The new ransomware is similar to the GpCode trojan detected by Kapersky in 2004, according to Vitaly Kamluk, a Kaspersky analyst. That GpCode trojan encrypts files on the victim’s computer using Microsoft Enhanced Cryptographic Provider v1.0. Files are encrypted using the RC4 algorithm, and the encryption key is encrypted using an RSA public key 1024 bits in length.
Once the attack happens, the user is instructed, by a popup or a text written on the desktop background, to buy a decrypter tool in order to access the encrypted files.
“Unlike the previous variants, [the new GpCode] doesn’t delete files after encryption. Instead, it overwrites data files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack”, Kamluk wrote.
“This type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive”, he added.
The Kaspersky analyst advises victims of the ransomware not to change anything on their systems “as it may prevent potential data recovery when we find a solution”. Kamluk said it is safe to shutdown the computer and restart it, despite claims by the malware that files will be deleted. “Pushing the reset/power button on your desktop may save a significant amount of your valuable data”, he advised.