Kaspersky Lab Releases File Recovery Instructions For Gpcode.ak Attacks

By Jane McEntegart
published

Kaspersky Lab has released instructions on how to recover files attacked by the Gpcode.ak virus.

Gpcode is a form of ransome malware, which infects your computer, encrypts your files and then demands money in exchange for their safe return or decryption. The computer security company says that Gpcode.ak works by creating a new encrypted version of a file next to the original. Once encryption is complete, it deletes the original file and adds ._CRYPT to the extension of the newly-created files. It then places a text file named !_READ_ME_!.txt in the same folder, which contains the message,

“Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com”.

The original Gpcode.ak used a 660-bit encryption and was cracked by Kaspersky Lab a couple of years back. However, earlier in the month, it was reported that a new, improved version of the virus had surfaced, which used a 1024-bit encryption and did not have certain bugs or flaws that were present in the 660-bit version. The company estimates that it would take 1 PC with a 2.2 Ghz processor around 30 years to crack a 660-bit key.

Kasperksy says that while decrypting files encrypted by Gpcode.ak without the private key is not yet possible, the company has identified a method for recovering files. Kaspersky reports that PhotoRec, a utility which was originally developed to recover graphics files but later extended to cover a whole range of formats including PDF and Microsoft Office documents, may be able to help users recover their files as long as the computer has not been rebooted.

PhotoRec is a more than decent utility for recovering your files without paying a ransom to have them decrypted, however Kaspersky says that restoring the exact file names and paths is still a problem and so, has developed its own smaller utility called StopGpcode, which restores original names and full paths of the recovered files.

The security company suggests that by way of thanks, anyone who uses PhotoRec to recover their files should send a donation to the author of the utility for saving them the hassle of paying a ransom to a cybercriminal.

The PhotoRec utility is supplied with the latest version of the TestDisk package. Click here (opens in new tab) to download PhotoRec and StopGpcode.

Jane McEntegart
6 Comments Comment from the forums
  • Christopher1
    Does this attack work on Windows Vista? Or does the included security stop attacks like this in their tracks before they even get started?
    Reply
  • a 6pack in
    Christopher1Does this attack work on Windows Vista http://en.wikipedia.org/wiki/Windows_Vista ? Or does the included security stop attacks like this in their tracks before they even get started?I LOL'ed at that statement too.

    the thought of GPUs being no more.. is totally obsured. considering CUDA. I think that CPUs could be taking a bigger hit, dont ya think?
    Reply
  • seatrotter
    Christopher1Does this attack work on Windows Vista http://en.wikipedia.org/wiki/Windows_Vista ? Or does the included security stop attacks like this in their tracks before they even get started?The malware targets user files (.doc, .txt, .xls, etc). If you're thinking of something like the UAC, it won't stop it. UAC works on system files/configuration and doesn't protect user files. How about other users' files? Vista won't prompt the user, but will deny the malware (unless it's implemented to bypass user restrictions).

    Kaspersky probably already has signature for the caught/detected malware (probably, detected initually as suspicious software). But if the author uses a new kind of packing/encrypting for the malware, throw in some anti-debug and anti-kaspersky mechanism, then the new variation slip right thru.
    Reply
  • seatrotter
    Christopher1Does this attack work on Windows Vista http://en.wikipedia.org/wiki/Windows_Vista ? Or does the included security stop attacks like this in their tracks before they even get started?The malware targets user files (.doc, .txt, .xls, etc). If you're thinking of something like the UAC, it won't stop it. UAC works on system files/configuration and doesn't protect user files. How about other users' files? Vista won't prompt the user, but will deny the malware (unless it's implemented to bypass user restrictions).

    Kaspersky probably already has signature for the caught/detected malware (probably, detected initually as suspicious software). But if the author uses a new kind of packing/encrypting for the malware, throw in some anti-debug and anti-kaspersky mechanism, then the new variation slip right thru.
    Reply
  • seatrotter
    Sorry for the double post. After refreshing several times and not seeing the first post, I thought it didn't go thru. I guess that's TomsH comment system for you :)
    Reply
  • format my computre and saving all good filles
    Reply