How to salvage data lost to Gpcode.ak encryptor virus
- — 17 June, 2008 07:30
The Gpcode.ak virus, which encrypts files on the victim's desktop and demands a ransom to decrypt them, uses encryption that so far has proven too strong to crack. But Kaspersky Lab, which first identified Gpcode.ak earlier this month, says there is a way for most victims to at least recover their files.
Kaspersky says Gpcode.ak works by making a copy of the original file it wishes to kidnap using 1,028-bit encryption, then deleting the original. However, "it doesn't wipe the file from the system," says Roel Schouwenberg, senior antivirus research analyst at the security company.
Kaspersky is recommending the most cost-effective tools it determined can recover files, the freely available PhotoRec utility in conjunction with a free utility Kaspersky has designed called StopGPcode that restores the original file name and full paths of the recovered files. Kaspersky is recommending that anyone using the free PhotoRec utility for this purpose make a volunteer donation for its use in the open source spirit.
Various commercial file-recovery software packages may be able to find this kind of deleted file, too.
But any of these file-recovery methods could still prove ineffective in some cases.
"Some variables that come into play are that in re-booting the system or using it a lot, there's a higher chance you won't be able to recover the files," Schouwenberg says.
The underlying concern is that the unknown malware creator may create another version that does a better job of fully purging files after a copy of them has been encrypted.
While there hasn't been a massive Gpcode outbreak, the virus appears to slowly be gaining steam with a few thousand infections identified so far, including at a hospital outside the United States.
Kaspersky hasn't yet determined exactly how GPcode.ak spreads since first surfacing in early June, but a trail of clues is leading to suspect Blogspot spam and Usenet spam, Schouwenberg says.