Trojan holds victims' files for ransom
"He [the author] makes an encrypted copy of the files and deletes the original files," Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, told SCMagazineUS.com on Friday. "All that's left on the user's machine is an encrypted version of the files."
Experts first spotted this malware about three years ago, when the author used 660-bit encryption to hold victims' files -- including MP3s, photos, documents -- hostage until the user paid up, Schouwenberg said.
However, the Kaspersky team was able to crack the encryption and offer the key to its users; this time, the malware author is using a 1,024-bit RSA key, he said. It is unclear how widespread the infection rate is.
"The major difference between back then and now is that the author has seemed to learn from his mistakes," he said. "It's almost impossible to crack this key. We have been unable to track down any implementation errors."
In addition, the author is employing a number of different variants of Gpcode, each responding to a different public and private key, Schouwenberg said. That rules out the possibility of using brute force as a way to crack the key.
Researchers are unsure exactly how attackers seed the victim's machine with the trojan -- social engineering is the likeliest technique -- but users are encouraged to keep their anti-virus signatures up to date.
Schouwenberg warned, though, that if the attacker uses a yet-to-be-detected variant of the malware, only making regular backups will prevent the files from being harmed.
"The reason we are making such a big fuss about this is because if you don't have any recent backups, you basically can consider your files lost," he said.
That is, unless you agree to pay for the private key -- around $100 -- although that is no guarantee the files will be safe, Schouwenberg said.