June 10, 2008 4:59 PM PDT

Kaspersky to try to crack code used in 'blackmailer' virus

by Elinor Mills

Antivirus software vendor Kaspersky is launching an international effort to try to crack the encryption used in a "blackmailer" virus that locks up data on a victim's computer.

The company announced the "Stop the Gpcode Virus" initiative Monday and extended a public invitation to all cryptography experts and other researchers, saying it has sufficient information about the virus to enable experts to begin working on factoring the RSA key.

Kaspersky also created a special forum for the effort.

Kaspersky Lab said last week that it had detected a new version of Gpcode, a ransomware virus that essentially holds your data hostage until you pay up. It encrypts files on the hard drive using the RSA algorithm with a 1024-bit key and leaves a message advising the victim to buy a decryptor, along with an e-mail address to contact.

Kaspersky's products detect the new variant, but the company has been unable to crack the encryption key and has analysts working on the problem. The virus is rated a "moderate risk."

The Gpcode Virus was first detected in 2006. "Two years ago we were able to get the private key by detailed analysis of the data at our disposal," Kaspersky Lab explained in a blog posting. "However, the maximum RSA key length we've been able to 'crack' to date is 660 bits. We were able to do this as the author had made some mistakes when implementing the encryption algorithm."

The strength of the encryption grows exponentially with the number of bits in the key.
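As an added illustration (this is not Kaspersky's code, and it is not the specific flaw in Gpcode, which the article does not describe), the Python below shows one textbook key-generation mistake that makes an RSA modulus factorable: when the two primes are chosen too close together, Fermat's method recovers them in a handful of steps, and the private exponent follows directly from the factors. The same routine, run with the same step budget against a modulus built from independently chosen primes of the same size, fails. The key size, seeds and step budget are constructed values chosen for the demo.

```python
# Added example: why "mistakes when implementing the encryption algorithm" can make an
# RSA key crackable. The close-primes flaw shown here is a hypothetical illustration,
# not the flaw Kaspersky found in Gpcode (the article does not say what that was).

import math
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test; adequate for demo-sized primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime >= n."""
    n |= 1  # start from an odd number
    while not is_probable_prime(n):
        n += 2
    return n


def fermat_factor(n: int, max_steps: int):
    """Fermat's method: find a with a*a - n a perfect square b*b, then n = (a-b)(a+b).
    Needs only a few steps when |p - q| is tiny relative to sqrt(n); hopeless otherwise."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None  # budget exhausted: the factors are not close enough


def weak_modulus(bits: int, seed: int):
    """Constructed flaw: q is chosen within 2^16 of p, so the primes share their top bits."""
    rng = random.Random(seed)
    half = bits // 2
    p = next_prime(rng.getrandbits(half) | (1 << (half - 1)))
    q = next_prime(p + rng.randrange(2, 1 << 16))
    return p * q, p, q


def sound_modulus(bits: int, seed: int):
    """Proper generation: p and q drawn independently across the whole range."""
    rng = random.Random(seed)
    half = bits // 2
    p = next_prime(rng.getrandbits(half) | (1 << (half - 1)))
    q = next_prime(rng.getrandbits(half) | (1 << (half - 1)))
    while q == p:
        q = next_prime(q + 2)
    return p * q, p, q


def private_exponent(p: int, q: int) -> tuple:
    """Once p and q are known the private exponent d follows; try common public exponents."""
    phi = (p - 1) * (q - 1)
    for e in (65537, 257, 17, 3):
        if math.gcd(e, phi) == 1:
            return e, pow(e, -1, phi)
    raise ValueError("no coprime public exponent found")


def demo(bits: int = 128, seed: int = 1, budget: int = 100_000) -> dict:
    """Run Fermat's method with the same budget against a weak and a sound modulus."""
    n_weak, p, q = weak_modulus(bits, seed)
    n_sound, _, _ = sound_modulus(bits, seed)
    weak = fermat_factor(n_weak, budget)
    sound = fermat_factor(n_sound, budget)
    result = {"weak_recovered": weak == (p, q), "sound_recovered": sound is not None}
    if weak:
        # With the factors in hand, the "private key" decrypts a sample ciphertext.
        e, d = private_exponent(*weak)
        sample = 123456789
        result["weak_roundtrip"] = pow(pow(sample, e, n_weak), d, n_weak) == sample
    return result


if __name__ == "__main__":
    print(demo())
```

The point for a defender is the one the article makes in reverse: a 1024-bit key with no such generation or implementation flaw is far beyond the reach of Fermat's method or any other known factoring approach, which is why Kaspersky is asking for outside help rather than simply running the attack longer.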

People who believe their computers have been infected with the virus are advised not to restart or power down the machines. They should send an e-mail to stopgpcode@kaspersky.com with details of the infection.

This is a screenshot taken of the message that pops up when a computer is infected with the Gpcode virus.

(Credit: Kaspersky)

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Lerianis June 10, 2008 6:54 PM PDT
So how do we protect against this? Is there any way to protect against this malware or are you basically screwed because it can appear on any site?
Reply to this comment
by ecolisnacks June 10, 2008 7:35 PM PDT
C'mon Eugene, if you crack the code, everyone will think you wrote the malware to begin with. Screwed if you do, screwed if you don't.
Reply to this comment
by pagopagopago June 10, 2008 7:46 PM PDT
Ok so you have to send the payment to whom? Trace the transaction, get the FBI or Interpol to arrest them, waterboard them till they give you the key, and all of our problems are solved.
Reply to this comment
by humbuzz June 10, 2008 7:47 PM PDT
...and the ransom payment goes where? Seems like it could be tracked somehow.
Reply to this comment
by Dalmatian28 June 10, 2008 7:59 PM PDT
Whoa...this is a good one! I wonder if this thing works for the files on your backup drive! If it does, this guy is a pro! My first thought was to format the hard drive and restore from your backup; that is a lot of wasted time, but it should work. The problem with this option, of course, is that if you have some recent files that you care about....you will lose them because you have to restore it to the date before infection. Isn't it ironic that the Russian anti-virus company is the only one that is working on this....do you guys think what I am thinking???
Reply to this comment
by 0zSpit June 10, 2008 8:01 PM PDT
The virus is running rampant because too many people are using free security programs pushed on them from download.com as actually good security. These people also think you should load your computer up with an arsenal of security that it takes minutes to view a page. It's not like they would pay for anything; just look at all the comments on the iPhone blogs. There isn't any. These cheap free-or-nothing people won't be owning an iPhone anytime soon.
Reply to this comment
by Rants&Raves June 10, 2008 11:10 PM PDT
On tracking the payment: you can be sure that if it was that blindingly obvious and easy, it would have been done by now. This suggestion is hardly contributing to the discussion.

Dalmatian28: Hmm, praising the bad guy, pointing out the wasted time with the non-compliance option, pointing out how smart the minutiae of the strategy is (more recent files have a higher perceived value), and following up with the misdirection thing. Did I get the gist of your post?
Reply to this comment
by Remo_Williams June 11, 2008 7:05 AM PDT
Are you thinking what I'm thinking?
"Albanian chicken juice?"
No Shane, I'm thinking that the next time I cross back into the US and some federal schmuck wants to look at my HDD, I'll just claim that the virus has made it inoperable and they are welcome to copy the virus if they like. If they call my bluff, good luck trying to pry open my TrueCrypt volumes.

-R
Reply to this comment
by Ron&Hillery June 11, 2008 8:46 AM PDT
Every time I read one of these I'm so glad I surf and E-mail with Mandriva Linux. Go penguin power.
Reply to this comment
by preacherx June 11, 2008 10:25 AM PDT
Amen to that!
by Seaspray0 June 11, 2008 9:06 AM PDT
It's time for the world to stop allowing criminals like this to live. I don't care if they are hiding in another country. The internet is worldwide and needs a security force that transcends the boundaries of all countries. Hunt them down like the animals they are.
Reply to this comment
by ralfthedog June 11, 2008 11:15 AM PDT
Does anyone know if the decryptor works when you cave in to the extortion? If it does, set up a temporary bank account with just the money to buy the decryptor, then reverse engineer the decryptor software.

I wonder if the attached email address is even connected to the people who wrote the virus. I can picture someone writing something that encrypts to a random key, then gives his ex-boss's email just for revenge.
Reply to this comment
by Dalkorian June 11, 2008 2:31 PM PDT
Wow, that's one nasty little sucker. I hope they catch these folks, film their executions in the electric chair and post the footage on YouTube for others to see. Really make an example out of these buggers. I hate winblows and all, but this is just cold blooded.
Reply to this comment
by benjaminstraight July 31, 2008 3:56 AM PDT
Good luck crackin'. But it makes him suspect.
Reply to this comment