
Trojan holds victim’s files for ransom

June 6, 2008
Researchers at Kaspersky Lab have identified a new and improved variant of the blackmailing Gpcode trojan, which encrypts files on a victim's computer and then demands payment in exchange for the keys.

"He [the author] makes an encrypted copy of the files and deletes the original files," Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, told SCMagazineUS.com on Friday. "All that's left on the user's machine is an encrypted version of the files."
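The behaviour Schouwenberg describes (an encrypted copy appears, the original disappears) is also what a defender can look for. The script below is an added example, not code from the article or from Kaspersky: it compares two directory snapshots and flags newly created high-entropy files whose same-stem original vanished between snapshots. The snapshots, file names and the `.encrypted` suffix are constructed for the demonstration; real Gpcode variants are not modelled.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# --- constructed sample data (not taken from any real infection) ---
_rng = random.Random(2008)
# Pseudo-random bytes stand in for ciphertext; deterministic so the example is repeatable.
CIPHERTEXT_LIKE = bytes(_rng.randrange(256) for _ in range(4096))
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 100

# Snapshot taken before the trojan ran: file name -> file contents.
SNAPSHOT_BEFORE: Dict[str, bytes] = {
    "report.doc": PLAINTEXT,
    "notes.txt": b"Call the bank on Monday.\n" * 40,
    "readme.txt": b"Nothing to see here.\n",
}

# Snapshot taken afterwards: two originals are gone, replaced by encrypted copies
# (the ".encrypted" suffix is an assumed placeholder); one harmless new text file
# was also created, which must not be flagged.
SNAPSHOT_AFTER: Dict[str, bytes] = {
    "report.doc.encrypted": CIPHERTEXT_LIKE,
    "notes.txt.encrypted": CIPHERTEXT_LIKE[::-1],
    "readme.txt": b"Nothing to see here.\n",
    "new_memo.txt": b"Lunch at noon.\n" * 30,
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued data, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encrypt_and_delete(before: Dict[str, bytes],
                            after: Dict[str, bytes],
                            entropy_threshold: float = 7.0) -> List[dict]:
    """Flag new high-entropy files that replaced a deleted original.

    Requiring a vanished original with a matching name stem keeps ordinary
    high-entropy files (archives, images, media) from raising false alarms.
    """
    removed = set(before) - set(after)
    added = set(after) - set(before)
    findings = []
    for new_name in sorted(added):
        ent = shannon_entropy(after[new_name])
        if ent < entropy_threshold:
            continue  # plaintext-like content, not an encrypted copy
        originals = sorted(o for o in removed if new_name.startswith(o))
        if not originals:
            continue  # high entropy but no original went missing
        findings.append({"new_file": new_name,
                         "entropy": round(ent, 2),
                         "replaced": originals})
    return findings


def ransomware_suspected(findings: List[dict], min_hits: int = 2) -> bool:
    """Treat several encrypt-and-delete pairs in one interval as an alert condition."""
    return len(findings) >= min_hits


if __name__ == "__main__":
    hits = find_encrypt_and_delete(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for h in hits:
        print(f"{h['new_file']} (entropy {h['entropy']}) replaced {h['replaced']}")
    print("ALERT" if ransomware_suspected(hits) else "no alert")
```

In practice the two snapshots would come from periodic directory listings or a file-system audit log; the entropy threshold and the minimum number of hits are tuning knobs, and a single hit on its own is weak evidence because legitimate tools also rewrite files.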

Experts first spotted this malware about three years ago, when the author used 660-bit encryption to hold victim's files -- including MP3s, photos, documents -- hostage until the user paid up, Schouwenberg said.

However, the Kaspersky team was able to crack the encryption and offer the key to its users; this time, the malware author is using a 1,024-bit RSA key, he said. It is unclear how widespread the infection rate is.

"The major difference between back then and now is that the author has seemed to learn from his mistakes," he said. "It's almost impossible to crack this key. We have been unable to track down any implementation errors."

In addition, the author is employing a number of different variants of Gpcode, each responding to a different public and private key, Schouwenberg said. That rules out the possibility of using brute force as a way to crack the key.

Researchers are unsure exactly how attackers seed the victim's machine with the trojan -- social engineering is the likeliest technique -- but users are encouraged to keep their anti-virus signatures up to date.

Schouwenberg warned, though, that if the attacker uses a yet-to-be-detected variant of the malware, only making regular backups will prevent the files from being harmed.

"The reason we are making such a big fuss about this is because if you don't have any recent backups, you basically can consider your files lost," he said.

That is, unless you agree to pay for the private key -- around $100 -- although that is no guarantee the files will be safe, Schouwenberg said.