Revision as of 00:07, 8 September 2018 edit InternetArchiveBot (talk \| contribs) Bots, Pending changes reviewers 5,691,145 edits Rescuing 1 sources and tagging 2 as dead. #IABot (v2.0beta9) ← Previous edit		Revision as of 16:11, 28 September 2018 edit undo GreenC bot (talk \| contribs) Bots 3,057,219 edits Rescued 3 archive links; remove 2 links; reformat 1 link. Wayback Medic 2.1 Next edit →
Line 16: == Efforts to combat the trojan == While a few Gpcode variants have been successfully implemented,<ref>{{cite web\|url=http://www.kaspersky.com/news?id=207575651\|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus\|date=2008-06-09}}</ref> many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web\|url=http://www.viruslist.com/en/analysis?pubid=189678219\|title=Blackmailer: the story of Gpcode\|date=2006-07-26\|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file, and this allows an [[undeletion\|undeletion utility]] to recover some of the files. Once some [[known-plaintext attack\|encrypted+unencrypted pairs]] have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web\|url=http://support.kaspersky.com/faq/?qid=208279822\|title=Utilities which fight Virus.Win32.Gpcode.ak\|date=2008-06-25\|publisher=Kaspersky Lab}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187531\|title=Restoring files attacked by Gpcode.ak\|publisher=Kaspersky Labs\|date=2008-06-13\|access-date=2008-09-30\|archive-url=https://web.archive.org/web/20090713204125/http://www.viruslist.com/en/weblog?weblogid=208187531\|archive-date=2009-07-13\|dead-url=yes\|df=}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187538\|archive-url=https://archive.is/20130209010757/http://www.viruslist.com/en/weblog?weblogid=208187538\|dead-url=yes\|archive-date=2013-02-09\|title=Another way of restoring files after a Gpcode attack\|date=2008-06-26~~}}{{Dead link\|date=September 2018 \|bot=InternetArchiveBot \|fix-attempted=yes~~ }}</ref> Variant Gpcode.am uses [[symmetric-key algorithm\|symmetric encryption]], which made key recovery very easy.<ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187565\|archive-url=https://archive.is/20120918142720/http://www.viruslist.com/en/weblog?weblogid=208187565\|dead-url=yes\|archive-date=2012-09-18\|title=New Gpcode - mostly hot air\|date=2008-08-14\|publisher=Kaspersky Labs~~}}{{Dead link\|date=September 2018 \|bot=InternetArchiveBot \|fix-attempted=yes~~ }}</ref> In late November 2010, a new version called Gpcode.ax<ref>{{cite web\|url=http://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html\|title=GpCode Ransomware 2010 Simple Analysis\|publisher=Xylibox\|date=2011-01-30}}</ref> was reported. It uses stronger encryption (RSA-1024 and AES-256) and physically overwrites the encrypted file, making recovery nearly impossible.<ref>{{cite web\|url=http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back\|title=GpCode-like Ransomware Is Back\|date=2010-11-29\|publisher=Kaspersky Labs}}</ref> Line 29: [http://forum.kaspersky.com/index.php?showforum=91 Kaspersky Lab forum dedicated to GPCode] [http://www.viruslist.com/en/find?search_mode=virus&words=Gpcode&x=9&y=5 Kaspersky Lab virus descriptions] ** [https://web.archive.org/web/20081003174725/http://downloads1.kaspersky-labs.com/utils/stopgpcode/ StopGPCode trojan removal utilities]~~{{dead link\|date=March 2018 \|bot=InternetArchiveBot \|fix-attempted=yes }}~~ * Other virus description databases ** [http://www.f-secure.com/v-descs/gpcode.shtml F-Secure]

PGPCoder: Difference between revisions