Kaspersky Lab reports a new and dangerous blackmailing virus

05 Jun 2008
Virus News

Kaspersky Lab, a leading developer of secure content management systems, has informed the public that a new variant of Gpcode, a dangerous encryptor virus has appeared, - Virus.Win32.Gpcode.ak.

Gpcode.ak encrypts files with various extensions including, but not limited, to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key. Kaspersky Lab added a signature for Virus.Win32.Gpcode.ak on June 4, 2008.

Kaspersky Lab succeeded in thwarting previous variants of Gpcode, (see Blackmailer: the story of Gpcode on viruslist.com) when Kaspersky virus analysts were able to crack the private key after in-depth cryptographic analysis.

Kaspersky Lab virus researchers have to date been able to crack keys up to 660 bits. This was the result of a detailed analysis of the RSA algorithm implementation. It has been estimated that if the encryption algorithm is implemented correctly, it would take 1 PC with a 2.2 Ghz processor around 30 years to crack a 660-bit key. The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660.

At the time of writing we are unable to decrypt files encrypted by Gpcode.ak since the key is 1024 bits long and we have not found any errors in implementation yet. Thus, at the time of writing, the only way to decrypt the encrypted files is to use the private key which only the author has.

After Gpcode.ak encrypts files on the victim machine it adds ._CRYPT to the extension of the newly-created encrypted files and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com

In this case, we recommend that victims try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine. Write to Kaspersky at: stopgpcode@kaspersky.com with the following information included in the email:

  • Date & time of infection
  • Everything done on the computer in the 5 minutes before the machine was infected, including:
    • Programs executed
    • Websites visited

Kaspersky Lab will try to help recover any encrypted data.

Kaspersky Lab analysts are continuing to analyze the virus code in search of a way to decrypt the files without having the private key. In the meantime, we recommend that everyone sets their anti-malware solutions to maximum security and takes extra care while browsing the Internet and reading email. If the above messages appear on your machine please contact us immediately as per instructions above.

We urge infected users not to yield to the blackmailer, but to contact us and your local cyber crime law enforcement units. Yielding to blackmailers only continues the cycle.