Monday, June 09, 2008

Virus.Win32.Gpcode.ak Ransomware On The Loose

Kaspersky Lab has issued a security alert following the detection of a particularly malicious piece of "ransomware." Kaspersky researchers were the first to detect and issue warnings that a new, stronger version of the Gpcode virus was on the loose.

The new malware variant employs 1,024-bit RSA encryption to encrypt nearly every type of file on a victim's hard drive, including .doc, .txt, .pdf, .xls, .png and .jpg. The "ransomware" contains a ransom note offering a decryption key to the user for a price.

Kaspersky is urging Net users to take extra precautions, make sure they are running the latest versions of anti-malware solutions and back up their data regularly, making sure to disconnect storage devices as soon as the back-up process is completed to avoid infection. If infected, do not power down or restart your PC, the company advises.

Kaspersky also urges victims not to succumb to the ransom threat and instead report details of infection to their security providers, Kaspersky and law enforcement authorities.

Detection to Prevention

So far Kaspersky researchers have not been able to crack the virus's encryption, making it nearly impossible to remove. Therefore the only known solution is to completely erase an infected drive. Users can and should take steps to avoid infection: don't download any suspicious files, update all your anti-virus/anti-malware programs, etc.

Fortunately, the virus can be detected, providing users with at least a little protection.

"We can detect it, and we have shared this internationally so that [system administrators and e-mail service providers] can also protect their users, but the most reliable method is creating back-ups of external media, which of course should be disconnected after the back-up procedure. If you leave the external hard drive running, Gpcode will infect the external hard drive and equipment. It's just good back-up practice in any case," Schouwenberg advised.

What to Do If Infected
Kaspersky explains, "After Gpcode.ak encrypts files on the victim machine, it adds '._CRYPT' to the extension of the encrypted files and places a text file named '!_READ_ME_!.txt' in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a 'decryptor.'"
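As an added example, not code from the original post or from Kaspersky, here is a small Python scanner that walks a directory tree for the two indicators the quote names (the appended '._CRYPT' suffix and the '!_READ_ME_!.txt' note) and tallies the original extensions of the affected files. The directory tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Indicators from the Kaspersky description: encrypted files gain a
# "._CRYPT" suffix and the ransom note is dropped in the same folder.
CRYPT_SUFFIX = "._CRYPT"
NOTE_NAME = "!_READ_ME_!.txt"


def scan_for_gpcode(root):
    """Walk `root` and collect Gpcode.ak-style indicators.

    Returns {"encrypted": [paths], "notes": [paths], "by_ext": Counter},
    where by_ext counts the original extensions of the encrypted files
    (e.g. ".doc" for "report.doc._CRYPT"), which tells a responder
    what kinds of data were hit.
    """
    result = {"encrypted": [], "notes": [], "by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                result["notes"].append(path)
            elif name.endswith(CRYPT_SUFFIX):
                result["encrypted"].append(path)
                original = name[: -len(CRYPT_SUFFIX)]  # strip the suffix
                ext = os.path.splitext(original)[1].lower() or "(none)"
                result["by_ext"][ext] += 1
    return result


def build_sample_tree():
    """Create a temporary tree imitating an infected folder (constructed data)."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.doc._CRYPT", "notes.txt._CRYPT", "photo.JPG._CRYPT", NOTE_NAME):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("placeholder\n")
    clean = os.path.join(root, "Clean")  # untouched folder, must not be flagged
    os.makedirs(clean)
    with open(os.path.join(clean, "readme.txt"), "w") as fh:
        fh.write("fine\n")
    return root


if __name__ == "__main__":
    r = scan_for_gpcode(build_sample_tree())
    print(f"{len(r['encrypted'])} encrypted file(s), {len(r['notes'])} ransom note(s)")
    print(dict(r["by_ext"]))
```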

Kaspersky is offering to help victims trying to recover their data. If infected, Kaspersky urges victims to e-mail the labs at and include the following information in the e-mail:

  • Date and time of infection,
  • Everything done on the computer in the five minutes before the machine was infected, including programs executed and Web sites visited.
