The two most prominent ransomware Trojans of recent times could be the work of the same people, or a related group of criminals, an analysis has suggested.
Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode nasty that first hit the Internet as long ago as Spring 2005, and was tracked to a Russian site. As with its predecessors, the new Trojan, also named “Glamour,” sets out to encrypt data files on any PC it infects, demanding a ransom of $300 in return for a key to unlock files.
Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and another version that appeared in 2006. Of the 168 functions identified in the code of the new variant, 63 were identical to the older 2006 version.
“The results indicate that these two Trojans, found in the wild nearly six months apart, originated from the same source tree. This could mean that the original authors are actively modifying the code themselves, or they sold/traded the source code to another group who is now in charge of the modifications,” say the authors.
In other words, the same basic ransomware platform is being cycled through a series of attacks by a single group, or a closely allied set of groups, modifying it each time to evade detection for long enough to find victims. If true, that increases the likelihood of future attacks using the same code base.
The planned window of opportunity appears to have been a short one – the compile date for the malware was July 5th and the deadline date mentioned in its threat message to victims states a payment deadline of July 15th.
SSC has also found frightening evidence of GPCode’s effectiveness. “In the 8 months since November, we’ve recovered stolen data from 51 unique drop sites […]. The 14.5 million records found within these files came from over 152,000 unique victims,” says the report.
Fortunately, despite claiming to have encrypted files using RSA 4096-bit, the new version’s apparent use of sophisticated encryption is a bluff. Unlike previous versions of GpCode, the new variant uses a much simpler but unnamed technique to create the appearance of having encrypted files, possibly just a long-strong passphrase. A number of companies have produced tools to reverse the work of the latest GpCode.
Ransomware Trojans have a fearsome reputation, but are still thankfully one of malware’s rarer events. The long periods of silence could, indeed, be part of their design. Attacks have been recorded from early 2005, and several times in 2006.