Researchers have found a new version of the virulent GPCode ransomware that infects users’ machines and then encrypts their hard drives. The new version uses AES encryption and demands payment in the form of Ukash cards in exchange for the key to decrypt the files.
The new iteration of GPCode popped up late last week and researchers soon discovered that the attackers behind it had made some key modifications.
“Upon execution, the GPCode Ransomware will generate an AES 256 bit key (using the Windows Crypto API), and use the criminal’s public RSA 1024 key to encrypt it. The encrypted result will then be dropped on the Desktop of the infected computer, inside of the ransom text file,” Kaspersky Lab malware researcher Nicolas Brulez said in his analysis on the new variant of GPCode.
The new version asks for a payment of $125 for the key to decrypt the files, a slight increase over the $120 that previous variants demanded. The GPCode infection occurs via a drive-by download on an infected Web site, and once the malware executes, it begins scanning the machine for files that it can encrypt. Once the encryption routine runs, the user is left either paying the attackers the ransom or trying, almost certainly unsuccessfully, to recover the files on his own.
In addition to the price hike and change in encryption routine, the new GPCode variant includes a custom file protection mechanism that Brulez says is designed to make reverse engineering and analysis by researchers more difficult. And, as Brulez points out, there is no way to recover the files once they’ve been encrypted. Backups are your only hope at that point.