Recently there have been many reports of computers infected with Gpcode.ak, a new variant of the Gpcode ransomware family that first appeared a few years ago. Gpcode encrypts the user's files on the affected computer's hard drive and on any network shares it can write to. It leaves the base system software alone, so the computer remains usable, but the user's documents become unreadable. Earlier versions used keys weak enough that researchers were able to break them, allowing victims to decrypt their own files; this version uses a 1024-bit RSA key. According to Kaspersky, factoring a key of that size is out of reach for victims: their estimate was on the order of 30 years for a single relatively modern computer, and in practice only a large distributed effort could even attempt it.
Affected users will find a "README" file (the ransom note) directing them to contact a specific email address for information on purchasing a "decryption tool" to recover their files. Some ransom notes add a threat to disclose confidential information if the victim does not pay.
However, a bug in this version makes it possible to get the original files back without paying. Gpcode does not encrypt files in place: it writes the encrypted content to a new file and then deletes the original. Deleting a file only removes its directory entry; the original data stays on disk until the file system reuses those blocks, so it can be recovered with undelete or file-carving software, widely available in both free and commercial offerings. Affected users should avoid restarting the computer or using it for anything else until their files have been recovered, and should write the recovered files to a different drive, since every write (including the recovery tool's own output) risks overwriting the deleted data. This recovery method is a temporary workaround at best: it has been widely publicized on security forums, and it is only a matter of time before the virus writers add a step that overwrites the original files before deleting them.
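The following is an added illustration of why the recovery trick works and why it is fragile; it is not code from the original article or from any recovery tool. It builds a toy disk image with a directory that maps names to blocks, then imitates the behaviour described above (write an encrypted copy, delete the original) and runs a minimal file carver over the raw image, ignoring the directory, the way undelete and carving tools do. The block size, the toy file system, the sample JPEG, the key and the SHA-256 counter-mode keystream standing in for the malware's cipher are all assumptions made for the demo; nothing here reflects Gpcode's actual format or cipher.

```python
"""Toy model of the Gpcode.ak recovery trick: file carving on a disk image.

Constructed illustration. The disk image, the "file system" and the
malware behaviour are all invented here to show one thing: deleting a
file only releases its blocks, so a carver can still find the plaintext
until those blocks are overwritten (by the malware, or by normal use).
"""
import hashlib

BLOCK = 64                   # toy block size (assumption)
NBLOCKS = 64                 # toy disk of 64 blocks = 4 KiB
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


class ToyDisk:
    """A raw image plus a directory mapping file names to block lists."""

    def __init__(self):
        self.image = bytearray(BLOCK * NBLOCKS)
        self.free = list(range(NBLOCKS))   # allocation order: lowest first
        self.dir = {}

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)   # ceiling division
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.dir[name] = (blocks, len(data))

    def read(self, name):
        blocks, size = self.dir[name]
        raw = b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete(self, name, wipe=False):
        """Unlink: drop the directory entry, return blocks to the free list.
        Only with wipe=True is the data itself destroyed."""
        blocks, _ = self.dir.pop(name)
        if wipe:
            for b in blocks:
                self.image[b * BLOCK:(b + 1) * BLOCK] = b"\x00" * BLOCK
        self.free[:0] = blocks   # freshly freed blocks are reused first


def keystream_xor(key, data):
    """Stand-in stream cipher (SHA-256 in counter mode), NOT Gpcode's cipher.
    XOR with a keystream is its own inverse, so this both encrypts and decrypts."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def gpcode_like(disk, name, key, wipe_original=False):
    """Mimic the behaviour the article describes: write a new encrypted file,
    then delete the original. wipe_original=False is the bug (plaintext merely
    unlinked); True is what a fixed version of the malware would do."""
    plain = disk.read(name)
    disk.write(name + "._CRYPT", keystream_xor(key, plain))
    disk.delete(name, wipe=wipe_original)


def carve_jpegs(image):
    """Minimal carver: return every SOI..EOI span found in the raw image,
    without consulting the directory at all."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = image.find(JPEG_EOI, start)
        if end < 0:
            return found
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def demo(wipe_original=False, keep_using=False):
    """Return True if the original photo can still be carved out of the image."""
    disk = ToyDisk()
    # Constructed sample files: a text file and a fake JPEG with a simple body.
    photo = JPEG_SOI + b"\x00" * 60 + b"holiday photo pixels " * 6 + JPEG_EOI
    disk.write("notes.txt", b"meeting notes\n" * 4)
    disk.write("holiday.jpg", photo)
    gpcode_like(disk, "holiday.jpg", b"attacker-key-stand-in", wipe_original)
    if keep_using:
        # The user keeps working: a new download lands on the just-freed blocks.
        disk.write("new-download.bin", b"\x42" * (BLOCK * 4))
    return photo in carve_jpegs(disk.image)


if __name__ == "__main__":
    print("buggy malware, disk idle     :", demo())                     # True
    print("buggy malware, kept using PC :", demo(keep_using=True))      # False
    print("fixed malware (wipes first)  :", demo(wipe_original=True))   # False
```

The first case is the situation the article describes: the ciphertext went to fresh blocks, the plaintext blocks were only unlinked, and a carver that ignores the directory finds the photo intact. The other two cases are the two ways the workaround dies: continuing to use the machine lets new writes land on the freed blocks, and a malware author who zeroes the original before deleting it leaves nothing to carve.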
It is not yet clear exactly how this virus spreads, but most malware infections arrive through spam, either as an attachment or via a link to a malicious website. Minimizing the risk of exposure to this virus therefore means taking the normal precautions against all malware: keep virus scanners and spam filters up to date, keep regular backups that the infected machine cannot write to (the only reliable way to recover encrypted files once the key is out of reach), and have a clearly stated policy against following links or opening attachments in unsolicited email (spam).