Ransomware returns: 'If you ever want to see your data again...'

Revamped version of GpCode is out, yet the malware still requires victims to believe kidnappers will return stolen data for a fee

Ransomware is back. After a hiatus of more than two years, a variant of the GpCode program has again been released, kidnapping victims' data and demanding $120 for its return.

Like the ransomware programs before it, GpCode encrypts a victim's files and then demands payment for the decryption key. The new version of GpCode -- labeled GpCode.AX by security firm Kaspersky -- comes with a bit more nastiness than previous attempts. The program overwrites files with the encrypted data, causing total loss of the original data, and uses stronger crypto algorithms -- RSA-1024 and AES-256 -- to scramble the information.

"This type of malware is very dangerous because the chances of getting your data back are very low," Vitaly Kamluk, a malware lab expert at security firm Kaspersky, writes in a blog post describing the attack. "It is almost the same as permanent removal of the data from your hard drive."

Ransomware crops up occasionally. The last known revision of the GpCode program came two years ago. At the time, the author claimed that the scheme pays well, but the criminal business model has a number of factors working against it.

First off, antivirus firms immediately analyze ransomware code for errors that could allow decryption. Writing good encryption code is notoriously difficult, and previous versions of the program had flaws that allowed security firms to help victims recover at least some of their data.

And of course, there's the trust problem. Unlike rogue security software, where the criminal dons the guise of a trusted security company, ransomware is in the business of blatant extortion. How, exactly, does paying a criminal who has just encrypted your data guarantee its return?

No wonder ransomware is rare. Moreover, for the properly prepared company or user, defending against the attack is simple: Just ensure you make frequent backups and train users to restore data if you're ever faced with a ransomware threat. These days, companies have no excuse for being unprepared.

Victims without backups can still preserve data if they react quickly, says Kaspersky's Kamluk: anyone who gets a notice that their data has been encrypted should immediately pull the plug on their PC.

"Pushing [the] reset/power button on your desktop may save a significant amount of your valuable data!" he writes.

This article, "Ransomware returns: 'If you ever want to see your data again...'," was originally published at InfoWorld.com.


Copyright © 2010 IDG Communications, Inc.