Gpcode

Gpcode is a ransomware variant of Trojan that holds your computer hostage by encrypting files to make them unusable. Although Gpcode tells you that paying a high price for decryption will allow your files to go back to normal, Gpcode may continue to attack your system even after you've paid the price. The majority of Gpcode variants has weaknesses that allow you to regain access to your files without purchasing the criminal decryption tool, making the optimal solution removing Gpcode by the use of a suitable anti-malware program and then using more specialized tactics to restore your files, completely free of charge.

How Gpcode Takes Your Files Hostage

Gpcode, also known as GPCoder, comes in a number of different variations that all use the same basic tactics but with different coding tricks to back them up. Gpcode, like most types of malware, adds a startup entry into your Registry so that Gpcode can run automatically and adds in another entry that helps Gpcode monitor its own encryption progress through your files.

Gpcode encrypts files according to their extensions, and is known to target the following file types:

7z, abd, abk, acad, ace, arh, arj, arx, asm, bak, bcb, bz, bz2, c, cc, cdb, cdr, cdw, cer, cgi, chm, cnt, cpp, css, csv, db, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbm, dbo, dbq, dbt, dbt, dbx, djvu, doc, dok, dpr, dwg, dxf, ebd, eml, eni, ert, fax, fjs, flb, frg, frm, frt, frx, gfa, gfd, gfr, gtd, gz, gzip, h, hpp, htm, html, iges, igs, inc, jad, jar, java, jfi, jpe, jpeg, jpg, jsp, key, kwm, ldiflst, ldr, lsp, lzh, lzw, man, mdb, mht, mmf, mnb, mns, mnu, mo, msb, msg, mxl, old, p12, pak, pas, pdf, pem, pfx, pgp, php, php3, php4, pl, pm3, pm4, pm5, pm6, prf, prx, pst, pw, pwa, pwl, pwm, rar, rmr, rnd, rtf, safesar, sig, sql, tar, tbb, tbb, tbk, tdf, tgz, txt, uue, vb, vcf, wab, xls, xml

The exact method of encryption used is dependent on the version of Gpcode that's infected your PC. It should be noted that after performing this task, some versions of Gpcode will delete themselves and leave you only with the encrypted files and a ransom note.

After encrypting your files to make them unusable, Gpcode will leave instructions you to contact an email address to pay a high ransom price (usually $100 to $200) in exchange for a decryption tool that will return your files to their original states. These instructions are usually left in a text file named 'ATTENTION!!!.TXT' or '!_READ_ME_!.txt.'

The ransom note may read as follows:

• Some files are coded.
• To buy decoder mail: n781567@yahoo.com
• with subject: GPCoder 000000000032

Getting Your Files Back Without Paying the Ransom

Most versions of Gpcode have flaws that you can exploit to get your files back without giving money to the criminal behind Gpcode. For example, a simple Windows undelete utility can help you recover the original versions of files that were deleted by some types of Gpcode, allowing you to dispose of the encrypted files with no harm done. Other versions of Gpcode can be beaten by acquiring a freely-available decryption utility based on the ease of cracking the encryption techniques.

After recovering your files, you should probably run a full system scan in Safe Mode to make sure that lingering remnants of malware related to Gpcode aren't hiding deep in your PC. Although Gpcode itself is limited to its ransomware tactics, Gpcode may come coupled with other malware that can cause further problems for your computer.

Of course, avoiding any infection by Gpcode is preferable to needing to know how to deal with Gpcode! Gpcode is a relatively small executable of just 56kb and uses file compression to reduce its size further and avoid detection. As long as you avoid interacting with risky .exe files and don't acquire any trojans or other infections that can install such files without your consent, you should be safe from Gpcode's scam.