
GPcode ransomware leaves victims stranded
The SonicWall Capture Labs threat research team has been tracking a well-established ransomware family known as GPcode. GPcode ransomware is typically spread through email attachments or social engineering techniques, such as disguising the malware as a legitimate software update. Once the malware is run on a victim’s machine, it encrypts files using strong encryption, specifically RSA-1024 and AES-256, which makes it impossible to decrypt the files without the decryption key. GPcode has been active since 2005 and was nicknamed the “$20 ransomware”. It is considered one of the first examples of ransomware and is still being seen in the wild today. However, GPcode malware authors do not have a track record of providing decryption keys after a ransom is paid, and in this case they are uncontactable.
Infection Cycle:
Upon infection, files on the system are encrypted. Each encrypted file is given a “.ENCODED” file extension. The following image is displayed on the desktop background:
The following message is displayed using Notepad:
During runtime, the malware writes ntfs_system.bat and executes it:
ntfs_system.bat contains the following script. This is used to delete the original malware file:
rem delete the original malware executable (the malware fills in its own path at runtime)
del "{malware file path}"
rem delete this batch file itself; %0 expands to the script's own path
del %0
The malware can be seen writing the ransom note file to the desktop:
We tried reaching out to the email address provided in the ransom note but the email bounced:
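The infection cycle above gives a defender three observable behaviours to correlate: a burst of files renamed to the “.ENCODED” extension, a batch file (ntfs_system.bat) that deletes the original executable and then itself with “del %0”, and a ransom note written to the desktop. The script below is an added example written for this write-up, not SonicWall code, and it runs over a constructed stream of file-activity events of the kind an EDR or Sysmon pipeline might emit. The event field names, the process name update.exe, the file paths, the 5-renames-per-60-seconds threshold and the note filename are all assumptions for the example; only the “.ENCODED” extension, the ntfs_system.bat name and the “del %0” pattern come from the page.

```python
"""Heuristic detector for the GPcode-style behaviour described in the write-up.

Added example, not SonicWall code. Events are dicts with the fields ts, type,
process and either old_path/new_path (rename) or path/content (write); that
schema is an assumption for the example.
"""
from collections import Counter

ENCRYPTED_EXT = ".ENCODED"   # extension GPcode appends to each encrypted file (from the write-up)
BURST_THRESHOLD = 5          # assumption: this many renames per window by one process is suspicious
WINDOW_SECONDS = 60          # assumption: bucket width for the burst count


def is_self_deleting_batch(script):
    """True if a batch script removes itself: a del/erase whose target is %0."""
    for line in script.splitlines():
        tokens = line.strip().lower().split()
        if len(tokens) >= 2 and tokens[0] in ("del", "erase") and "%0" in tokens[1:]:
            return True
    return False


def encoded_rename_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Count renames to .ENCODED per (process, time bucket); return buckets at or over threshold."""
    buckets = Counter()
    for ev in events:
        if ev["type"] == "rename" and ev["new_path"].upper().endswith(ENCRYPTED_EXT):
            buckets[(ev["process"], ev["ts"] // window)] += 1
    return sorted(
        (proc, bucket * window, count)
        for (proc, bucket), count in buckets.items()
        if count >= threshold
    )


def analyze(events):
    """Return human-readable findings: rename bursts, self-deleting .bat writes,
    and desktop drops by a process that is already mass-renaming files."""
    findings = []
    bursting = set()
    for proc, start, count in encoded_rename_bursts(events):
        bursting.add(proc)
        findings.append(f"{proc}: {count} renames to {ENCRYPTED_EXT} in the "
                        f"{WINDOW_SECONDS}s window starting at t={start}")
    for ev in events:
        if ev["type"] != "write":
            continue
        path = ev["path"].lower()
        if path.endswith(".bat") and is_self_deleting_batch(ev.get("content", "")):
            findings.append(f"{ev['process']}: wrote self-deleting batch file {ev['path']}")
        elif "\\desktop\\" in path and ev["process"] in bursting:
            findings.append(f"{ev['process']}: dropped {ev['path']} on the desktop "
                            f"after mass-renaming files")
    return findings


# Constructed sample: one benign rename by explorer.exe, then six .ENCODED renames,
# a desktop drop and the ntfs_system.bat write by the (assumed) malware process update.exe.
SAMPLE_BATCH = 'del "C:\\Users\\victim\\Downloads\\update.exe"\r\ndel %0\r\n'
SAMPLE_EVENTS = [
    {"ts": 40, "type": "rename", "process": "explorer.exe",
     "old_path": r"C:\Users\victim\Documents\draft.docx",
     "new_path": r"C:\Users\victim\Documents\final.docx"},
] + [
    {"ts": 100 + 2 * i, "type": "rename", "process": "update.exe",
     "old_path": rf"C:\Users\victim\Documents\file{i}.docx",
     "new_path": rf"C:\Users\victim\Documents\file{i}.docx.ENCODED"}
    for i in range(6)
] + [
    {"ts": 111, "type": "write", "process": "update.exe",
     "path": r"C:\Users\victim\Desktop\note.txt"},          # note filename is assumed
    {"ts": 112, "type": "write", "process": "update.exe",
     "path": r"C:\Windows\Temp\ntfs_system.bat", "content": SAMPLE_BATCH},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The burst rule alone would fire on any tool that legitimately renames many files, so the desktop-drop rule is gated on the same process already being in a burst, and the batch rule looks for the specific self-deletion idiom rather than any .bat write; tune the threshold and window to the volume seen on the hosts being monitored.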
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Gpcode.RSM (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.