GPcode ransomware leaves victims stranded

The SonicWall Capture Labs threat reseach team have tracking a well established ransomware family known as GPcode.  GPcode ransomware is typically spread through email attachments or social engineering techniques, such as disguising the malware as a legitimate software update.  Once the malware is run on a victim’s machine, it encrypts files using a strong encryption algorithm, specifically RSA-1024 and AES-256, which makes it impossible to decrypt files without the decryption key.  GPcode has been active since 2005 and was nicknamed the “$20 ransomware”.  It is considered one of the first examples of ransomware and is still being seen in the wild today.  However, GPcode malware authors do not have a track record of providing decryption keys after a ransom is paid and in this case, they are uncontactable.

Infection Cycle:

Upon infection, files on the system are encrypted.  Each encrypted file is given a “.ENCODED” file extension.  The following image is displayed on the desktop background:

The following message is displayed using Notepad:

During runtime, the malware writes ntfs_system.bat and executes it:

ntfs_system.bat contains the following script.  This is used to delete the original malware file:

del "{malware file path}"
del %0


The malware can be seen writing the ransom note file to the desktop:

We tried reaching out to the email address provided in the ransom note but the email bounced:

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Gpcode.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.