GPcode ransomware leaves victims stranded

January 13, 2023

The SonicWall Capture Labs threat reseach team have tracking a well established ransomware family known as GPcode.  GPcode ransomware is typically spread through email attachments or social engineering techniques, such as disguising the malware as a legitimate software update.  Once the malware is run on a victim’s machine, it encrypts files using a strong encryption algorithm, specifically RSA-1024 and AES-256, which makes it impossible to decrypt files without the decryption key.  GPcode has been active since 2005 and was nicknamed the “$20 ransomware”.  It is considered one of the first examples of ransomware and is still being seen in the wild today.  However, GPcode malware authors do not have a track record of providing decryption keys after a ransom is paid and in this case, they are uncontactable.



Infection Cycle:


Upon infection, files on the system are encrypted.  Each encrypted file is given a “.ENCODED” file extension.  The following image is displayed on the desktop background:


The following message is displayed using Notepad:


During runtime, the malware writes ntfs_system.bat and executes it:


ntfs_system.bat contains the following script.  This is used to delete the original malware file:

del "{malware file path}"
del %0


The malware can be seen writing the ransom note file to the desktop:


We tried reaching out to the email address provided in the ransom note but the email bounced:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Gpcode.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.