Monday, April 18, 2011

Kaspersky Lab Warns About the Return of Ransomware called GPCode

Important information for all of us who often visit various websites. This is a verified article, as I got it from the PR company that represents Kaspersky Lab in the Philippines.

Press Release:

A new variant of the malicious program GPCode, classified as ransomware, has been found and identified by content security and threat management developer Kaspersky Lab. Its mode of attack is to encrypt specific data on an infected computer and display a Notepad message threatening to delete the encrypted files unless the computer user pays the ransomware’s creator US$125 in vouchers for the international payment gateway Ukash.

The first attacks by the new GPCode variant were detected in late March this year. The malware itself was first discovered in 2004 and appeared again on the threat landscape in late 2010.

According to Kaspersky Lab senior malware researcher Nicolas Brulez, the new GPCode variant is an obfuscated or encoded executable, which makes it difficult to identify as malware at first. It infects computers through drive-by downloads that occur when an infected website is visited.

The Trojan then starts running on the system, encrypting data without the user’s knowledge. It then opens a text-file ransom message warning the user that if the ransom is not paid, the decryption key will not be sent to the victim and the files will be deleted. This is the message displayed on the PC screen:

At this point, the hard drives are being scanned for files to encrypt. The file extensions used to determine whether a file is to be encrypted or not are kept in an encrypted configuration file. This means the GPCode Ransomware Trojan is easily updated with a new configuration file.
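The two artefacts the release describes, files encrypted in place according to an extension list and a plain-text ransom note, are what an incident responder would look for on a disk image. The following read-only triage script is an added example, not code from the press release or from Kaspersky Lab; the extension set, the note marker words and the sample files are constructed for the demonstration, since the actual GPCode configuration is not given here.

```python
"""Added example: read-only triage of a directory tree for files that a
GPCode-style Trojan may have encrypted in place, plus its text ransom note.
Extension list, marker words and sample files are constructed assumptions."""
import math
import os
import tempfile
from collections import Counter

# Constructed stand-in for the extension list a real config file would carry.
WATCHED_EXTENSIONS = {".txt", ".doc", ".xls", ".jpg"}
# Constructed marker words; a note hits if at least two appear.
NOTE_MARKERS = ("ukash", "encrypted", "decrypt")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(data: bytes) -> bool:
    text = data.decode("utf-8", errors="ignore").lower()
    return sum(marker in text for marker in NOTE_MARKERS) >= 2

def triage(root: str, threshold: float = 7.5) -> dict:
    """Walk root without modifying anything; classify each file by extension,
    entropy of its first 64 KiB, and ransom-note wording."""
    result = {"suspect_encrypted": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".txt" and looks_like_ransom_note(head):
                result["ransom_notes"].append(path)
            elif ext in WATCHED_EXTENSIONS and shannon_entropy(head) >= threshold:
                result["suspect_encrypted"].append(path)
    return result

def build_sample_tree() -> str:
    """Constructed sample: a plain document, an 'encrypted' one, and a note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly report draft, nothing unusual here\n" * 50)
    with open(os.path.join(root, "report.doc"), "wb") as f:
        f.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "wb") as f:
        f.write(b"Your files are encrypted. Pay 125 USD in Ukash vouchers to decrypt.\n")
    return root
```

Run `triage` against a mounted image or a copy, never the live system, so the file system stays as the malware left it.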

Brulez also noted that cybercriminals are veering away from traditional payment modes such as direct money transfer. He said they now prefer prepaid cards or vouchers instead, which lessens the chances of them being followed or captured.

Brulez said that while a victim could possibly give in to the demands of the file hostage taker, he recommends not changing anything on the system, as doing so may prevent potential data recovery later on. He added that one of the quickest ways to stop the malware doing further damage is to turn off the PC or simply pull out the power plug.

There is almost no way to recover the encrypted files, and the best way to limit the damage next time is simply to keep backups.

“We haven't seen any evidence of a time-based file deleting mechanism despite claims by the malware writer that files are deleted after ‘N’ number of days,” says Brulez. “Nevertheless, it is better to avoid any changes that could be made to the file system which, for example, may be caused by rebooting the computer.”
