Kaspersky pinpoints workaround for ransomware virus

Earlier this month Kaspersky was first to identify a new and improved variant of the blackmailing Gpcode trojan.

The virus works by infiltrating a user’s computer via unpatched browsers. Once active it encodes most of the data on the computer, including .doc, .txt, .pdf, .xls, .jpg and .png files, with a 1024 bit key and then demands money from the user to obtain the decryption key.

The malware is a revision of a previous virus, thought to be from the same author, which appeared two years ago but only used a 660 bit key.

Although Kaspersky and other security vendors have been successful in cracking the 660 bit key, efforts to decode the 1024 bit key have proven unsuccessful.

And while Kaspersky is still yet to crack the 1024 bit encryption, it has identified a method to retrieve users’ encrypted files.

The new method makes use of the fact that before encrypting a file, the Gpcode ransomware creates a new file ‘next to’ the file it encrypts. Once encryption of a file is complete, the virus deletes the original file.

Kaspersky has pinpointed a method based on data recovery techniques to retrieve the original file.

To do this, Kaspersky Lab analysts have leveraged the free PhotoRec utility while adding the ability to restore exact file names and pathways.

The downloadable executable "restores original filenames and the full paths of the files recovered," said Kaspersky.

While the new utility is free, Kaspersky is asking victims to consider donating to the PhotoRec creators, who include Christophe Grenier.