
Tougher ransomware spreading online -Kaspersky


The warning is now out against a new, tougher variant of the GPCode "ransomware", a malicious program that encrypts files and demands a ransom in exchange for getting the files back. Online security firm Kaspersky Labs said the new variant, detected in late March, demands $125 (P5,403) from the victim via prepaid cash transfer, in exchange for a key that will decrypt the encrypted files.

"Upon execution, the GPCode Ransomware will generate an AES 256 bit key (Using the Windows Crypto API), and use the criminal's public RSA 1024 key to encrypt it. The encrypted result will then be dropped on the Desktop of the infected computer," Kaspersky Lab expert Nicolas Brulez said in a blog post.

He recommended immediately shutting down the computer, pulling out the power cable if necessary, the moment the ransomware's warning appears onscreen. Updated antivirus software can now detect the ransomware as Trojan-Ransom.Win32.Gpcode.bn, even if infection is via drive-by download, or when one visits a malicious website, he said.

Brulez said that the first sign of infection is when the victim's desktop background is changed to display a message warning that his or her personal files have been encrypted. "All your personal files were encrypted with a strong algorythm (sic) RSA-1024 and you can't get an access to them without making of what we need! Read the TXT file on desktop! Just do it as fast as you can!" the message reads.

Brulez said that while the victim reads the message, the hard drives are being scanned for files to encrypt. He also noted that the ransomware uses an updateable configuration file.

What to do in case of infection

In case of an infection, Brulez recommended not changing any system settings, as this might hinder data recovery if a solution is found. "It is safe to shutdown the computer or restart it despite claims by the malware writer that files are deleted after N days — we haven't seen any evidence of time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by computer restart," he said.

He also said that people should be aware of the problem and should recognize GPCode from the first second that the warning appears on the screen. "Pushing the Reset/Power button on your desktop may save a significant amount of your valuable data! Don't hesitate to turn off your PC or pull out the power cable if this is fastest!" he said.

He added that the encrypted files cannot be recovered because of the strong cryptography employed. The only way to recover one's files is to use backups, he said.

First attacks in the wild

A news release by Kaspersky Labs said that the first attacks by the new GPCode variant were detected in late March, although the malware itself was first discovered in 2004 and reappeared in 2010. Brulez said the new GPCode variant is an obfuscated or encoded executable, which makes it difficult to initially identify as malware. — TJD, GMA News
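The hybrid key scheme Brulez describes (a random AES-256 key protects the data, and only that key is encrypted with the criminal's RSA public key) is why the encrypted result left on the Desktop does a responder no good and why backups are the only recovery path. The following Go program is an added illustration written for this article, not code from Kaspersky or from the malware: it models the scheme on a constructed in-memory byte string, then shows that recovery succeeds only with the matching RSA private key, which never exists on the victim's machine. The AES-GCM mode, the 2048-bit key size (the article says the malware used RSA-1024) and the function names are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything a responder could collect from an infected machine:
// one encrypted document and the RSA-wrapped AES key dropped on the Desktop.
// The RSA private key that unwraps the AES key is held only by the criminal.
type Envelope struct {
	WrappedKey []byte // AES-256 key encrypted with the RSA public key
	Nonce      []byte // AES-GCM nonce (this example's mode choice)
	Ciphertext []byte // the encrypted document
}

// encryptEnvelope models the scheme from the article: a fresh random
// AES-256 key encrypts the data and only that key is RSA-encrypted.
func encryptEnvelope(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the symmetric key with the public key; the plaintext key is then discarded.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// recoverEnvelope is the responder's attempt: unwrap the AES key with a
// private key, then decrypt the document. It fails unless the private key
// matches the public key used for wrapping.
func recoverEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("AES key cannot be unwrapped with this private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// demo runs the scenario and reports what a responder would observe:
// withKey is true when the matching private key recovers the document,
// withoutKey is true when a different private key fails to.
func demo() (withKey bool, withoutKey bool, err error) {
	criminal, err := rsa.GenerateKey(rand.Reader, 2048) // the criminal's key pair
	if err != nil {
		return false, false, err
	}
	responder, err := rsa.GenerateKey(rand.Reader, 2048) // any other key pair
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample document: quarterly report draft") // constructed input
	env, err := encryptEnvelope(&criminal.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	got, err := recoverEnvelope(criminal, env)
	withKey = err == nil && bytes.Equal(got, sample)
	_, err = recoverEnvelope(responder, env)
	withoutKey = err != nil
	return withKey, withoutKey, nil
}

func main() {
	withKey, withoutKey, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("recovered with the criminal's private key:", withKey)
	fmt.Println("recovery failed with any other private key:", withoutKey)
}
```

The point for defenders is the second result: the wrapped key on the Desktop is a dead end without a private key the victim never had, so the advice in the article (cut power early to limit how many files get encrypted, change nothing on disk, and restore from backups) is the whole of the practical response.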