A new variant of the troublesome and harmful GpCode trojan has been detected by Kaspersky Lab. Tagged as Trojan-Ransom.Win32.GpCode.ax this trojan, which spreads via malicious websites and P2P networks, encrypts files on the infected computer and then asks for money in order to decrypt the files. Such trojans are of known as ransomware or cryptovirology.
The original version of this trojan called Trojan.PGPCoder or Virus.Win32.Gpcode was isolated back in 2005 and variations have been appearing almost yearly. However this new manifestation has some troubling improvements.
In the past some of the variants had a weakness where the encrypted file was written to a new location on the disk (as a new file) and the old file deleted. This meant that the old (unencrypted) version of the file could be recovered using an undelete tool. However this new variant directly overwrites data in the file, which makes it impossible to use data-recovery tools.
The program uses either RSA-1024 or AES-256 encryption and then demands $120, to be paid by direct bank transfer, to decrypt the files. As with all blackmailers there is a warning not to tell the police or other authorities: “And remember: any harmful or bad words to our side will be a reason for ignoring your message and nothing will be done”.
Since the trojan searches your hard disk and starts encrypting the files sequentially, it is suggested that if you know your computer is infected then resetting it immediately might offer a way of possibly stopping the encryption before too much data has been made unrecoverable.
On top of up-to-date anti-virus software and a firewall, the best defence against this type of malware is to have good and frequent backups of your data.