June 6th, 2008

Blackmail ransomware returns with 1024-bit encryption key

Posted by Ryan Naraine @ 8:29 am


Virus analysts at Kaspersky Lab (my employer) have intercepted a new variant of Gpcode, a malicious virus that encrypts important files on an infected desktop and demands payment for a key to recover the data.

The biggest change in this variant of the ransomware is its use of the RSA encryption algorithm with a 1024-bit key. That puts recovery of the encrypted files without the author's private key out of reach: the only known way to derive that key from the public key embedded in the malware is to factor the 1024-bit modulus, which is not practical. Here's the explanation:

We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can’t currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.

The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.

After Gpcode encrypts files on the victim machine, it adds ._CRYPT to the extension of the encrypted files and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a “decryptor”:

«Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at: ********@yahoo.com»

There are three Yahoo e-mail addresses associated with the new version of the ransomware.
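To make the mechanism in the quoted explanation concrete, here is an added example (not Kaspersky's code and not the malware's) that models the scheme in pure Python: a public key is embedded in the "malware", each file is encrypted with it, the file is renamed with the ._CRYPT suffix and a !_READ_ME_!.txt note is dropped in the same folder, exactly as described above. Everything else is an assumption for illustration: the key is a deliberately tiny 32-bit toy key rather than 1024 bits, the encryption is textbook RSA with a fixed marker byte instead of proper padding, the victim's "files" are a constructed in-memory dictionary, and the function names are mine. The payoff is the last step: with a 32-bit modulus the private key is recovered from the public key by trial division in milliseconds, which is precisely what becomes infeasible at 1024 bits and why the vendor cannot decrypt the files.

```python
"""Toy model of the encryption scheme described in the post (added example).
NOT Gpcode's code. Key size, padding and sample files are illustrative only."""
import math
import posixpath
import random

NOTE_NAME = "!_READ_ME_!.txt"                       # note file name from the post
NOTE_TEXT = b"Your files are encrypted with RSA-1024 algorithm.\n"
CRYPT_SUFFIX = "._CRYPT"                            # suffix the post says is appended


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(cand):
            return cand


def keygen(bits, seed=None):
    """Return ((n, e), (n, d)). Gpcode.ak used bits=1024; the demo uses 32."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits - bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and (p * q).bit_length() == bits and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _k(n):
    return (n.bit_length() + 7) // 8        # modulus size in bytes


def rsa_encrypt(pub, data):
    """Textbook RSA over (k-2)-byte chunks, each prefixed with a 0x01 marker so the
    chunk integer is nonzero and below n. No randomised padding: illustration only."""
    n, e = pub
    k = _k(n)
    out = bytearray()
    for i in range(0, len(data), k - 2):
        m = int.from_bytes(b"\x01" + data[i:i + k - 2], "big")
        out += pow(m, e, n).to_bytes(k, "big")
    return bytes(out)


def rsa_decrypt(priv, blob):
    """Only the holder of d can run this; that is the whole ransom model."""
    n, d = priv
    k = _k(n)
    out = bytearray()
    for i in range(0, len(blob), k):
        m = pow(int.from_bytes(blob[i:i + k], "big"), d, n)
        out += m.to_bytes(k - 1, "big").lstrip(b"\x00")[1:]   # drop pad and marker
    return bytes(out)


def infect(files, pub):
    """Encrypt every file with the embedded public key, rename it, drop the note."""
    out = {path + CRYPT_SUFFIX: rsa_encrypt(pub, data) for path, data in files.items()}
    for folder in {posixpath.dirname(p) for p in files}:
        out[posixpath.join(folder, NOTE_NAME)] = NOTE_TEXT
    return out


def triage(files):
    """IOC sweep a responder would run: encrypted files and note locations."""
    encrypted = sorted(p for p in files if p.endswith(CRYPT_SUFFIX))
    notes = sorted(p for p in files if posixpath.basename(p) == NOTE_NAME)
    return encrypted, notes


def recover_private_key_by_factoring(pub):
    """Trial division: instant for a 32-bit n, hopeless for a 1024-bit one."""
    n, e = pub
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return (n, pow(e, -1, (p - 1) * (n // p - 1)))
    raise ValueError("no factor found")


def demo():
    pub, priv = keygen(32, seed=1)                  # toy key; malware embeds only pub
    victim = {"docs/report.doc": b"Q2 numbers: revenue up 3%",   # constructed sample files
              "photos/cat.jpg": bytes(range(256))}
    infected = infect(victim, pub)
    encrypted, notes = triage(infected)
    restored = {p[:-len(CRYPT_SUFFIX)]: rsa_decrypt(priv, c)
                for p, c in infected.items() if p.endswith(CRYPT_SUFFIX)}
    assert restored == victim                       # works only with the private key
    assert recover_private_key_by_factoring(pub) == priv   # feasible only because n is tiny
    return encrypted, notes


if __name__ == "__main__":
    print(demo())
```

Change the 32 in `demo()` to 1024 and the factoring step will never return; that single line is the difference between the earlier, crackable Gpcode variants and this one.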

For more on this story, see Slashdot, Network World and Viruslist.com.  Here’s background on the earlier version of GPcode.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world.

See his full profile and disclosure of his industry affiliations. Send tips, ideas and feedback to naraine SHIFT 2 gmail.com

For daily updates on Ryan's activities, follow him on Twitter.

RE: Blackmail ransomware returns with 1024-bit encryption key
Posted by: zhim57@... on 06/21/08

I would suggest a simple solution: nowadays computers are cheap, so you can have a cheap desktop in the house as a storage solution and keep a copy of important directories there. Also a ...
