Anti-virus and shallot race: in pursuit of Gpcode

In an article in Computer Fraud & Security, Kapersky anti-virus expert David Emm reveals the story behind the pursuit of Gpcode, the notorious blackmail virus . Very informative.

Emm explains that the Gpcode virus first appeared in Russia in December 2004, when users discovered that their files had been encrypted and that it was impossible to find the program that had encrypted them. The only trace of the program was a text file called !_Vnimanie_ !.txt (vnimanie means ‘beware’ in Russian). The first targets were companies in the real estate, advertising and banking sectors. Gpcode then reappeared in June 2005, still in Russia, using a more sophisticated encryption algorithm that was nevertheless easily cracked by theanti-virus editor.
The Gpcode virus marked a shift in the cybercriminal paradigm: instead of breaking into a system to access confidential data and extract money, the procedure is now to hold the data itself hostage and extract a ransom directly. The creators of the Gpcode virus weren’t greedy: the ransom was between 2,000 rubles (around €45) and 500 rubles (around €11), making up for it in volume.

In January 2006, the Gpcode.ac version was released, featuring numerous improvements thanks to the use, instead of their own encryption systems, of the RSA encryption algorithm, based on two keys, one public for encryption, the other private for decryption. The rapid neutralization of this version by anti-virus companies did not prevent the arrival of several new versions, each with a new, longer encryption key. The longer the key used, the harder it became for anti-virus companies to break the encryption. Gpcode.af used a 330-bit key that required 10 man-hours and powerful computers to crack. Gpcode.ag’s 660-bit key would normally have required 30 years of calculations by a 2.2 GHz processor. Thanks to a technique that Kaspersky keeps confidential, the anti-virus editor was able to publish detection and decryption routines on the very day this version was detected.

The gpcode.ak version released in June 2008 used a 1024-bit key. To break it, you’d need the power equivalent of 15 million computers running for a year. No anti-virus vendor could break this code in isolation, which led the Russian company to launch the Stop Gpcode initiative, bringing together anti-virus manufacturers, independent researchers and public institutions in search of a flaw in the implementation of the key used in viruses.

The private key of gpcode.ak has not yet been detected, but the article indicates that it is possible in some cases to recover up to 98% of encrypted files thanks to a mistake made by the virus author: before encrypting a file, the virus creates a new file containing the encrypted data of the original file. Once encryption is complete, the original file is deleted. If the hard disk has not been written to again, the original deleted files can be recovered using file recovery applications, the most effective of which is the freeware PhotoRec, originally designed to recover deleted image files. The Russian anti-virus publisher has also created a utility, StopGpcode, which uses the correspondence between an intact file (recovered with PhotoRec, for example) and an encrypted file on a computer to recover other encrypted files.

The author concludes with a reminder of the basic rules you should never forget: never pay when blackmailed, never run unknown programs and always back up your data. We’d add … use an anti-virus!