By Gregg Keizer
July 16, 2007
"Ransomware" last seen in 2006 has reappeared and is trying to extort
$300 from users whose files the malware has encrypted, a Russian
security researcher said today.
GpCode, a Trojan horse which last made a run at users last summer, has
popped up again, said Aleks Gostev, senior virus analyst with
Moscow-based Kaspersky Lab Inc., in a posting to the research center's
Noting the long quiet time, Gostev added: "So you can imagine our
feelings this weekend, when some of our non-Russian users told us their
documents, photos, archive files etc. had turned into a bunch of junk
data, and a file called 'read_me.txt' had appeared on their systems."
The text file contained the "ransom" note.
"Hello, your files are encrypted with RSA-4096 algorithm. You will need
at least few years to decrypt these files without our software. All your
private information for last 3 months were collected and sent to us. To
decrypt your files you need to buy our software. The price is $300."
So-called ransomware typically follows the GpCode pattern: malware
sneaks onto a PC, encrypts files, and then displays a message demanding
money to unlock the data.
Gostev hinted that the blackmailer was likely Russian. "The e-mail
address is one that we've seen before in LdPinch and Banker [Trojan
horse] variants, programs which were clearly of Russian origin," he
The blackmailer's claim that the files were enciphered with RSA-4096 --
the RSA algorithm locked with a 4,096-bit key -- is bogus, said Gostev.
Another oddity, he added, was that the Trojan has a limited shelf life:
from July 10 to July 15.
"Why? We can only guess," said Gostev.
Kaspersky is working on a decryption scheme to recover the files; that
process has been the usual salvation -- and solution -- for users
attacked by ransomware. "[But] we'd just like to remind you, if you've
fallen victim to any type of ransomware, you should never pay up under
"Contact your anti-virus provider, and make sure you back up your data
on a regular basis."
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com