Our StopGpcode project has attracted a lot of attention from individual researchers and organizations who are interested in solving the puzzle of the blackmailing virus. Thanks for all the feedback.
Among other things, we’ve been asked a lot about how the virus propagates. Having analyzed a number of infected computers we’ve come to the conclusion that the virus gets onto the victim machine with the help of another malicious program – a bot with Trojan-Downloader functionality. The victim machines had been infected with this malicious program well before Gpcode appeared on them; and the bot downloaded a whole range of other Trojan programs in addition to the Gpcode virus.
The RSA private key hasn’t been found, but some interesting ideas have surfaced. For instance, a detailed analysis of the algorithm used by Gpcode has shown that the author of the virus made an error which makes it possible (under certain circumstances) to decrypt encrypted files without the private key.
This method restores from 0% to 98% of all encrypted files on the computer. The results depend on a number of factors, beginning with the system that was attacked. At the moment it’s impossible to give an average number of files that could be recovered from a ‘typical’ computer.
Kaspersky Lab researchers are currently working on creating a file restoration utility that will utilize this new method.