Incidents

Multiple Gpcode variants

In the last 24 hours we’ve detected five new versions of Virus.Win32.GPcode. This virus is interesting as it encrypts users’ files – with whoever is sending the virus out asking for money to decrypt the files. The virus encrypts files, deletes itself from the victim machine, and also deletes all information which might give a clue how the virus penetrated the system.

The first variants we detected were spreading around the world. The latest version is mainly affecting Russian users. This illustrates the fact that cyber criminals are starting to target their attacks and spamming of malicious programs more precisely.

To date, we haven’t established exactly how GPcode infects computers. However, it seems to be spreading either by exploiting a vulnerability in the operating system, or by a botnet.

A lot of users haven’t contacted antivirus companies, but have instead contacted the authors or users of this malicious program. This will simply encourage the evolution of this virus as it makes it clear that there are potential gains to be made.

In order to protect their machines, users should make sure that they have installed all the latest patches, and keep their antivirus programs up to date. Once the virus is cleaned from encrypted files, they are restored to their original condition.

Multiple Gpcode variants

Your email address will not be published. Required fields are marked *

 

Reports

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox