Tuesday, September 30, 2008

Identifying the Gpcode Ransomware Author

Interesting article, but it implies that there has been a shortage of quality OSINT regarding the campaigners behind the recent Gpcode targeted cryptoviral extortion attacks :

"The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files. Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact that GPcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines."

In reality, there hasn't been a shortage of timely OSINT aiming to to identify the authors - "Who’s behind the GPcode ransomware?" :

"So, the ultimate question - who’s behind the GPcode ransomware? It’s Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well their most recent IPs used in the communication (58.38.8.211; 221.201.2.227) :

Emails used by the GPcode authors where the infected victims are supposed to contact them :
content715@yahoo .com
saveinfo89@yahoo .com
cipher4000@yahoo .com
decrypt482@yahoo .com


Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838
"

The bottom line - out of the four unique emails used by the GPcode campaigners, only two were actively corresponding with the victims, each of them requesting a different amount of money, but both, taking advantage of U.S based web services to accomplish their attack.