PGPCoder: Difference between revisions

'''PGPCoder''', also known asor '''GPCode''', is a [[trojan horse (computing)|trojan]] that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, dubbed [[ransomware (malware)|ransomware]] or [[cryptovirology]].

While a few Gpcode variants have been successfully implemented<ref>{{cite web|url=http://www.kaspersky.com/news?id=207575651|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus|date=2008-06-09}}</ref>, many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web|url=http://www.viruslist.com/en/analysis?pubid=189678219|title=Blackmailer: the story of Gpcode|date=2006-07-26|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file, and this allows an [[undeletion|undeletion utility]] to recover some of the files. Once some [[known-plaintext attack|encrypted+unencrypted pairs]] have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web|url=http://support.kaspersky.com/faq/?qid=208279822|title=Utilities which fight Virus.Win32.Gpcode.ak|date=2008-06-25|publisher=Kaspersky Lab}}</ref><ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187531|title=Restoring files attacked by Gpcode.ak|publisher=Kaspersky Labs|date=2008-06-13}}</ref><ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187538|title=Another way of restoring files after a Gpcode attack|date=2008-06-26}}</ref> Variant Gpcode.am uses [[symmetric-key algorithm|symmetric encryption]], which made decryptionkey recovery very easy.<ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187565|title=New Gpcode - mostly hot air|date=2008-08-14|publisher=Kaspersky Labs}}</ref>