SOURCE: Kaspersky Lab

June 05, 2008 16:15 ET

Kaspersky Lab Warns of New Variant of Dangerous Blackmailing Virus, Gpcode

WOBURN, MA--(Marketwire - June 5, 2008) - Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software, has informed the public that it has been the first to detect a new variant of Gpcode, a dangerous encryptor virus -- Virus.Win32.Gpcode.ak. Kaspersky Lab added a signature for Virus.Win32.Gpcode.ak on June 4, 2008.

Gpcode.ak encrypts files with various extensions including, but not limited to: .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key. Kaspersky Lab analysts succeeded in thwarting previous variants of Gpcode, when Kaspersky virus researchers were able to crack the private key after in-depth cryptographic analysis. The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660 bits.

At the time of writing, Kaspersky Lab is unable to decrypt files encrypted by Gpcode.ak since the key is 1024 bits long. Thus, the only way currently to decrypt the encrypted files is to use the private key which only the author has available at a fee.

"With this new version of Gpcode, we've encountered ransomware which seems impossible to crack during this early stage of detection. Next to running anti-malware solutions the best measure to fight this kind of malware is to regularly create back-ups of the files stored on the computer," said Roel Schouwenberg, Senior Anti-Virus Researcher, Kaspersky Lab. "We strongly discourage infected people to pay the ransom as this will only encourage the author to create new versions."

After Gpcode.ak encrypts files on the victim machine it adds ._CRYPT to the extension of the encrypted files and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a "decryptor":

  «Your files are encrypted with RSA-1024 algorithm.
  To recovery your files you need to buy our decryptor.
  To buy decrypting tool contact us at: ********»


Contact Kaspersky Lab using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.

Write to Kaspersky at: with the following information included in the email:

--  Date & Time of infection
--  Everything done on the computer in the 5 minutes before the machine
    was infected, including:
    --  Programs executed
    --  Websites visited

Kaspersky Lab will try to help recover any encrypted data.

Kaspersky Lab analysts are continuing to analyze the virus code in search of a way to decrypt the files without having the private key. Until a solution is found, we recommend that anti-malware solutions are set to maximum security and extra care is taken while browsing the Internet and reading email.

We urge infected users not to yield to the blackmailer, but to contact us and local cybercrime law enforcement units. Yielding to blackmailers only continues the cycle.

About Kaspersky Lab

Kaspersky Lab delivers the world's most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. Kaspersky Lab products provide superior detection rates and the industry's fastest outbreak response time for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is used worldwide inside the products and services of the industry's leading IT security solution providers. Learn more at For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit

Contact Information

  • Contact Information:

    Jennifer Jewett
    Kaspersky Lab, The Americas
    + 1 781 503 1856
    Email Contact

    Andrea Jahanbozorgi
    Cohn & Wolfe
    + 1 212 798 9820
    Email Contact