CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

We call it RANSOMWARE: look out!

The problem is not a new one; however, the research community has found a new variant of the feared GPCODE
malware. To be precise, we call it "ransomware" (http://en.wikipedia.org/wiki/Ransomware_%28malware%29).

The new GPCODE variant uses 1024-bit encryption to lock down all data on an infected hard drive, and to date,
it is surely the worst one.

This is what I obtained when I ran the malware in my laboratory:

 

 

This popup displays a message that says your files are encrypted with a 1024-bit key, and what I observed is
that every document file (.txt, .doc, .pdf) is encrypted as shown in the image below.  My PDF document for the
Linksys AG241 router setting is not readable anymore.

 

 

The extension added to your document files is ._CRYPT.

According to the message, you need to buy a decryptor tool to decrypt all your documents, and the Yahoo
email address through which you buy the tool is random, so you cannot take action against the owner of the
email address.

 

Recommendations:

  • Since CA Anti-Spyware detects the GPCODE ransomware variant (http://www.ca.com/securityadvisor/pest/pest.aspx?id=453098767), the safest approach is to keep
    your anti-spyware software up-to-date in order to block the malware from running and infecting your machine
  • If you realize you have launched something similar to what has been described above, do NOT reboot
    your machine because our lab tests show that the ransomware does not affect the machine until it is rebooted
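
To gauge how many documents on a machine or file share carry the ._CRYPT extension described above, a responder can inventory them without opening any file. The following Python script is an added example, not code from CA or from the original post; it assumes the marker is appended to the full original file name (for example report.pdf._CRYPT, a constructed name) and it reads file metadata only.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

MARKER = "._CRYPT"  # extension the post reports on encrypted documents


def find_encrypted(root):
    """Walk root; return (path, original_name, mtime) for each marked file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Compare case-insensitively, as Windows file names are.
            if not name.upper().endswith(MARKER):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            # Assumption: stripping the marker yields the original name.
            hits.append((path, name[:-len(MARKER)], mtime))
    return hits


def summarize(hits):
    """Count hits per original extension and bound their modification times."""
    by_ext = Counter(
        os.path.splitext(orig)[1].lower() or "(none)" for _p, orig, _m in hits
    )
    times = [m for _p, _o, m in hits]
    window = (min(times), max(times)) if times else None
    return by_ext, window


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = find_encrypted(root)
    counts, window = summarize(found)
    print(f"{len(found)} file(s) ending in {MARKER} under {root}")
    for ext, n in counts.most_common():
        print(f"  {ext}: {n}")
    if window:
        first, last = (datetime.fromtimestamp(t, timezone.utc) for t in window)
        print(f"  last-modified window (UTC): {first} to {last}")
```

The last-modified window gives a first bound on when the marked files were written, which helps when choosing a backup to restore from.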

Comments

翻译公司 said:

I'm searching on it. Very useful, thanks!

June 13, 2008 10:15 PM

John Smith said:

Wow! what an article...please keep posting such articles. very useful for me.

June 17, 2008 3:18 AM


About Rossano Ferraris

Rossano Ferraris is located in Italy where he lives and works for the CA Anti-Spyware Research Team as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition.

 

At CA he has taken the worldwide responsibility for supporting the CA Anti-Spyware product family as a senior specialist engineer, where he has trained the CA Threat Support Team on spyware issues. His main interests include spyware research, phishing, exploits and potentially unwanted software falling within CA Anti-Spyware’s scope of detection.

 

Rossano is an active member of various well-known security forums and a member of the ISSA association. He is the author of many articles on security matters for Italian newspapers and magazines, and he is also the author of a book on the spyware phenomenon published in Italy. He holds a degree in Computer Science and is GREM certified.