Hit by Gpcode ransomware? File recovery is the only way forward …



June 16th, 2008

Been hit by Gpcode ransomware? Don't bother waiting around for a tool to crack the encrypted files; instead, recover the original files ...

Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition.

When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted data from the original file data to this new file, and then deletes the original file.

It's known that it is possible to restore a deleted file as long as the data on disk has not been significantly modified. This is why, right from the beginning, we recommended users not to reboot their computers, but to contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode.

What did we settle on? An excellent free utility called PhotoRec, which was created by Christophe Grenier and which is distributed under the General Public License (GPL).

The official PhotoRec utility site is here.
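Why this recovery works, and why continued use of the machine defeats it, shown as an added example that is not from the original post or from PhotoRec: a toy disk model follows the write-new-file-then-delete sequence described above, then carves the deleted original back out by file signature, the general approach PhotoRec takes. The `ToyDisk` class, the file names, the XOR stand-in for the real cipher and the sample data are all assumptions made for illustration.

```python
BLOCK = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end markers
# Constructed sample "photo": JPEG markers around filler text
ORIGINAL = SOI + b"\xe0" + b"constructed sample photo data " * 30 + EOI

class ToyDisk:
    """Hypothetical toy volume: raw blocks plus a directory table."""
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.used = set()
        self.directory = {}            # name -> (first block, block count)

    def write_file(self, name, content):
        n = -(-len(content) // BLOCK)  # blocks needed, rounded up
        total = len(self.data) // BLOCK
        # First-fit allocation: freed blocks get reused by later writes.
        start = next(s for s in range(total - n + 1)
                     if self.used.isdisjoint(range(s, s + n)))
        self.used.update(range(start, start + n))
        self.data[start * BLOCK:start * BLOCK + len(content)] = content
        self.directory[name] = (start, n)

    def delete_file(self, name):
        # Deletion drops the directory entry and frees the blocks;
        # the bytes stay on disk until something overwrites them.
        start, n = self.directory.pop(name)
        self.used.difference_update(range(start, start + n))

def carve_jpegs(image):
    """Signature carving: ignore the directory, scan block starts for a JPEG header."""
    found = []
    for off in range(0, len(image), BLOCK):
        if image[off:off + 3] == SOI:
            end = image.find(EOI, off)
            if end != -1:
                found.append(bytes(image[off:end + 2]))
    return found

def simulate(later_writes):
    """Return True if the original is still recoverable after the sequence in the post."""
    disk = ToyDisk(16)
    disk.write_file("photo.jpg", ORIGINAL)
    scrambled = bytes(b ^ 0xA5 for b in ORIGINAL)   # stand-in for the real cipher
    disk.write_file("photo.jpg.enc", scrambled)     # new file next to the original
    disk.delete_file("photo.jpg")                   # then the original is deleted
    for i in range(later_writes):                   # continued use of the machine
        disk.write_file(f"tmp{i}", b"\x00" * (2 * BLOCK))
    return ORIGINAL in carve_jpegs(disk.data)

if __name__ == "__main__":
    print(simulate(0), simulate(1))
```

With no writes after the deletion the original is carved back intact; a single later write that reuses the freed blocks destroys it, which is the reason for leaving the affected disk untouched until recovery has been run.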

I'm in agreement with Bruce Schneier:

The single most important thing any company or individual can do to improve security is have a good backup strategy. It's been true for decades, and it's still true today.

To add to that, I'd say that what's really important is being able to restore from your backup.

This entry was posted on Monday, June 16th, 2008 at 13:26 and is filed under Stay Secure.