Kaspersky revealed how to 'kill' Gpcode
Kaspersky Lab says users can use a simple open-source file recovery application to recover files that have been encrypted and deleted by the "kidnapping" Trojan.
On June 8, the Moscow-based security firm warned users about Gpcode.ak, a new variant of the "kidnapping" Trojan. Notably, this variant encrypts files using 1024-bit RSA encryption keys. Kaspersky had to call on the community for help in breaking the encryption.
Specifically, Gpcode can encrypt 143 different file types on an infected PC. It deletes the original files and then displays a message demanding payment for the return of the encrypted files.
Dancho Danchev, a security researcher, said the Trojan requires users to pay between 100 and 200 USD to buy the file encryption software.
After many days of research, Kaspersky has found a way for users to retrieve the encrypted files without paying. "It is possible to restore deleted files if the hard drive has not had any changes to the data structure."
A Kaspersky researcher nicknamed VitalyK said in an article on the company's official blog that users can use PhotoRec, an open-source application for recovering deleted files, to retrieve the files deleted by Gpcode.
This is possible because once Gpcode infects a system, it quickly encrypts every file it can, deletes the originals, and then destroys itself to avoid detection. Users therefore do not have to worry that the restored files will be encrypted again.
In addition, Kaspersky has developed an application called StopGpcode that integrates seamlessly with PhotoRec to recover not only each file but also the full name it had before the Trojan encrypted it.
VitalyK acknowledges that breaking Gpcode's 1024-bit RSA encryption appears to be impossible without the key held by the person who generated it.