New reports of GPCode “Ransomware”

Executive summary: An automatic, up-to-date backup is your best protection against computer trouble. Next is up-to-date antivirus software. If you’re infected with GPCode and you don’t have a good backup you’re screwed.

I’ve heard reports from some of my colleagues of “Ransomware” cropping back up. A typical scenario:

You’re browsing the Internet, on web sites that never caused any trouble before. Then your hard drive starting working…and working….and working…and you see a message like this:

Attention!!! All your personal files (photo, documents, texts, databases, certificates, video)
have been encrypted by a very strong cypher RSA-1024. The original files were deleted. You
can check - just look for files in all folders. There is no possibility to decrypt these files
without a special decrypt program!
Nobody can help you - even don’t try to find another method or tell anobody. Also after n days
all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 125$ via ukash/psc pre-paid cards. And remember, any harmful
or bad words to our side will be reason for ignoring your message and nothing will be done.
For details you have to send your requests on this email (attach to message a full serial key
shown below in this ‘ how to..’ file on desktop.

And your desktop background changes to this:
Gpcode desktop message 1

Uh-oh. When you see this screen the program is in the process of encrypting your files so that they can’t be read by normal means. Normally encryption is a good thing because it lets you (and only you) see the files. In this case the nasties give you no way of seeing or recovering your files.

Unlike many of the previous versions of these, the new GPCode virus will encrypt your files in-place, meaning that the old tricks we’d use to recover most of the data won’t work.

The instructions usually say to send $125 in prepaid cash cards.

  1. This is for real. If you’ve got this variant, the files on your system are encrypted and nearly impossible to decrypt.
  2. I have heard no reports of success by paying. Even if you DID try to pay it would take several days for your payment to reach the nasty guys in eastern Europe.
  3. As of now (April, 2011) there is no good method for recovering these files. Because of the unknown method of encryption used it’s very, very difficult to plan a recovery. I would expect that over the next few weeks programmers will be reverse-engineering the code and possibly leveraging Amazon’s Electric Compute Cloud to develop a recovery plan. I’ll update this article or add comments as I learn of developments in this area.

What to do?

  1. Back up your system. We recommend that everyone use an automated online backup program. Mozy or JungleDisk are fine for homes, we prefer our partner Intronis for business backups. If you’re unsure how to set this up, please contact us and we’ll lend a hand. If you’re infected with GPCode and you don’t have a good backup you’re screwed.
  2. Run a modern, up-to-date antivirus. I know, some of the slow down your system. Some of them flag good files. You’re super-duper careful and never see the seedy underbelly of the internet. But any decent protection program will block GPCode. We recommend GFI VIPRE,eset nod32, and ZoneAlarm Extreme Security, or free-for-home-use avast! or Antivir.
  3. Quick shut-down. If you see the desktop background change to something like I’ve shown above, shut your computer down. Unplug it or press and hold the power button for five seconds. It will take the virus several minutes to find, process, and encrypt your files. You may lose a few things but you can save most of your information if you shut down immediately.
  4. General good habits. Don’t open e-mail from anyone you don’t know. Don’t open attachments, even from people you do know, unless you’re expecting them. Don’t go to web site links in e-mail. Keep Windows and Adobe Flash up to date. Avoid using Facebook Apps, and don’t click on anything that gets downloaded from Facebook.

Does your business need help recovering from (or better yet, avoiding) a tech disaster? Please contact us at 888-928-3336 or

Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: