Time and again we have come across viruses / malware which have put our gray cells to test. One such malware is the GPCode.
The attack vector of GPCode is to encrypt files whose extensions are on its list. The malware searches for files matching its list of 140+ extensions and then encrypts them. Once the encryption is complete, it changes the desktop wallpaper to a ransom-note wallpaper demanding that the user pay $120 to have the files decrypted. Details of the money transfer are provided in a text file left on the desktop.
No tweaking of the registry or injecting complicated code into DLLs, nothing complicated: just encrypt the files with RSA 1024-bit encryption. The whole hype surrounding this kind of malware is only due to the fact that it interacts with its victim through a visual mode of communication.
Today GPCode uses RSA 1024-bit encryption; tomorrow someone else might come up with 2048-bit encryption combined with a DoD 5220.22-M wipe to delete the original files after encrypting them to a new file, or attack the partition table or MBR. Then what are we (antivirus organizations) going to do?
Encrypting a file depends on a few factors:
1: File size
4: All of the above factors have a direct impact on the encryption time. Since the payload of the malware is to encrypt all the important files, it is going to take its own sweet time.
The only possible solution we can foresee at this time is to keep an active watch on hard-disk operations (disk I/O: file read, write and create events, and the percentage threshold of these events), but since the payload of the malware is bound to change, it would be very difficult to ascertain quick remedial steps a user can follow. It is, however, advisable to deploy Microsoft's SteadyState, so that in case of any eventuality the victim can always revert to the original state. Please note that there are certain rules which govern SteadyState, and the user should be aware of them.
* SteadyState allows the user to revert to the previously saved state; if you saved the infected system, the restored state will also be infected.
** Any document modified during the infected state will be reverted to its original state.
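One way to put the disk-activity threshold idea above into practice, as an added example that is not from the original post: a sliding-window detector run over a constructed file-event log, alerting only when many distinct document files are written in a short time and those writes dominate the disk activity. The log format, the extension list and the thresholds are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Hypothetical handful of the document extensions such malware targets
# (GPCode's own list of 140+ extensions is not reproduced here).
WATCHED_EXT = (".doc", ".xls", ".pdf", ".jpg", ".txt")

# Constructed sample log, one "timestamp op path" event per line; the
# format is an assumption, not any real disk monitor's output.
SAMPLE_LOG = r"""2008-06-10T10:00:00 read C:\Users\bob\report.doc
2008-06-10T10:00:05 write C:\Users\bob\report.doc
2008-06-10T10:00:30 read C:\Windows\System32\kernel32.dll
2008-06-10T10:01:00 write C:\Users\bob\notes.txt
2008-06-10T10:05:00 write C:\Users\bob\photos\1.jpg
2008-06-10T10:05:00 write C:\Users\bob\photos\2.jpg
2008-06-10T10:05:01 write C:\Users\bob\photos\3.jpg
2008-06-10T10:05:01 write C:\Users\bob\docs\budget.xls
2008-06-10T10:05:02 write C:\Users\bob\docs\thesis.pdf
2008-06-10T10:05:02 write C:\Users\bob\docs\cv.doc
2008-06-10T10:05:03 create C:\Users\bob\Desktop\ransom_note.txt"""

def parse_line(line):
    """Split one log line into (datetime, operation, path)."""
    ts, op, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), op, path

def is_hit(op, path):
    """True for a write/create touching a watched document extension."""
    return op in ("write", "create") and path.lower().endswith(WATCHED_EXT)

def detect_mass_modification(lines, window_s=10, min_files=5, min_ratio=0.6):
    """Return the timestamps at which the threshold rule fires.

    Rule: within the last `window_s` seconds, at least `min_files` distinct
    watched files were written/created AND those events are at least
    `min_ratio` of all disk events in the window. Requiring both keeps a
    single big document save or a busy installer from alerting.
    """
    window = deque()  # events still inside the sliding time window
    alerts = []
    for ts, op, path in map(parse_line, lines):
        window.append((ts, op, path))
        while ts - window[0][0] > timedelta(seconds=window_s):
            window.popleft()
        hit_events = [p for _, o, p in window if is_hit(o, p)]
        ratio = len(hit_events) / len(window)
        if len(set(hit_events)) >= min_files and ratio >= min_ratio:
            alerts.append(ts)
    return alerts
```

On the sample log the rule stays quiet during the normal activity and first fires at 10:05:02, once the fifth distinct document has been rewritten inside the window.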
Generally, malware targets a host to generate ad-clicks which are then converted into real money, whether through a spam campaign, sites being opened on the host machine without the victim's knowledge, or site redirection using XSS/CSRF. Malware authors can come up with different tricks to achieve one single goal, i.e. money.
Sometimes I wonder, why don't money transfer organizations provide a mechanism to trace the beneficiary of the transaction? Though the internet provides a fantastic mechanism to transfer funds, don't you think it is the onus of such organizations to provide transparency for their transactions?
During our research we have come across various ransomware, and all of them use the online money transfer method. The reason hackers use this method is the sheer fact that online money transfer organizations do not provide a trace-back mechanism, i.e. 100% anonymity, and secondly the speed at which these transfers take place. Start providing "trace back" and "money withdrawal restriction" mechanisms and we shall find a sharp decrease in the deployment of ransomware and botnets.
There's a saying: hit where it hurts the most; in this case, the financial aspect.
Antivirus organizations and security researchers are always fighting a never-ending battle against crimeware, botnets and what not, but as long as hackers/malware authors have a method to transfer funds anonymously, this is not going to stop.