New Variant of GPcode Trojan: Should You Pay The Ransom
About GPcode
Gpcode is a trojan that encrypts files with certain extensions on local and remote drives and then asks a user to contact its author to buy a decryption solution. And now Kaspersky Labs report that a new version of GPcode (also known as PGPCoder) is in the wild, this time with a successful implementation of RSA 1024-bit encryption.
New Variant
With implemention of RSA 1024-bit key, new variant of GPcode will give a real test for antivirus vendor. Researchers estimate it would take around 15 million modern computers, running for about a year, to crack such a key. Will be a huge challenge isn't it?
Here are the public keys used by the authors of Gpcode.
The first is used for encryption in Windows XP and higher.
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a
ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053
9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0
e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d
The second is used for encryption in versions of Windows prior to XP.
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724
7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2
c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a
b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb
The RSA exponent for both keys is 0x10001 (65537).
For your information :
Kaspersky Lab virus researchers have to date been able to crack keys up to 660 bits
What about 1024 bits?
Until today Kaspersky not yet able to crack key up to 1024 bits. Yeah, it means they are still working hard to find a better way to cure your computer system from this trojan.
Ask for a Ransom
Just like previous variants, the author of new GPcode trojan also will offer the infected users for a ransom by buying they decryptor. It because the only way to decrypt the encrypted files is to use the private key which only the author has. In READ ME file they tell the infected users to contact them using e-mail. And if the infected users respond the email, then they will asking for sum money.
Should you pay the ransom?
If you are one of the victim of this trojan, Kaspersky suggest you to :
In this case, we recommend that victims try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.
Write to Kaspersky at: with the following information included in the email:
- Date & time of infection
- Everything done on the computer in the 5 minutes before the machine was infected, including:
- Programs executed
- Websites visited
Kaspersky Lab will try to help recover any encrypted data.
They are urging the infected users not to yield to
the blackmailer, but to contact them immediately.
So, you don't have to pay the ransom. If you do that then the cycle will never stop, they will find other infected users, do the same thing and probably they will create more stronger encryption, which would be impossible to crack.
- roemasa's blog
- Add new comment
- 1079 reads
registry cleaner software
great experience, dude! thanks for this great post wow... it's very wonderful report.