Ransomware: GPCode strikes back

Jack

Administrator, Staff Member · Jan 24, 2011 · malwaretips.com
Kaspersky Lab discovered a new variant of GPCode Ransomware today, in the form of an obfuscated executable.
The threat was detected automatically, thanks to the Kaspersky Security Network, as UDS:DangerousObject.Multi.Generic.

Specific detection has been added and the threat is now detected as Trojan-Ransom.Win32.Gpcode.bn.

The infection occurs when a malicious website is visited (drive-by download).

Upon execution, the GPCode Ransomware will generate an AES 256-bit key (using the Windows Crypto API), and use the criminal’s public RSA 1024 key to encrypt it. The encrypted result will then be dropped on the Desktop of the infected computer, inside of the ransom text file:
[image: 6166.png]

It’s important to notice that, unlike the sample from last November, they are asking for payment through Ukash pre-paid cards. On a side note, the Ransomware we discovered yesterday, which was disguised as a notice from the federal German police, was also asking for Ukash coupons.

It seems the criminals are moving away from the old money transfer, and preferring the pre-paid cards instead. The price increased from 120 to 125 dollars.

At the very same time, the Desktop background is changed to tell the user they have been infected, and that a ransom should be paid:
[image: 6167.png]

At this point, the hard drives are being scanned for files to encrypt. The file extensions used to determine whether a file is to be encrypted or not are provided inside of an encrypted configuration file. It means the GPCode Ransomware can be easily updated with a new configuration file. It also includes the ransom letter as well as the public RSA 1024 key from the criminals.

More details - link
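The post describes the behaviour a defender can key on: a drive scan followed by rewriting many user files whose extensions come from a configured list. The following is an added example (not part of this thread or of Kaspersky's write-up) of a simple detection heuristic over file-write telemetry: it flags any process that, inside a short time window, rewrites many files spanning several document-type extensions. The log format, the process name `unknown_dropper.exe`, the paths, the extension watch list and the thresholds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension watch list (assumed): the kinds of user documents a
# configuration-driven encryptor would target. Only writes to these count.
WATCHED_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".png", ".mp3", ".zip"}

# Constructed sample telemetry, not real logs. One process (pid 4242) rewrites
# nine documents of six types within five seconds; a word processor (pid 1200)
# saves the same file twice, minutes apart.
SAMPLE_LOG = r"""
2011-01-24T10:00:01 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Documents\report.doc
2011-01-24T10:00:01 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Documents\budget.xls
2011-01-24T10:00:02 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Pictures\holiday.jpg
2011-01-24T10:00:02 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Pictures\cat.jpg
2011-01-24T10:00:03 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Documents\thesis.pdf
2011-01-24T10:00:03 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Documents\notes.txt
2011-01-24T10:00:04 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Music\song.mp3
2011-01-24T10:00:04 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Documents\letter.doc
2011-01-24T10:00:05 pid=4242 image=unknown_dropper.exe op=WRITE path=C:\Users\jack\Desktop\ransom_note.txt
2011-01-24T10:00:06 pid=1200 image=winword.exe op=WRITE path=C:\Users\jack\Documents\draft.doc
2011-01-24T10:02:10 pid=1200 image=winword.exe op=WRITE path=C:\Users\jack\Documents\draft.doc
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\S+) path=(?P<path>.+)"
)


def extension_of(path):
    """Return the lower-cased extension of a Windows path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def parse_log(text):
    """Parse the assumed 'key=value' event format into dicts; skip unparseable lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "pid": int(m["pid"]),
            "image": m["image"],
            "op": m["op"],
            "path": m["path"].strip(),
            "ext": extension_of(m["path"].strip()),
        })
    return events


def find_suspicious_processes(events, window_seconds=30, min_files=6, min_extensions=3):
    """Flag pids that rewrite >= min_files distinct watched files spanning
    >= min_extensions extensions within any window_seconds-long window."""
    window = timedelta(seconds=window_seconds)
    by_pid = defaultdict(list)
    for ev in events:
        if ev["op"] == "WRITE" and ev["ext"] in WATCHED_EXTENSIONS:
            by_pid[ev["pid"]].append(ev)

    hits = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event; stop at the first window that trips.
        for i, start in enumerate(evs):
            files, exts = set(), set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                files.add(ev["path"])
                exts.add(ev["ext"])
            if len(files) >= min_files and len(exts) >= min_extensions:
                hits[pid] = {"image": start["image"], "files": len(files),
                             "extensions": sorted(exts), "first_seen": start["ts"]}
                break
    return hits


if __name__ == "__main__":
    for pid, info in find_suspicious_processes(parse_log(SAMPLE_LOG)).items():
        print(f"pid {pid} ({info['image']}): {info['files']} watched files rewritten "
              f"across {len(info['extensions'])} extensions starting {info['first_seen']}")
```

The thresholds are deliberately generous so an ordinary application saving a handful of files is not flagged; tune them to the host's baseline, and treat a hit as a trigger for isolating the process and restoring from snapshots or backups rather than as proof of infection on its own.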
 
In such a moment, rollback software such as Comodo Time Machine could be useful.

Look here to see. The user can easily save himself by going back to a state when the computer was clean.
 
COMODO Defense+/Sandbox on default settings can't prevent Ransomware: GPCode?
 
RE: Ransomware: GPCode strikes back

Jack said:
COMODO Defense+/Sandbox on default settings can't prevent Ransomware: GPCode?

No, it won't, but if you put it on Untrusted/Restricted you will be protected. Not even Limited will protect. Comodo is detecting it as a virus, so no need to worry.