Content deleted Content added
No edit summary |
|||
Line 17:
== Efforts to combat the trojan ==
While a few Gpcode variants have been successfully implemented<ref>{{cite web|url=http://www.kaspersky.com/news?id=207575651|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus|date=2008-06-09}}</ref>, many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web|url=http://www.viruslist.com/en/analysis?pubid=189678219|title=Blackmailer: the story of Gpcode|date=2006-07-26|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file, and this allows an [[undeletion|undeletion utility]] to recover some of the files. Once some [[known-plaintext attack|encrypted+unencrypted pairs]] have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web|url=http://support.kaspersky.com/faq/?qid=208279822|title=Utilities which fight Virus.Win32.Gpcode.ak|date=2008-06-25|publisher=Kaspersky Lab}}</ref><ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187531|title=Restoring files attacked by Gpcode.ak|publisher=Kaspersky Labs|date=2008-06-13}}</ref><ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187538|title=Another way of restoring files after a Gpcode attack|date=2008-06-26}}</ref> Variant Gpcode.am uses [[symmetric-key algorithm|symmetric encryption]], which made key recovery very easy.<ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187565|title=New Gpcode - mostly hot air|date=2008-08-14|publisher=Kaspersky Labs}}</ref>
In late November 2010, a new version called Gpcode.ax<ref>{{cite web|url=http://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html|title=GpCode Ransomware 2010 Simple Analysis|publisher=Xylibox|date=2011-01-30}}</ref> was reported. It uses stronger encryption (RSA-1024 and AES-256) and physically overwrites the encrypted file, making recovery nearly impossible. <ref>{{cite web|url=http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back|title=GpCode-like Ransomware Is Back|date=2010-11-29|publisher=Kaspersky Labs}}</ref>
Kaspersky Lab has been able to make contact with the author of the program, and verify that they are the real author, but have so far been unable to determine his real world identity.<ref>{{cite web|url=http://www.techworld.com/security/news/index.cfm?newsid=105043|title=Police 'find' author of notorious virus|date=2008-09-30|publisher=TechWorld}}</ref>
| |||