Gpcode – here we go again

Today we heard a disturbing rumor about a new version of Gpcode. We immediately began talking to victims and trawling the Internet for samples.
After some digging, we found a sample that answers the descriptions victims have given us. The program’s currently being spread via a botnet (name withheld for security purposes).
Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author’s contact details: an email address, an ICQ number and a URL. The web page contains the following text in Russian:
Для вас 3 новости, не очень хорошая и две очень хороших и Начнем мы с неочень хорошей.
Неочень хорошая новость заключается в том, что все ваши файлы зашифрованы современным алгоритмом AES-256.
В программе использован метод Открытых-закрытых ключей.
Используется 99999 клюей для шифрования, на каждой зараженной машине используется один ключ, повторов нет.
Перебор ключей к алгоритму AES-256 невозможен в ближайщие 1000 лет.
Надежды на Антивирусные компании – Нет.
Алгоритм AES-256 используют американские спец службы для шифрования своих документов.
И вот первая Хорошая новость:
Файлы можно дешифровать.
Вторая очень хорошая новость:
Для дешифрации необходимо заплатить всего-то – 10 долларов.
Translation (pretty much word for word, including the errors that are in the Russian text):
3 news items for you, 1 not very good and 2 very good and [we] Will begin with the notvery good.
The notvery good news is that all of your files are encrypted using the modern algorithm AES-256.
The program uses the method of Public and private keys.
There are 99999 keys used for encryption, and a unique key is used on each infected machine. There are no duplicates.
Brute-forcing the keys for the AES-256 is impossible within the next 1000 years.
Relying on the Antivirus companies – No.
The AES-256 algorithm is used by American special services for encrypting their documents.
And the first Good news: Files can be decrypted.
Second very good news: To decrypt your files it is necessary to pay only $10.
In addition to encrypting files and leaving the message shown above, Gpcode also changes the desktop wallpaper:
As we’ve said repeatedly in other posts – don’t pay the ransom. It’ll only encourage the author to continue producing new variants.
We’d also like to stress that the information in the message shown above about the encryption algorithm, the number of unique keys and the length of the key is unconfirmed at the time of writing.
We are analyzing the encryption algorithm in search of ways to crack the encryption and restore files. In the meantime, if you’ve been attacked by this latest Gpcode variant, we suggest that you attempt to restore your files using the methods described here. We already have confirmed reports that this method does partially restore encrypted files.
If you’re a victim, contact us on stopgpcode at kaspersky dot com. And of course, watch this space for updates.