
Recovering from Ransomware - How to Foil and Stop a Gpcode.ak attack

written by: Bill Sodeman•edited by: Bill Bunter•updated: 2/4/2011

The Gpcode.ak virus can encrypt files on a Windows user's hard drive. This article discusses how to recover from an attack, and how to prevent a ransomware attack from happening.

    The resurgence of ransomware can create real problems for a small business, especially when the company has not developed and implemented strong, consistent antivirus and file backup systems. The specific name of the virus is Virus.Win32.GPCode.ak, and it targets Windows computers.

    A ransomware attack scrambles or encrypts files on a user's computer. The computer gets infected through an email attachment or file that contains a trojan horse or virus. The user has to be tricked into running the payload and starting the infection process. The email message usually offers free files or a prize if the user clicks a link.

    In some cases, the Gpcode files are downloaded onto the machine by the trojan. This step helps the attacker evade antivirus programs.

    The infected files include an executable program that searches the user's hard drive for files with specific extensions like xls, pst, doc, pwa, and pst. The program then encrypts these files, using PGP or another strong encryption scheme, together with a public/private key pair.

    At this point, a ransom scenario unfolds. The payload includes a text file that is written to the user's computer, usually to the folders that contain the newly encrypted files. The text file includes an email address and instructions for contacting the attacker's representatives.
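The two behaviours described above, documents of targeted extensions being replaced by ciphertext and a contact note being dropped into the same folders, are what a defender can look for. The following Python script is an added example (not code from the article or from Kaspersky Labs) that scans a directory tree for both signs: files with the article's target extensions whose byte entropy is close to that of random data, and small text files that contain an e-mail address plus ransom vocabulary. The entropy threshold, the size limits and the keyword list are assumptions chosen for the example, and the sample tree it builds under a temporary directory is constructed, not real victim data.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article names as Gpcode.ak targets; the thresholds are assumptions.
TARGET_EXTENSIONS = {".doc", ".xls", ".pst", ".pwa"}
ENTROPY_THRESHOLD = 7.2        # bits per byte; plain documents sit well below this
MIN_SIZE = 256                 # skip tiny files, where the entropy estimate is noisy
NOTE_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")   # an e-mail address in the note
NOTE_KEYWORDS = ("encrypt", "decrypt", "pay", "key")     # assumed ransom vocabulary


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: Path) -> bool:
    """A small .txt file containing an e-mail address and ransom wording."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > 8192:
        return False
    text = path.read_text(errors="ignore").lower()
    return bool(NOTE_PATTERN.search(text)) and any(k in text for k in NOTE_KEYWORDS)


def scan_tree(root):
    """Return the high-entropy target files and ransom-note candidates under root."""
    root = Path(root)
    report = {"high_entropy": [], "ransom_notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in TARGET_EXTENSIONS and path.stat().st_size >= MIN_SIZE:
            # Read only the first 64 KiB: enough for a stable entropy estimate.
            with path.open("rb") as fh:
                sample = fh.read(65536)
            if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
        elif looks_like_ransom_note(path):
            report["ransom_notes"].append(rel)
    return report


def build_sample_tree():
    """Constructed sample: two ordinary documents, one 'encrypted' document, one note."""
    root = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xls").write_bytes(b"Q1 revenue 1200\nQ2 revenue 1350\n" * 40)
    (docs / "memo.doc").write_bytes(b"Staff meeting moved to Thursday at 10am.\n" * 20)
    (docs / "contracts.doc").write_bytes(os.urandom(4096))   # stands in for ciphertext
    (docs / "!_README_!.txt").write_text(
        "Your files were encrypted. To decrypt them pay and request the key from "
        "example-attacker@example.invalid\n")          # constructed, not a real address
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run on a real share, the script is a triage aid rather than proof: compressed archives and genuinely encrypted documents also score high on entropy, so the result is a list of files to inspect, and a sudden cluster of such files next to a note is the pattern worth alerting on.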

    If the user pays the ransom, it is almost always done through an online service like e-gold or Liberty Reserve that keeps few if any records about its merchants. Upon payment, the attacker's representative will email the private key to the victim. The key is a long alphanumeric string of text that can be pasted into a decryption program that was installed as part of the original attack.

    Brute-force methods could in principle break the attacker's encryption, but recent variants of Gpcode can use 1024-bit encryption, which would require 15 million computer years to decode. Viruslist has posted a plea for assistance called Help crack Gpcode, in an effort to gather enough resources to decode a Gpcode private key.

    Recovery with Stopgpcode and PhotoRec

    It is possible to recover from a Gpcode.ak attack, and Kaspersky Labs, a leading antivirus developer, has released a free restoration program called Stopgpcode. This utility is available on the Lab's Virus.Win32.GPCode.ak web page, along with instructions.

    When Gpcode.ak encrypts a file, it writes a new encrypted file before deleting the original. The Gpcode encryption program then performs a standard file delete, which removes only the original file's directory entry (its name), not its contents. The original unencrypted data remains on the hard disk, and as long as it has not been overwritten by another file, an undelete program can restore the original unencrypted file.

    The Kaspersky Labs page also contains instructions and links for using another free program called PhotoRec to recover some of the encrypted files. PhotoRec is available at the CGsecurity.org web site.
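To make concrete why an undelete or carving tool can still find the originals, here is an added Python example (not code from the article, Kaspersky Labs or PhotoRec) that models the recovery step. The `ToyDisk` class is a constructed stand-in for a file system in which deleting a file only drops its directory entry, exactly the property the paragraph above relies on, and `carve()` does what PhotoRec does in principle: it ignores the directory and scans the raw image for known file headers and trailers. The PDF and JPEG signatures are real; the disk layout, the file names and the XOR stand-in for the ciphertext are assumptions made for the demonstration.

```python
# Header/trailer pairs used for carving. PDF and JPEG are real formats; everything
# else in this example (the disk layout, file names, the stand-in ciphertext) is constructed.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


class ToyDisk:
    """A fixed-size disk with a directory of name -> (offset, length) entries.
    As with a real file system's delete, `delete` only removes the directory
    entry; the data bytes stay in place until a later write reuses them."""

    def __init__(self, size=1 << 16):
        self.data = bytearray(size)
        self.directory = {}
        self._next_free = 0

    def write_file(self, name, content):
        start, end = self._next_free, self._next_free + len(content)
        if end > len(self.data):
            raise IOError("disk full")
        self.data[start:end] = content
        self.directory[name] = (start, len(content))
        self._next_free = end
        return start

    def delete(self, name):
        del self.directory[name]          # the bytes themselves are untouched

    def read_file(self, name):
        start, length = self.directory[name]
        return bytes(self.data[start:start + length])


def carve(image, signatures=SIGNATURES, max_len=1 << 20):
    """Signature-based carving: find each known header in the raw image and cut the
    candidate file at the next matching trailer. The directory is never consulted,
    so files whose entries were deleted are recovered as long as their bytes remain."""
    image = bytes(image)
    found = []
    for kind, (header, trailer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(trailer, pos + len(header), pos + max_len)
            if end == -1:                 # header without a trailer: skip it
                pos = image.find(header, pos + 1)
                continue
            end += len(trailer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda item: item[1])


def demo():
    """Write a document, replace it the way the article describes (ciphertext written
    as a new file, original deleted by name), then carve the original back out."""
    disk = ToyDisk()
    original = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
    disk.write_file("invoice.pdf", original)
    # The ransomware writes the encrypted copy as a new file; a byte-wise XOR is a
    # constructed stand-in for the ciphertext so the run is deterministic.
    disk.write_file("invoice.pdf._CRYPT", bytes(b ^ 0x55 for b in original))
    disk.delete("invoice.pdf")            # only the directory entry goes away
    assert "invoice.pdf" not in disk.directory
    return original, carve(disk.data)


if __name__ == "__main__":
    original, carved = demo()
    for kind, offset, content in carved:
        print(f"{kind} at offset {offset}: {len(content)} bytes, intact={content == original}")
```

The same reasoning shows the limit of the approach: once `_next_free` wraps around and a later write lands on the old offsets, or if the malware overwrites the original's blocks before deleting it (the scenario the article's last paragraph warns about), carving finds only the new data.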

    Prevention relies on preparation and training

    Of course, the best prevention is a good backup system that stores the files on a separate drive or an online storage service. Businesses might invest in a file server that runs Linux. The Gpcode attack program runs on the Windows operating system. A Linux-based server should be able to resist the attack, as long as the server is set up so that individual workstations cannot directly access the files. See our Brighthub articles on TimeVault, Why you should backup off-site and Secure Backup Options for more suggestions.
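A backup only helps against this attack if the encrypted versions cannot overwrite the good copies, which is why the article insists the workstations must not write to the backup store directly. The Python example below is added here and is not the article's or any named product's code: it takes dated snapshots into separate directories that are never modified afterwards, records a SHA-256 manifest per snapshot, reports how much of the previous snapshot changed (a near-100% change across ordinary documents is the mass-modification signature ransomware leaves), and restores a chosen snapshot while verifying every file against its manifest. The directory names, the manifest format and the XOR stand-in for encryption are assumptions made for the demonstration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"   # assumed manifest file name, one "hash  name" line per file


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source, backup_root, label=None):
    """Copy every file under `source` into a fresh snapshot directory and write a
    manifest of SHA-256 hashes. Earlier snapshots are never touched, so a run that
    copies already-encrypted files cannot destroy the good copies taken before."""
    source, backup_root = Path(source), Path(backup_root)
    label = label or time.strftime("%Y%m%d-%H%M%S")
    snap = backup_root / label
    snap.mkdir(parents=True)              # refuses to reuse an existing snapshot
    manifest = {}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            dest = snap / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            manifest[rel] = sha256_file(dest)
    (snap / MANIFEST).write_text("".join(f"{h}  {n}\n" for n, h in manifest.items()))
    return label, manifest


def load_manifest(backup_root, label):
    lines = (Path(backup_root) / label / MANIFEST).read_text().splitlines()
    return {name: digest for digest, name in (ln.split("  ", 1) for ln in lines)}


def changed_since(backup_root, old_label, new_label):
    """Files whose content changed or vanished between two snapshots, plus the
    fraction of the old snapshot affected; ordinary use changes a few files a day."""
    old, new = load_manifest(backup_root, old_label), load_manifest(backup_root, new_label)
    changed = {n for n, h in old.items() if new.get(n) != h}
    return changed, (len(changed) / len(old) if old else 0.0)


def restore(backup_root, label, target):
    """Copy a snapshot back into `target`, verifying each file against the manifest."""
    snap, target = Path(backup_root) / label, Path(target)
    restored = []
    for rel, digest in load_manifest(backup_root, label).items():
        src = snap / rel
        if sha256_file(src) != digest:
            raise ValueError(f"backup copy of {rel} does not match its manifest")
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        restored.append(rel)
    return restored


def demo():
    """Constructed scenario: good snapshot, documents get encrypted, a second snapshot
    shows the mass change, and the first snapshot restores the originals intact."""
    work = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    docs, backups, recovered = work / "docs", work / "backups", work / "recovered"
    docs.mkdir()
    originals = {"ledger.xls": b"jan 100\nfeb 120\n", "notes.doc": b"call supplier\n"}
    for name, content in originals.items():
        (docs / name).write_bytes(content)
    take_snapshot(docs, backups, "snap1")
    for name, content in originals.items():        # XOR stands in for Gpcode's encryption
        (docs / name).write_bytes(bytes(b ^ 0x5A for b in content))
    take_snapshot(docs, backups, "snap2")
    changed, ratio = changed_since(backups, "snap1", "snap2")
    restore(backups, "snap1", recovered)
    intact = all((recovered / n).read_bytes() == c for n, c in originals.items())
    return changed, ratio, intact


if __name__ == "__main__":
    print(demo())
```

In a deployment the script would run on the backup host and pull from the workstations (or from a share the workstations can only read), so that an infected machine holds no credentials that can write into `backup_root`; the change ratio is the number to alert on before the next snapshot rotation discards the last clean copy.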

    Small businesses should train their users on secure computing practices. When users know how to identify email attacks, they will be less likely to become victims. Of course, it's important to eliminate the use of P2P file sharing software that sometimes offers infected files disguised as free audio and video downloads. Some antivirus and security programs can compare Web pages and incoming files against lists of domain names that are known sources of malware.

    Another step that small businesses can take is using an online service like OpenDNS that blocks access to malware distribution sites. OpenDNS offers a free domain name service that can block malware sites, as well as domains that are associated with specific types of content. The service takes a few minutes to set up on a computer, but the DNS settings can also be installed on a company's router. See the OpenDNS start page for instructions.

    Users should also install a strong antivirus program, and keep the file definitions updated. Most Gpcode.ak attacks can be stopped before the virus is ever downloaded onto a victim's computer.

    Dancho Danchev has written two articles about the Gpcode.ak attacks, How to recover GPcode encrypted files and Who's behind the GPcode ransomware? He notes that the attackers are not prompt in returning email messages sent to the ransom addresses, which is by itself a cause for concern.

    The Gpcode attack could be easily upgraded so that the encryption program uses a destructive method to erase the original unencrypted files. This step would make the two approaches described above almost useless for file recovery.