The malicious file encryptor GPCODE, which held captive the files of its victims with a 660-bit algorithm for ransom, has not been heard of for two years now. Neither has an incident involving ransomware occurred for the last five months — but now all that has changed.
A new and more powerful variant of GPCODE has emerged, this time encrypting files on affected systems using a much more powerful algorithm. Detected by Trend Micro as TROJ_GPCODE.AD, this file-encryptor uses a 1024-bit key, making it tremendously hard for experts to debunk the algorithm. Doing the said task would take 15 million modern computers about a year to complete, The Register reports.
TROJ_GPCODE.AD encrypts all files with certain file extensions, which includes a wide array of file types, rendering the files unreadable. It displays the following message box that informs the user of the file encryption, and then gives an email address to contact whoever has the decryptor that they can use to reclaim their files.
It also changes the file names of all encrypted files by appending the string ._CRYPT to the end of every file name.
Moreover, according to independent security researcher Dancho Danchev, the IPs used in this campaign are from China even though the authors may be Russian.