By John E. Dunn
30 September 2008
The infamous Gpcode 'ransomware' virus that hit computers in July was
the work of a single person who is known to the authorities, a source
close to the hunt for the attacker has told Techworld.
The individual is believed to be a Russian national, and has been in
contact with at least one anti-malware company, Kaspersky Lab, in an
attempt to sell a tool that could be used to decrypt victims' files.
Initially sceptical, the company was able to verify that the individual
was the author of the latest Gpcode attack - and probably of the earlier
attacks in 2006 and 2007 - using a variety of forensic evidence, not
least that he was able to provide a tool containing the RC4 key that
decrypted the malware's output on a single, specific PC.
The 128-bit RC4 keys used to encrypt a victim's data are unique to each
infection, so a key recovered from one PC is of no use on any other. The
part that had stymied researchers was that each RC4 key had, in turn,
been encrypted with a 1024-bit RSA public key, a modulus size that put
factoring out of practical reach; that public key was generated in tandem
with a private key held only by the virus author. Handing over the
plaintext RC4 key for a chosen PC therefore proved that the individual
had access to the private 'master' key (or had known the RC4 key at the
moment of infection), which is why he was accepted as genuine.