Recovering from the Encryption Virus

June 17, 2008 – 9:57 AM

Kaspersky Lab has published advice on recovering files encrypted by the frightening Gpcode.ak virus, but there is a big catch: the infected PC must not have been switched off or rebooted since the infection.

A new variant of the malware struck last week, scrambling a variety of files on victims' PCs using a 1,024-bit RSA key that has so far defeated attempts to crack it (recovering the private key would mean factoring the modulus). Its creators demand a ransom for the unlock key.

While victims of the malware will be grateful for any method of recovering files, this technique is fraught with problems for the non-technical. Ideally, users need a second, and therefore clean, computer with which to download the GPL-licensed utility Photorec to start the process.

The biggest barrier of all, however, is that the recovery utility must be run without the PC having been turned off or rebooted since the infection was first noticed, which will probably leave only a small fraction of victims able to use the method.

A reboot tends to be the first thing users try when hit by malware, but it risks changing data on the hard disk, overwriting the areas used by a file the malware created when it first encrypted a victim's files. It is this small mistake in how the malware handles files on disk that makes recovery possible at all: the data it leaves behind survives only until something else reuses those sectors.

Although Photorec is reported to recover files successfully under these conditions, it does not restore their names: users need a separate utility from Kaspersky to relate the recovered files to their real file names and original directory structure. All in all, the method adds up to a pretty steep crash course in the technical side of a Windows PC.
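The principle behind the Photorec step is signature-based file carving: walk the raw disk sector by sector, look for known file headers, and cut out everything up to the matching footer, with no help from the file system. The following is an added example written for this page, not code from Photorec or Kaspersky. It builds a small constructed disk image in memory (a PNG, a scrambled copy standing in for the ransomware's output using a one-byte XOR rather than Gpcode's RSA scheme, and the "deleted" original left in place), carves the image, and validates the carved PNG by checking its chunk CRCs. The `overwritten` flag simulates a reboot reusing a sector in the middle of the old file, which is the failure mode the article warns about.

```python
"""Signature-based file carving over a constructed in-memory disk image.
Added example; no real disk is read and no real malware output is used."""
import struct
import zlib

SECTOR = 512

# header -> (footer, maximum plausible file size); the footer is kept in the carve
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": (b"IEND\xaeB`\x82", 50 * 1024 * 1024),
    b"\xff\xd8\xff": (b"\xff\xd9", 50 * 1024 * 1024),
    b"%PDF-": (b"%%EOF", 100 * 1024 * 1024),
}


def carve(image: bytes):
    """Return (offset, header, data) for every header/footer pair found.
    Files are allocated on sector boundaries, so only those are checked."""
    found = []
    pos = 0
    while pos < len(image):
        hit = None
        for header, (footer, max_len) in SIGNATURES.items():
            if image.startswith(header, pos):
                end = image.find(footer, pos + len(header), pos + max_len)
                if end != -1:
                    end += len(footer)
                    hit = (pos, header, image[pos:end])
                break
        if hit:
            found.append(hit)
            # skip past the carved file, rounded up to the next sector boundary
            pos = ((hit[0] + len(hit[2]) + SECTOR - 1) // SECTOR) * SECTOR
        else:
            pos += SECTOR
    return found


def png_chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Minimal valid RGB PNG; level-0 zlib keeps the IDAT large enough to span sectors."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw, 0)) + png_chunk(b"IEND", b""))


def png_is_intact(data: bytes) -> bool:
    """Walk the chunks and verify every CRC. A carve whose middle sectors were
    overwritten still has header and footer, but fails here."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if len(body) != length or zlib.crc32(kind + body) & 0xFFFFFFFF != crc:
            return False
        if kind == b"IEND":
            return True
        pos += 12 + length
    return False


def build_disk(overwritten: bool) -> bytes:
    """Constructed 64-sector image: the victim's PNG at sector 4, a scrambled
    copy at sector 20. 'Deleting' the original only drops its directory entry,
    so its sectors keep their content until something reuses them."""
    disk = bytearray(64 * SECTOR)
    original = make_png(32, 32)
    disk[4 * SECTOR:4 * SECTOR + len(original)] = original
    # stand-in for the ransomware's output (one-byte XOR, not Gpcode's RSA)
    scrambled = bytes(b ^ 0x5A for b in original)
    disk[20 * SECTOR:20 * SECTOR + len(scrambled)] = scrambled
    if overwritten:
        # a reboot writes fresh data into a free sector inside the old file
        disk[6 * SECTOR:7 * SECTOR] = b"REBOOT LOG DATA " * 32
    return bytes(disk)


def recover(image: bytes):
    """Carve the image and report (offset, intact) for each PNG found."""
    return [(off, png_is_intact(data)) for off, hdr, data in carve(image)
            if hdr.startswith(b"\x89PNG")]


if __name__ == "__main__":
    print("no reboot:", recover(build_disk(overwritten=False)))
    print("after reboot overwrote a sector:", recover(build_disk(overwritten=True)))
```

On the clean image the PNG is carved from sector 4 and validates; after the simulated reboot the same offset is still found, because header and footer survive, but the CRC check fails and the file is unusable. Had the reboot hit the header sector instead, carving would have found nothing at all. The scrambled copy is never matched because it carries no recognisable header. Note also that carving yields files identified only by disk offset and type, with no names or directories, which is exactly why the article's second step, mapping recovered files back to their original names, is needed.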

Meanwhile, a full cure for Gpcode appears no nearer, with Kaspersky admitting it still hasn't recovered the private key that would unlock files the easy way. And even if the company did obtain the key, nothing stops the attackers releasing a variant that uses a new one.

As serious as Gpcode.ak has become (it is effectively a kind of encryption zero-day attack for which there is no patch), Kaspersky's approach has come in for criticism from security researcher Dancho Danchev, who has accused the company of exploiting worry over the malware as a marketing tool. If that is a valid criticism, Kaspersky is far from the first to employ such tactics; the whole security alerts business is built on the same premise.

Ordinary users affected by Gpcode, if indeed there are many of them, will simply be happy to have at least one method that offers hope of recovering their files without giving in to the criminals and paying the ransom demanded.
