Security software firm Kaspersky Lab has reported a new and
dangerous blackmailing virus.
Kaspersky Lab is alerting users about a new variant of Gpcode,
a dangerous encryptor virus.
The Virus.Win32.Gpcode.ak malware encrypts users' files with
various extensions, including .doc, .txt, .pdf, .xls, .jpg, .png,
.cpp, .h and more, using an RSA encryption algorithm with a
1024-bit key.
Kaspersky Lab itself added a virus signature to block
Virus.Win32.Gpcode.ak earlier this week.
Kaspersky Lab says it has succeeded in thwarting previous
variants of Gpcode by cracking the private key held by the
attackers.
But the author of the new Gpcode variant has taken two years to
improve the virus. Previous errors have been fixed and the key has
been lengthened to 1024 bits instead of the original 660, which was
crackable.
"At the time of writing we are unable to decrypt files encrypted
by Gpcode.ak since the key is 1024 bits long, and we have not found
any errors in implementation yet. So the only way to decrypt the
encrypted files is to use the private key which only the author
has," said Kaspersky.
After Gpcode.ak encrypts files on the victim's machine, it
changes the extension of these files to ._CRYPT, and places a text
file named !_READ_ME_!.txt in the same folder.
In the text file the criminal tells the victims that the file
has been encrypted and offers to sell them a decryptor:
"Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com"
Kaspersky is still working on a way to recover data that has
been encrypted without having to use the criminal's decryptor.
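
The two on-disk artifacts described above (files renamed to ._CRYPT and a !_READ_ME_!.txt note in the same folder) are enough to scope an infection across a file share. The following triage script is an added example, not Kaspersky's tooling; the function names and the sample file names are constructed for illustration, and it assumes the names are matched case-insensitively.

```python
import os
import tempfile

# Artifact names as given in the article, lower-cased for comparison.
ENCRYPTED_SUFFIX = "._crypt"
RANSOM_NOTE = "!_read_me_!.txt"


def scan_for_gpcode_artifacts(root):
    """Walk `root` and return {directory: {"note": bool, "encrypted": [names]}}
    for every directory that holds a ransom note or a ._CRYPT file."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        encrypted = sorted(f for f in filenames if f.lower().endswith(ENCRYPTED_SUFFIX))
        note = any(f.lower() == RANSOM_NOTE for f in filenames)
        if encrypted or note:
            findings[dirpath] = {"note": note, "encrypted": encrypted}
    return findings


def summarize(findings):
    """Count affected directories and files for an incident ticket."""
    return {
        "directories": len(findings),
        "encrypted_files": sum(len(v["encrypted"]) for v in findings.values()),
        "notes": sum(1 for v in findings.values() if v["note"]),
        # A note without ._CRYPT files, or the reverse, deserves a manual look.
        "mismatched": sorted(d for d, v in findings.items() if v["note"] != bool(v["encrypted"])),
    }


def build_sample_tree(root):
    """Constructed sample data: empty files with made-up names."""
    layout = {
        "docs": ["report.doc._CRYPT", "budget.xls._CRYPT", "!_READ_ME_!.txt"],
        "photos": ["holiday.jpg"],
        "src": ["main.cpp._crypt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(scan_for_gpcode_artifacts(tmp)))
```

The scan only reads directory listings, so it can be run against a mounted copy of an affected disk without modifying the encrypted files.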