3. GPCODE or PGPCoder

GPCODE or PGPCoder is one of the oldest ransomware families and was first discovered in Russia in December 2004. The initial version encrypted files and created a file named !_Vnimanie_!.txt (Vnimanie is Russian for Attention). Gpcoder is a file-encrypting ransomware, also called crypto ransomware. Gpcoder was seen between 2005 and 2008, and a few other versions were reported at the end of 2010.

It was distributed through infected websites, a method we refer to as drive-by download (explained in section 3.1, Exploit kits, in Chapter 3, Ransomware Distribution). When a user visits an infected website, the ransomware is automatically downloaded and executed.

There is no information about the authors, but according to ZDNet, the author's email identities that were collected from the warning message and provided as contacts for obtaining the decryptor were as follows:

Initial versions of Gpcoder used a symmetric key and were easily breakable; many antivirus vendors could decrypt the encrypted files. Later, the encryption algorithms got stronger and very tough to crack. Some of the encryption algorithms used were RSA1024, AES256, and so on. The ransomware would change the file extension of the original file to something else. Some extensions were LOL!, .OMG!, and .ENCODED.

It encrypts files with the following extensions (partial list):

.xls, .doc, .txt, .rtf, .zip, .rar, .dbf, .htm, .html, .jpg, .db, .db1, .db2, .asc, .pgp, and so on.

Gpcoder finds files with these extensions. To encrypt a file, it reads the contents of the file into memory, encrypts the contents, and writes them into a new file. The new file has a different extension from the original file, and the original file is deleted. The images here are related to a version of Gpcoder that changes the file extension to ENCODED:

Desktop wallpaper overwritten by a ransom note

A ransom note with the name HOW TO DECRYPT FILES.TXT is created in the same folder and on the desktop. The desktop background shows the ransomware's ATTENTION message:

In some versions of Gpcoder, only the beginning of the file is encrypted.

Left side: encrypted file; right side: original file

The unpacked version, or the memory image, of Gpcoder usually contains the file extension it uses for encrypted files (ENCODED in the screenshot) and the name of the ransom note file, HOW TO DECRYPT.TXT:

Memory string in Gpcoder
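As an added defensive example (not code from the book or from any vendor tool), the following Python script checks a folder for the combination of indicators described above: files renamed to the variant's extension, the ransom note in the same folder, and a high-entropy file head followed by a readable remainder, which is what the partially encrypting variant leaves behind. The 1 KiB head window, the 7.0 bits/byte entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".ENCODED"                 # extension used by the variant shown above
RANSOM_NOTE = "HOW TO DECRYPT FILES.TXT"   # ransom note name from the text
HEAD_BYTES = 1024                          # assumed window for the partial-encryption check
ENTROPY_THRESHOLD = 7.0                    # assumed; ciphertext is close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, roughly 4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path) -> dict:
    """Compare the entropy of the file head with the rest of the file.
    A high-entropy head followed by a readable tail means only the beginning was encrypted."""
    data = path.read_bytes()
    head, tail = shannon_entropy(data[:HEAD_BYTES]), shannon_entropy(data[HEAD_BYTES:])
    return {
        "name": path.name,
        "head_entropy": round(head, 2),
        "tail_entropy": round(tail, 2),
        "partially_encrypted": head >= ENTROPY_THRESHOLD > tail and len(data) > HEAD_BYTES,
    }


def scan_folder(folder: Path) -> dict:
    """Flag a folder that holds renamed files next to the ransom note."""
    files = [p for p in folder.iterdir() if p.is_file()]
    note_present = any(p.name.upper() == RANSOM_NOTE for p in files)
    encrypted = [inspect_file(p) for p in files if p.suffix == ENCRYPTED_EXT]
    return {"ransom_note": note_present, "encrypted_files": encrypted,
            "alert": note_present and bool(encrypted)}


def build_sample_folder() -> Path:
    """Constructed sample data, not real Gpcoder artifacts: one clean text file,
    one renamed file whose first KiB is replaced by pseudo-random bytes, and one note."""
    folder = Path(tempfile.mkdtemp())
    text = b"Quarterly figures and meeting minutes, plain text. " * 40
    pseudo_cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
    (folder / "notes.txt").write_bytes(text)
    (folder / ("budget" + ENCRYPTED_EXT)).write_bytes(pseudo_cipher + text)
    (folder / RANSOM_NOTE).write_text("ATTENTION: your files are encrypted (constructed note)\n")
    return folder
```

Running `scan_folder(build_sample_folder())` reports the note, the single renamed file with a high-entropy head and low-entropy tail, and `alert` set; on a real system the same check would be run over user document folders rather than the constructed sample.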

Some versions of Gpcoder were known to infect the MBR. The encryption method employed by Gpcoder was altered across versions. In 2006, several variants of Gpcoder were released within a short period, with encryption keys of different lengths; the key sizes varied from 220 bits and 330 bits to 660 bits. Kaspersky Lab claims to have written a decryptor for some of the versions; here is the link to it: https://securelist.com/blackmailer-the-story-of-gpcode/36089/.

Some versions of Gpcoder were so weak that people could easily escape without paying a ransom. Gpcoder used to demand approximately 0.5 to 1.5 BTC (when the Bitcoin rate was around $600). Some of its versions concealed the payment method and asked the victim to pay with Ukash prepaid cards, which was investigated by the Federal Police in Germany.
