New Variant of GPcode Trojan: Should You Pay The Ransom
Gpcode is a trojan that encrypts files with certain extensions on local and remote drives and then asks a user to contact its author to buy a decryption solution. And now Kaspersky Labs report that a new version of GPcode (also known as PGPCoder) is in the wild, this time with a successful implementation of RSA 1024-bit encryption.
With implemention of RSA 1024-bit key, new variant of GPcode will give a real test for antivirus vendor. Researchers estimate it would take around 15 million modern computers, running for about a year, to crack such a key. Will be a huge challenge isn't it?
Here are the public keys used by the authors of Gpcode.
The first is used for encryption in Windows XP and higher.
RSA exponent: 00010001
The second is used for encryption in versions of Windows prior to XP.
RSA exponent: 00010001
The RSA exponent for both keys is 0x10001 (65537).
For your information :
Kaspersky Lab virus researchers have to date been able to crack keys up to 660 bits
What about 1024 bits?
Until today Kaspersky not yet able to crack key up to 1024 bits. Yeah, it means they are still working hard to find a better way to cure your computer system from this trojan.
Ask for a Ransom
Just like previous variants, the author of new GPcode trojan also will offer the infected users for a ransom by buying they decryptor. It because the only way to decrypt the encrypted files is to use the private key which only the author has. In READ ME file they tell the infected users to contact them using e-mail. And if the infected users respond the email, then they will asking for sum money.
Should you pay the ransom?
If you are one of the victim of this trojan, Kaspersky suggest you to :
In this case, we recommend that victims try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.
Write to Kaspersky at: with the following information included in the email:
- Date & time of infection
- Everything done on the computer in the 5 minutes before the machine was infected, including:
- Programs executed
- Websites visited
Kaspersky Lab will try to help recover any encrypted data.
They are urging the infected users not to yield to
the blackmailer, but to contact them immediately.
So, you don't have to pay the ransom. If you do that then the cycle will never stop, they will find other infected users, do the same thing and probably they will create more stronger encryption, which would be impossible to crack.
- roemasa's blog
- Add new comment
- 807 reads