"Ransomware" – Extortion by Encryption

Recently there has been a rash of reports of computers becoming infected with the Gpcode.ak virus, a new variant of an attack that surfaced a few years ago. Gpcode encrypts data on the affected computer’s hard drive, plus any shares to which it has access. It leaves the basic system software alone (so the computer remains useable), but encrypts the user’s data files. The encryption for the original version was cracked, making it easy for anyone to decrypt his or her own files, but this new version uses a 1024-bit encryption key. According to Kaspersky, this would take a relatively modern PC about 30 years to crack.

Affected users find a “README” file directing them to contact a specific email address for details on purchasing a “decryption tool” in order to recover their files. Sometimes the additional threat of publicizing confidential information is included in this ransom note.

However, because of a flaw in this version, it is currently possible to recover the encrypted files. Gpcode makes a copy of the files before encrypting them, and then deletes this copy. These deleted files can be recovered with file-recovery software that is widely available in both free and commercial offerings. Affected users should avoid rebooting their computers, and should not use them for anything else until they’ve recovered their files. This limits the risk of the deleted files being overwritten by other processes. This method of recovery is a temporary work-around – at best – because it has been widely publicized on the security forums, and it is only a matter of time before the virus authors add a step to wipe the deleted files from the disk.

It is unclear exactly how this virus spreads, but the vast majority of malicious infections come directly from spam email or from rogue web sites to which spam directs users. Therefore, minimizing one’s risk of exposure to this virus means taking the normal precautions against any malware, such as keeping virus scanners and spam filters up to date, and having a clearly communicated policy about not following links in unsolicited emails (spam).

Source by Christopher Spence