Life Of Navin

Random Musings, Random Bullshit.


Viruses Move Towards Blackmail!!

Virus writers are at it again!! In the latest turn of events they have started encrypting your files and holding them for ransom!!

Kaspersky Lab has found a new variant of the dangerous encryptor virus Gpcode: Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions, including .doc, .txt, .pdf, .xls, .jpg, .png, .cpp and .h, using the RSA algorithm with a 1024-bit key!! That simply means most media, documents and code files (ask any coder how important those are) end up locked behind a key that nobody with ordinary computing resources can recover. This type of virus has given a new subgroup of malware its name: ransomware!!

An infected computer shows a pop-up titled "ATTENTION!" demanding the ransom. It reads:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********

I guess the bad English shows that the virus has, perhaps, Russian origins. The fact that this variant was first discovered by Kaspersky, a Russian company, further supports my theory. Anyway, if affected, you have to pay up $$$ to get the 'decryptor' which will decrypt your files, giving you access to them again. Why don't we just buy one key and use it to decrypt "all" encrypted files?? Simply because the decryption key is system-specific: each infected machine needs its own key material, and only the holder of the private key can produce it. So even if you have two infected computers, you'll have to pay the "ransom" twice. To stress the power of a 1024-bit key, get a hang of this..... Kaspersky Lab themselves have been unable to crack 1024-bit keys to date. As of today, the largest key they have cracked is 660 bits.

Even that was not a brute-force break: it came out of a detailed analysis of how the RSA algorithm had been implemented. With a correct implementation, it has been estimated that a normal PC with a 2.2 GHz processor would need around 30 years to crack a 660-bit key, and every extra bit in the key makes the job harder still.
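To make the key arithmetic behind the last two paragraphs concrete, here is a toy model of the scheme the post describes: the author's RSA public key travels with the malware, every infected machine draws its own file key, that key is wrapped with the public key, and only the author's private key can unwrap it, so one victim's decryptor is useless to the next and the only other route is factoring the modulus. This is an added example written for this page, not code from the post, from Kaspersky, or from the malware itself; every function name is hypothetical, the RSA key is a textbook 40-bit toy rather than 1024 bits so the factoring step actually finishes, the sample "files" are constructed byte strings, and the SHA-256 XOR keystream is a stand-in for whatever file cipher the real sample used, which the post does not describe. It needs Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Toy model of RSA-wrapped per-victim keys (added example, hypothetical names).
Textbook RSA at 40 bits; the real Gpcode.ak used 1024-bit RSA."""
import hashlib
import random
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, sufficient for toy key generation."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has about 2*bits bits."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 40):
    """Textbook RSA key pair: returns ((n, e), d). Toy size, see module docstring."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this makes gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)


def key_bytes(k: int, n: int) -> bytes:
    """Encode the integer file key in as many bytes as the modulus needs."""
    return k.to_bytes((n.bit_length() + 7) // 8, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in file cipher: XOR with SHA-256(key || block counter). Same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def infect(pub, plaintext: bytes):
    """Victim side: fresh per-machine key, file encrypted with it, and only the
    RSA-wrapped copy of the key left behind. The private exponent never appears here."""
    n, e = pub
    k = secrets.randbelow(n - 2) + 2         # 2 <= k < n, so RSA wraps it directly
    wrapped = pow(k, e, n)
    return keystream_xor(key_bytes(k, n), plaintext), wrapped


def unwrap(d: int, n: int, wrapped: int) -> int:
    """Author side: the private exponent d recovers one machine's file key."""
    return pow(wrapped, d, n)


def factor_by_trial_division(n: int):
    """Brute-force the private key from the public modulus. Returns (p, q, divisions).
    Work is about sqrt(n): a few hundred thousand divisions at 40 bits, ~2^511 at 1024."""
    tries, f = 0, 3
    while f * f <= n:
        tries += 1
        if n % f == 0:
            return f, n // f, tries
        f += 2
    raise ValueError("no odd factor found")


def demo(bits: int = 40) -> dict:
    """Run the whole story once and report what each party can and cannot do."""
    pub, d = rsa_keygen(bits)
    n, e = pub
    file_a = b"victim A: thesis.doc, the only copy"       # constructed sample data
    file_b = b"victim B: main.cpp and every header"        # constructed sample data
    enc_a, wrapped_a = infect(pub, file_a)
    enc_b, wrapped_b = infect(pub, file_b)
    k_a = unwrap(d, n, wrapped_a)                # what a paid-for decryptor amounts to
    p, q, tries = factor_by_trial_division(n)    # the only route that skips paying
    d_cracked = pow(e, -1, (p - 1) * (q - 1))
    return {
        "a_recovered": keystream_xor(key_bytes(k_a, n), enc_a) == file_a,
        "a_key_opens_b": keystream_xor(key_bytes(k_a, n), enc_b) == file_b,
        "cracked_d_matches": d_cracked == d,
        "divisions_needed": tries,
    }


if __name__ == "__main__":
    print(demo())
```

Three things fall out of running it: `d` is used only in `unwrap` and is never present on the victim side, so nothing on the infected machine can undo `infect`; victim A's recovered key does nothing for victim B's files, which is the "pay twice" point; and `factor_by_trial_division` needs a few hundred thousand divisions for this 40-bit toy modulus, a number that roughly doubles for every two bits added to the key, which is why nobody brute-forces the real 1024-bit one.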

So pretty much, at the time of writing, the only way to decrypt the encrypted files is to use the private key, which only the author has. Kaspersky has set up a special forum for victims, but at the time of writing the posts are all non-English!!

So watch out, not that I need to tell you guys, and make sure your non-savvy friends understand the dangers of surfing carelessly and downloading nonsense without checking the source properly. Since there is no decrypting these files without the author's private key, a copy of anything that matters, kept somewhere the virus can't reach, is the only sure way to get it back.

"After Gpcode.ak encrypts files on the victim machine it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor." -- Kaspersky Lab


