You’ve probably heard of trojans and malware, but there is a fairly new and less well-known class of malicious program called ransomware. Its mode of attack is to encrypt specific files on your computer and then drop a Notepad text file telling you to send pre-paid cash vouchers to a payment gateway chosen by the malware’s author. If you don’t, say goodbye to your data. Nasty, huh?
The first attacks by the new GPCode variant were detected in late March this year. The malware itself was first discovered in 2004 and reappeared on the threat landscape in late 2010.
According to Kaspersky Lab senior malware researcher Nicolas Brulez, the new GPCode variant is an obfuscated or encoded executable, which makes it difficult to identify as malware at first sight. It infects computers through drive-by downloads: the malware is fetched and run simply by visiting a compromised website, without the user noticing or having to do anything.
The Trojan then runs on the system, encrypting files without the user’s knowledge. Once done, it opens a text-file ransom message warning that if the ransom is not paid, the decryption key will not be sent to the victim and the encrypted files will be deleted. This is the message displayed on the PC screen:
While this happens, the hard drives are scanned for files to encrypt. The file extensions that decide whether a file is encrypted or skipped are kept in an encrypted configuration file, so the GPCode trojan can be retargeted simply by shipping it a new configuration file.
Brulez said that while a victim could possibly give in to the demands of the file hostage-taker, he recommends not changing anything on the system, as doing so may prevent potential data recovery later on. He added that one of the quickest ways to prevent malware damage is to turn off the PC or simply pull out the power plug.
There is almost no way to recover the encrypted files, so the best protection against this kind of damage is to keep regular backups in the future, stored offline or otherwise out of reach of a trojan that scans every attached drive for files to encrypt.
“We haven’t seen any evidence of a time-based file deleting mechanism despite claims by the malware writer that files are deleted after ‘N’ number of days,” says Brulez. “Nevertheless, it is better to avoid any changes that could be made to the file system which, for example, may be caused by rebooting the computer.”
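Two things in the article are worth seeing in code: the trojan’s selection rule (a file is a target purely because its extension is on a list the operator can swap out) and the responder’s side of it (working out which files are in scope and which have already been hit, without writing to the disk). The script below is an added example written for this page; it is not code from Kaspersky or from the GPCode sample. The extension list, the entropy threshold and the sample files are all assumptions made for the demo, since the real list sits in the malware’s encrypted configuration and is not reproduced in the article. It mirrors the extension filter, then walks a directory read-only and flags in-scope files whose leading bytes have ciphertext-like entropy, which is how an analyst can estimate the blast radius before touching anything.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions a GPCode-style trojan might target. This list is an ASSUMPTION for
# the example; the real list lives in the malware's encrypted configuration file.
TARGET_EXTENSIONS = {".doc", ".xls", ".txt", ".jpg", ".pdf", ".zip"}

# How many leading bytes to sample, and the entropy (bits per byte) above which a
# file looks like ciphertext rather than like its claimed type. Both are assumptions.
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input; 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def in_scope(path: Path, extensions=TARGET_EXTENSIONS) -> bool:
    """Mirror the trojan's rule: the extension alone decides, case-insensitively."""
    return path.suffix.lower() in extensions


def looks_encrypted(path: Path, sample_bytes=SAMPLE_BYTES,
                    threshold=ENTROPY_THRESHOLD) -> bool:
    """Read-only heuristic: a high-entropy file head suggests the file was encrypted."""
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    # Very short samples give unreliable entropy, so treat them as undecided (False).
    return len(head) >= 256 and shannon_entropy(head) >= threshold


def triage(root: Path, extensions=TARGET_EXTENSIONS) -> dict:
    """Walk root without modifying it and classify files by scope and apparent state."""
    report = {"in_scope": [], "likely_encrypted": [], "out_of_scope": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not in_scope(p, extensions):
                report["out_of_scope"].append(p)
                continue
            report["in_scope"].append(p)
            if looks_encrypted(p):
                report["likely_encrypted"].append(p)
    return report


def make_demo_tree(root: Path) -> None:
    """Constructed sample data: a plaintext note, a 'ciphertext' spreadsheet, a binary."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "notes.txt").write_bytes(b"quarterly report draft, see attached figures\n" * 100)
    (root / "budget.xls").write_bytes(os.urandom(4096))  # stands in for an encrypted file
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 1000)  # not on the target list


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return the triage result as file names."""
    demo = Path(tempfile.mkdtemp()) / "victim"
    make_demo_tree(demo)
    report = triage(demo)
    return {k: sorted(p.name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(f"{bucket}: {names}")
```

In a real response the walk would be run against a disk image or a read-only mount rather than the live system, for exactly the reason Brulez gives: every write, including the metadata updates a normal boot performs, reduces the chance of recovering deleted originals. The entropy check is a heuristic, so already-compressed formats such as .zip or .jpg will score high even when untouched; for those, checking the file’s magic bytes is the better signal.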