The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Friday, June 06, 2008

A rising new threat: ransom-ware

Reported the other day by Kapersky Lab: A new variant of Gpcode, known as Virus.Win32.Gpcode.ak has been classified.

This virus selects some files on the victim's computer, encrypts them, and then offers to sell the decryption program for a price.

The Gpcode virus is not new, but previous versions had used a weak enough encryption that it could be broken. The new version uses a 1024-bit key and fixes previous flaws in the encryption althorithm.

For obvious reasons, victims are strongly encouraged not to pay the ransom or otherwise deal with extortionists.

The best defenses are good preventative measures. Back up your files regularly. Run anti-virus software. Don't run Windows operating systems (that part was my idea).

If infected, Kapersky makes the following recommendations: DO NOT RESTART or POWER DOWN the potentially infected machine (presumably to give experts a chance to analyze the infection.) Contact Kapersky at with the following information included in the email:

  • Date & Time of infection
  • Everything done on the computer in the 5 minutes before the machine was infected, including:
    • Programs executed
    • Websites visited
Kapersky says they'll try to help recover your encrypted data.

Personally, I'm not sure what they can do to help without the extortionist's private key. Your best bet is to hope the person gets caught, in which case they'll presumably be forced to cough up the key. Helping Kapersky analyze the virus is your best course of action.

Ransom-ware is not a new concept, of course. The Kapersky Lab article mentions that the Gpcode virus is two years old at present. There have been other forms of ransom-ware as well; two years ago I wrote that the FTC was coming down on Sanford Wallace for infecting users' computers with spyware, and then offering to sell them the tool to remove it.


Post a Comment

<< Home