Gpcode – here we go again

Today we heard a disturbing rumor about a new version of Gpcode. We immediately began talking to victims and trawling the Internet for samples.

After some digging, we found a sample that answers the descriptions victims have given us. The program’s currently being spread via a botnet (name withheld for security purposes).

Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author’s contact details: an email address, an ICQ number and a URL. The web page contains the following text in Russian:

Добрый день.

Для вас 3 новости, не очень хорошая и две очень хороших и Начнем мы с неочень хорошей.

Неочень хорошая новость заключается в том, что все ваши файлы зашифрованы современным алгоритмом AES-256.
В программе использован метод Открытых-закрытых ключей.
Используется 99999 клюей для шифрования, на каждой зараженной машине используется один ключ, повторов нет.

Перебор ключей к алгоритму AES-256 невозможен в ближайщие 1000 лет.

Надежды на Антивирусные компании – Нет.

Алгоритм AES-256 используют американские спец службы для шифрования своих документов.

И вот первая Хорошая новость:
Файлы можно дешифровать.

Вторая очень хорошая новость:
Для дешифрации необходимо заплатить всего-то – 10 долларов.

Translation (pretty much word for word, including the errors that are in the Russian text):

Good day

3 news items for you, 1 not very good and 2 very good and [we] Will begin with the notvery good.

The notvery good news is that all of your files are encrypted using the modern algorithm AES-256.
The program uses the method of Public and private keys.
There are 99999 keys used for encryption, and a unique key is used on each infected machine. There are no duplicates.

Brute-forcing the keys for the AES-256 is impossible within the next 1000 years.
Relying on the Antivirus companies – No.

The AES-256 algorithm is used by American special services for encrypting their documents.

And the first Good news: Files can be decrypted.
Second very good news: To decrypt your files it is necessary to pay only $10.

In addition to encrypting files and leaving the message shown above, Gpcode also changes the desktop wallpaper.

As we’ve said repeatedly in other posts – don’t pay the ransom. It’ll only encourage the author to continue producing new variants.

We’d also like to stress that the information in the message shown above about the encryption algorithm, the number of unique keys and the length of the key is unconfirmed at the time of writing.

We’re analyzing the encryption algorithm in search of ways to crack the encryption and restore files. In the meantime, if you’ve been attacked by this latest Gpcode variant, we suggest that you attempt to restore your files using the methods described here. We already have confirmed reports that this approach does partially restore encrypted files.

If you’re a victim, contact us on stopgpcode at kaspersky dot com. And of course, watch this space for updates.
