Kaspersky Lab has released instructions on how to recover files attacked by the Gpcode.ak virus.
Gpcode is a form of ransome malware, which infects your computer, encrypts your files and then demands money in exchange for their safe return or decryption. The computer security company says that Gpcode.ak works by creating a new encrypted version of a file next to the original. Once encryption is complete, it deletes the original file and adds ._CRYPT to the extension of the newly-created files. It then places a text file named !_READ_ME_!.txt in the same folder, which contains the message,
“Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com”.
The original Gpcode.ak used a 660-bit encryption and was cracked by Kaspersky Lab a couple of years back. However, earlier in the month, it was reported that a new, improved version of the virus had surfaced, which used a 1024-bit encryption and did not have certain bugs or flaws that were present in the 660-bit version. The company estimates that it would take 1 PC with a 2.2 Ghz processor around 30 years to crack a 660-bit key.
Kasperksy says that while decrypting files encrypted by Gpcode.ak without the private key is not yet possible, the company has identified a method for recovering files. Kaspersky reports that PhotoRec, a utility which was originally developed to recover graphics files but later extended to cover a whole range of formats including PDF and Microsoft Office documents, may be able to help users recover their files as long as the computer has not been rebooted.
PhotoRec is a more than decent utility for recovering your files without paying a ransom to have them decrypted, however Kaspersky says that restoring the exact file names and paths is still a problem and so, has developed its own smaller utility called StopGpcode, which restores original names and full paths of the recovered files.
The security company suggests that by way of thanks, anyone who uses PhotoRec to recover their files should send a donation to the author of the utility for saving them the hassle of paying a ransom to a cybercriminal.
The PhotoRec utility is supplied with the latest version of the TestDisk package. Click here to download PhotoRec and StopGpcode.
