, the GPCode Ransomware will generate an AES 256 bit key (Using the Windows Crypto API), and use the criminal’s public RSA 1024 key to encrypt it. The encrypted result will then be dropped on the Desktop of the infected computer, inside of the ransom text file:
It’s important to notice that, unlike the sample from last November, they are asking for payment through Ukash pre-paid cards. On a side note, the Ransomware we discovered yesterday, that was disguising as a notice from the federal German police was also asking for Ukash coupons.
It seems the criminals are moving away from the old money transfer, and preferring the pre paid cards instead. the price increased from 120 to 125 dollars.
At the very same time, the Desktop background is changed to tell the user they have been infected, and that a ransom should be paid:
At this point, the hard drives are being scanned for files to encrypt. The file extensions used to determine whether a file is to be encrypted or not are provided inside of an encrypted configuration file. It means the GPCode Ransomware can be easily updated with a new configuration file. It also includes the ransom letter as well as the public RSA 1024 key from the criminals.
Technical details:
The sample discovered in November 2010 was compressed with UPX. In the sample discovered today, UPX is still used, but not by itself. In fact, the criminals are using a custom file protector to slow down analysis and Reverse Engineering. Here is what it looks like at the packed entry point:
It would take too long to describe the full unpacking process, but obfuscation and standard techniques found in modern malicious packers are used to protect this Ransomware.
Once unpacked, the sample is very similar to the one we had in November. The resource section of the file embeds an encrypted config file. Here is how it looks once decrypted:
The “N” parameter has been blurred. The parameter is a 1024 bit number.It’s important to note that it is different from last November.
And finally, here is a capture around the unpacked entry point, where the call to Key generation is done:
What should I do in case of infection?
If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution. It is safe to shutdown the computer or restart it despite claims by the malware writer that files are deleted after N days – we haven’t seen any evidence of time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by computer restart.
People should be aware of the problem and should recognize GpCode from the first second that the warnings appears on your screen. Pushing the Reset/Power button on your desktop may save a significant amount of your valuable data!
Don’t hesitate to turn off your PC or pull out the power cable if this is fastest!
The encrypted files cannot be recovered because of the strong cryptography employed.
The only way to recover your files is to use backups.
Ransomware: GPCode strikes back