Revision as of 16:11, 28 September 2018 edit GreenC bot (talk \| contribs) Bots 3,056,216 edits Rescued 3 archive links; remove 2 links; reformat 1 link. Wayback Medic 2.1 ← Previous edit		Revision as of 10:19, 27 September 2019 edit undo Monkbot (talk \| contribs) Bots 3,695,952 edits m →Efforts to combat the trojan: Task 16: replaced (3×) / removed (0×) deprecated \|dead-url= and \|deadurl= with \|url-status=; Tag: AWB Next edit →
Line 16: == Efforts to combat the trojan == While a few Gpcode variants have been successfully implemented,<ref>{{cite web\|url=http://www.kaspersky.com/news?id=207575651\|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus\|date=2008-06-09}}</ref> many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web\|url=http://www.viruslist.com/en/analysis?pubid=189678219\|title=Blackmailer: the story of Gpcode\|date=2006-07-26\|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file, and this allows an [[undeletion\|undeletion utility]] to recover some of the files. Once some [[known-plaintext attack\|encrypted+unencrypted pairs]] have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web\|url=http://support.kaspersky.com/faq/?qid=208279822\|title=Utilities which fight Virus.Win32.Gpcode.ak\|date=2008-06-25\|publisher=Kaspersky Lab}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187531\|title=Restoring files attacked by Gpcode.ak\|publisher=Kaspersky Labs\|date=2008-06-13\|access-date=2008-09-30\|archive-url=https://web.archive.org/web/20090713204125/http://www.viruslist.com/en/weblog?weblogid=208187531\|archive-date=2009-07-13\|~~dead~~url-~~url=yes\|df~~status=dead}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187538\|archive-url=https://archive.is/20130209010757/http://www.viruslist.com/en/weblog?weblogid=208187538\|~~dead-~~url-status=~~yes~~dead\|archive-date=2013-02-09\|title=Another way of restoring files after a Gpcode attack\|date=2008-06-26}}</ref> Variant Gpcode.am uses [[symmetric-key algorithm\|symmetric encryption]], which made key recovery very easy.<ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187565\|archive-url=https://archive.is/20120918142720/http://www.viruslist.com/en/weblog?weblogid=208187565\|~~dead-~~url-status=~~yes~~dead\|archive-date=2012-09-18\|title=New Gpcode - mostly hot air\|date=2008-08-14\|publisher=Kaspersky Labs}}</ref> In late November 2010, a new version called Gpcode.ax<ref>{{cite web\|url=http://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html\|title=GpCode Ransomware 2010 Simple Analysis\|publisher=Xylibox\|date=2011-01-30}}</ref> was reported. It uses stronger encryption (RSA-1024 and AES-256) and physically overwrites the encrypted file, making recovery nearly impossible.<ref>{{cite web\|url=http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back\|title=GpCode-like Ransomware Is Back\|date=2010-11-29\|publisher=Kaspersky Labs}}</ref>

PGPCoder: Difference between revisions