Malware descriptions

Gpcode: the return of the file encryptor

We’ve detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. If you’re a regular visitor to Viruslist, you might remember reading about Gpcode a couple of years ago.

We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can’t currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.

The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program. As I’ve said above, we’ve come across Gpcode before (see Blackmailer for the full story). Two years ago we were able to get the private key by detailed analysis of the data at our disposal. However, the maximum RSA key length we’ve been able to ‘crack’ to date is 660 bits. We were able to do this as the author had made some mistakes when implementing the encryption algorithm.

The author has bided his time, waiting almost two years before creating a new, improved variant of this file encryptor. Gpcode.ak doesn’t not repeat the errors found in previous versions of the virus. Back in 2006 when we detected the first versions of Gpcode to use RSA, this sounded an alarm: we warned that we wouldn’t be able to help decrypt encrypted files if the virus writer implemented the RSA encryption algorithm correctly. It would be a case for law enforcement; encrypting files in this way is tantamount to a cybercriminal copying user files to his own machine, and deleting them from the user’s infected machine without consent – an illegal action.

Once the virus has encrypted a user’s files, it leaves the following text message along with the files it has encrypted:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********»

Unfortunately, at the time of writing it’s still not clear how the virus spreads. To protect your machine, you should enable all components of whatever anti-malware protection that you have installed.

ATTENTION! If you see the following message on your computer:

…Then, in all probability, you have been attacked by Gpcode.ak. In this case, try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.

Contact us by email and tell us the exact date and time of infection, as well everything you did on the computer in the 5 minutes before the machine was infected:

• which programs you have executed,
• which websites you have visited, etc.

We’ll try and help you recover any data that has been encrypted.

Our analysts are continuing to analyze the virus code in search of a way of decrypting files without having the private key. In the meantime, do take extra care as you surf and read email. And if you see the above messages…do follow our instructions.

We’ll be posting updates here when we have more news.

Gpcode: the return of the file encryptor

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox