Ransomware virus (3)

Kaspersky Lab has given up its unrealistic attempt to recover the key used by Gpcode (see the blog entry from 10th June). Its conclusion is that the best countermeasure is a regular backup.

Nevertheless, thanks to a “common” mistake by the virus’s author, there may be some hope for careless users who did not back up. When encrypting a file, the virus creates a new file with the expected extension and then deletes the original. The deletion is not secure. It is common knowledge (at least in the security community) that a simple deletion does not erase the file’s content: it mainly clears the entries in the file system’s indexing tables, so the data remain on the hard disk as long as the freed blocks are not overwritten by a new file. If there was not too much activity on the drive after the infection, typical recovery tools may retrieve the “deleted” files. Kaspersky Lab proposes such a tool from the open source community (PhotoRec). The usual precautions apply: stop writing to the affected disk immediately and recover onto a different medium, because every file written afterwards, including the encrypted copies the virus itself creates, may land on blocks that a deleted original was still occupying.

No doubt the author of the virus will add secure deletion to the already announced new releases of Gpcode. The author claims that he will use a stronger algorithm and new keys. Secure deletion is performed by overwriting every byte of the file with random data, several times, before removing it. Tools exist that perform such secure erasing (shred on Linux, for instance). Note that overwriting in place only helps when the file system really rewrites the same blocks: journaling and copy-on-write file systems, and SSDs with wear levelling, may keep the old content elsewhere.
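To make the two mechanisms above concrete (a deletion that only touches the index table, a carving tool that ignores the table and scans raw blocks, and an overwrite-before-unlink that defeats it), here is an added Python example. It is not Gpcode’s code, nor Kaspersky’s recovery tool. The toy block device, its lowest-free-block allocator, the XOR “encryption” that stands in for the ransomware’s real cipher, and the two sample documents are all constructed assumptions; only the `%PDF-` / `%%EOF` markers are real file signatures of the kind carvers key on.

```python
"""Toy disk showing why a simply deleted file survives and an overwritten one does not.
Everything here is constructed for illustration; it is not the virus's or any tool's code."""
import secrets

BLOCK = 64        # assumed block size of the toy disk
NBLOCKS = 16      # assumed disk size (16 blocks, 1 KiB)

# Real PDF header/trailer markers; signature carvers look for runs like these.
PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"


class ToyDisk:
    """A block device with a separate index table, like a real file system:
    the table says which blocks belong to which name, the blocks hold the bytes."""

    def __init__(self):
        self.blocks = bytearray(NBLOCKS * BLOCK)
        self.free = list(range(NBLOCKS))   # assumption: lowest free block is handed out first
        self.index = {}                    # name -> (block numbers, byte length)

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)    # ceiling division
        owned = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(owned):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = (owned, len(data))

    def read_file(self, name):
        owned, length = self.index[name]
        raw = b"".join(bytes(self.blocks[b * BLOCK:(b + 1) * BLOCK]) for b in owned)
        return raw[:length]

    def simple_delete(self, name):
        """What the text describes: only the index entry goes; block content stays."""
        owned, _ = self.index.pop(name)
        self.free = sorted(self.free + owned)

    def secure_delete(self, name, passes=3):
        """Overwrite every block of the file with random data before releasing it."""
        owned, _ = self.index[name]
        for _ in range(passes):
            for b in owned:
                self.blocks[b * BLOCK:(b + 1) * BLOCK] = secrets.token_bytes(BLOCK)
        self.simple_delete(name)


def carve(image, header=PDF_HEADER, trailer=PDF_TRAILER):
    """Signature-based recovery, the principle behind carving tools: ignore the
    index table and scan the raw blocks for header ... trailer runs."""
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        end = image.find(trailer, start)
        if end < 0:
            break
        end += len(trailer)
        found.append(bytes(image[start:end]))
        pos = end
    return found


KEY = bytes(range(1, 17))   # stand-in for the ransomware's real cipher and key


def toy_encrypt(data):
    """XOR with a repeating key: only here to make the copy unreadable to carve()."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def ransom(disk, name, secure=False):
    """Mimic the sequence in the text: write an encrypted copy under a new
    extension, then delete the original, insecurely or with the overwrite."""
    disk.write_file(name + "._CRYPT", toy_encrypt(disk.read_file(name)))
    if secure:
        disk.secure_delete(name)
    else:
        disk.simple_delete(name)


def scenario(secure):
    """Two constructed documents hit by the virus; returns what a carver still finds."""
    disk = ToyDisk()
    report = b"%PDF-1.4\n" + b"quarterly figures, do not distribute " * 2 + b"\n%%EOF"
    memo = b"%PDF-1.4\n" + b"board memo, strictly internal " * 2 + b"\n%%EOF"
    disk.write_file("report.pdf", report)
    disk.write_file("memo.pdf", memo)
    ransom(disk, "report.pdf", secure)
    ransom(disk, "memo.pdf", secure)
    return disk, carve(disk.blocks), report, memo


if __name__ == "__main__":
    for secure in (False, True):
        _, recovered, _, _ = scenario(secure)
        print("secure" if secure else "simple", "delete -> carved", len(recovered), "file(s)")
```

With the simple deletion, the carver recovers the memo intact although its index entry is gone. The report, however, is lost: the memo’s encrypted copy was written after the report’s blocks had been freed, and the lowest-free-block allocator reused exactly those blocks, which is the “not too much activity on the drive” caveat in miniature. With `secure=True` the carver finds nothing, because each original was overwritten with random data before its index entry was cleared. On a real disk the same overwrite may miss the original blocks entirely (journaling, copy-on-write, SSD wear levelling), so treat the toy as an illustration of the principle, not as a guarantee.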

Two lessons:

  • Backup, backup, and backup
  • Developers, if you want to delete a file, use a secure procedure.
