The two most prominent ransomware Trojans of recent times could be the work of the same or a closely-related Russian group, an analysis has suggested.
Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode nasty that first hit the internet as long ago as early 2005. As with its predecessors, the new Trojan, also named “Glamour,” sets out to encrypt data files on any PC it infects, demanding a ransom of US$300 (NZ$394) in return for a key to unlock files.
Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and the earlier version. Of the 168 functions identified in the code of the new variant, 63 were identical to the older version.
“The results indicate that these two Trojans ... originated from the same source tree. This could mean that the original authors are actively modifying the code themselves, or they sold/traded the source code to another group who is now in charge of the modifications,” say the authors.
In other words, a single or allied group is cycling the same basic ransomware platform through a series of attacks, modifying it each time to evade detection for long enough to find victims. If true, that increases the likelihood of future attacks using the same code base.
The planned window of opportunity appears to have been a short one — the compile date for the malware was July 5 and the deadline date mentioned in its threat message to victims states a payment deadline of July 15.
SSC has also found frightening evidence of GpCode’s effectiveness. “In the 8 months since November, we’ve recovered stolen data from 51 unique drop sites. The 14.5 million records found within these files came from over 152,000 unique victims,” says the report.
Fortunately, despite claiming to have encrypted files using RSA 4096-bit, the new version’s apparent use of sophisticated encryption is a bluff. Unlike previous versions of GpCode, the new variant uses a much simpler but unnamed technique to create the appearance of having encrypted files, possibly just a long-strong pass phrase. A number of companies have produced tools to reverse the work of the latest GpCode.
Ransomware Trojans have a fearsome reputation, but are still thankfully one of malware's rarer events. The long periods of silence could, indeed, be part of their design. Attacks have been recorded from early 2005, and several times in 2006.