New Variant of GPcode Trojan: Should You Pay The Ransom

About GPcode

GPcode is a trojan that encrypts files with certain extensions on local and remote drives and then tells the user to contact its author to buy a decryption tool. Kaspersky Lab now reports that a new version of GPcode (also known as PGPCoder) is in the wild, this time with a correctly implemented 1024-bit RSA key.

New Variant

With a correctly implemented 1024-bit RSA key, the new GPcode variant is a real test for antivirus vendors: without the author's private key, the only generic way to recover the files is to factor the public modulus. Researchers estimate that would take around 15 million modern computers running for about a year. That is a huge challenge, isn't it?

Here are the public keys used by the authors of Gpcode.

The first is used for encryption in Windows XP and higher.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:

The second is used for encryption in versions of Windows prior to XP.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:

The RSA exponent for both keys is 0x10001 (65537).

For your information:

Kaspersky Lab virus researchers have so far been able to crack (factor) keys of up to 660 bits.

What about 1024 bits?

To date Kaspersky has not been able to crack a 1024-bit key, which means they are still working on a way to recover files encrypted by this trojan.
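As an added illustration (this is not GPcode's code and not Kaspersky's cracking tooling), the following Python shows why the 660-bit versus 1024-bit line matters. The only generic attack on an RSA public key is factoring its modulus. The script builds a toy key from two constructed primes (2^31-1 and 2^32-5) with the page's exponent 0x10001, encrypts a short message with the public half only, then recovers the private exponent by factoring the modulus with Pollard's rho. It also computes the heuristic general number field sieve (GNFS) cost ratio between a 660-bit and a 1024-bit modulus. The prime values, the message and the function names are assumptions made for this example.

```python
"""Added example for this page: cracking a toy RSA key by factoring, and why
the same step is infeasible at 1024 bits.  Not GPcode's or Kaspersky's code."""
import math
import random

# Constructed toy key: a 31-bit and a 32-bit prime give a 63-bit modulus.
# GPcode's keys are 1024-bit; these are tiny so factoring finishes in milliseconds.
TOY_P = 2147483647          # 2^31 - 1 (Mersenne prime)
TOY_Q = 4294967291          # 2^32 - 5 (largest prime below 2^32)
TOY_N = TOY_P * TOY_Q

# The page prints the public exponent as the hex string "00010001".
EXPONENT_HEX = "00010001"
E = int(EXPONENT_HEX, 16)   # 65537


def pollard_rho(n, rng=random.Random(1)):
    """Return a nontrivial factor of composite n (Pollard's rho with Floyd cycle finding).

    Each round picks a fresh polynomial constant c; a round that collapses to gcd == n
    is discarded and another c is tried.  Expected cost is about sqrt(smallest prime).
    """
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_exponent(n, e):
    """Factor n, then derive d = e^-1 mod phi(n).  This is the 'crack' step."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def encrypt(message: bytes, n, e):
    """Textbook RSA on a short message (no padding; illustration only)."""
    m = int.from_bytes(message, "big")
    assert m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(ciphertext, n, d, length):
    """Textbook RSA decryption back to a fixed-length byte string."""
    return pow(ciphertext, d, n).to_bytes(length, "big")


def gnfs_work(bits):
    """Heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] for a modulus of the given bit size."""
    ln_n = bits * math.log(2)
    return math.exp((64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3))


def relative_effort(bits_from, bits_to):
    """How many times harder factoring bits_to is than bits_from, by the GNFS heuristic."""
    return gnfs_work(bits_to) / gnfs_work(bits_from)


def crack_toy_key():
    """Encrypt with the public key only, recover d by factoring, and decrypt."""
    plaintext = b"filekey"          # constructed 7-byte message, well below the modulus
    c = encrypt(plaintext, TOY_N, E)
    d = recover_private_exponent(TOY_N, E)
    return decrypt(c, TOY_N, d, len(plaintext))


if __name__ == "__main__":
    print("recovered plaintext:", crack_toy_key())
    print("public exponent:", E)
    print("660 -> 1024 bits is about %.0fx more factoring work" % relative_effort(660, 1024))
```

Pollard's rho needs roughly sqrt(p) steps, so the 63-bit toy modulus falls at once, which is the same situation Kaspersky was in with the earlier, weaker GPcode keys. The GNFS heuristic puts a 1024-bit modulus at several tens of thousands of times the effort of a 660-bit one, and that is why, for this variant, the author's private key is the only practical route to the files.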

Ask for a Ransom

Just like previous variants, the author of the new GPcode trojan offers infected users a deal: pay a ransom and buy the decryptor. The only way to decrypt the files is with the private key, which only the author holds. A READ ME file tells infected users to contact the author by e-mail, and users who respond are asked for a sum of money.


Should you pay the ransom?

If you are a victim of this trojan, Kaspersky suggests that you:

In this case, we recommend that victims try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.
Write to Kaspersky at: with the following information included in the email:

  • Date & time of infection
  • Everything done on the computer in the 5 minutes before the machine was infected, including:
    • Programs executed
    • Websites visited

Kaspersky Lab will try to help recover any encrypted data.

They are urging infected users not to yield to the blackmailer, but to contact Kaspersky immediately.

So, you should not pay the ransom. If you do, the cycle will never stop: the authors will find more victims, do the same thing, and probably move to even stronger encryption that would be impossible to crack.

