I recently wrote about a ransomware attack called GPcode that encrypts files on the victim’s computer and then offers to sell them a decryption key to get them back.

According to Kaspersky Labs, when GPcode does its thing, it first creates a copy of the file it’s going to encrypt. Once that encryption is done, it deletes the original file. Here’s where the fix comes in. When a file is deleted, it isn’t really erased or destroyed unless and until something writes over the same spot on the disk where it was stored. This means that if you get to it soon enough, it’s possible to recover the original file that GPcode deleted.

There’s a free utility called PhotoRec that was originally developed to recover graphics files. It has since been expanded and can now be used to recover a wide variety of files. It’s available as part of the latest version of the TestDisk package.

If you suspect that you’ve been attacked by GPcode, don’t reboot the computer, and absolutely never pay the ransom by “buying” the attacker’s “decryptor” utility. Instead, get the PhotoRec utility and use it to recover the deleted original files.

This fix isn’t guaranteed, and it won’t always work, but it’s certainly worth trying.
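To show the mechanism this fix relies on, here is an added example (not from the original post and not PhotoRec’s code) in Python: it constructs a raw disk image in which the deleted original’s data is still present and the encrypted copy sits elsewhere, then carves the original back out by its PNG signature, the same signature-based approach PhotoRec uses. The 1x1 PNG, the disk layout and the single-byte XOR stand-in for the encrypted copy are all constructed for the example, and the second run shows the “not guaranteed” case, where the original’s sectors have already been reused.

```python
import random
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def _chunk(kind: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

# The IEND chunk is identical in every PNG, so it serves as the carving trailer.
PNG_TRAILER = _chunk(b"IEND", b"")

def make_png() -> bytes:
    """Constructed 1x1 greyscale PNG standing in for the victim's original file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type 0
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one grey pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + PNG_TRAILER

def make_disk_image(original: bytes, overwritten: bool = False) -> bytes:
    """Constructed raw disk image laid out as the post describes the attack: filler,
    the 'deleted' original (its bytes still on disk, only the directory entry gone),
    more filler, then the attacker's encrypted copy."""
    rng = random.Random(7)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    # Stand-in for the encrypted copy (single-byte XOR, not GPcode's real cipher): it no
    # longer starts with the PNG signature, so the carver cannot mistake it for the original.
    encrypted_copy = bytes(b ^ 0x5A for b in original)
    slot = filler(len(original)) if overwritten else original  # overwritten = sectors reused
    return filler(4096) + slot + filler(2048) + encrypted_copy + filler(1024)

def carve_pngs(image: bytes) -> list:
    """Signature carving, the way PhotoRec works: no file system needed, just scan the
    raw bytes for the PNG header and cut up to and including the IEND chunk."""
    found, pos = [], image.find(PNG_MAGIC)
    while pos != -1:
        end = image.find(PNG_TRAILER, pos)
        if end == -1:
            break
        found.append(image[pos:end + len(PNG_TRAILER)])
        pos = image.find(PNG_MAGIC, end + len(PNG_TRAILER))
    return found

if __name__ == "__main__":
    original = make_png()
    print("recovered:", carve_pngs(make_disk_image(original)) == [original])          # True
    print("after overwrite:", carve_pngs(make_disk_image(original, overwritten=True)))  # []
```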
