The malware, called Virus.Win32.Gpcode by Kaspersky, had been pestering computer users in Eastern Europe for over a year. It spreads via a Microsoft Word document – called anketa.doc – which contains a malicious program called Trojan-Dropper.MSWord.Tored.a. After it downloads another trojan onto an affected PC, Gpcode scans the PC’s directories and codes all available encrypted files.
A .txt file is left for victims to instruct them on how to pay to have their files back.
Security experts said earlier this month that the ransomware could eventually spread from Russia to Western Europe and eventually the U.S.
Kaspersky was first notified of Gpcode in December of 2004, and a second wave of infections hit users last June. This January, the trojan began to use RSA encryption, and new variants of the malware launched this month.
The malicious user would restore the files for between 500 and 2,000 rubles – or between approximately $20 and $80, according to Kaspersky.
Numerous security vendors said the trojan also creates a list of the files it has infected on an affected PC, called autosave.sin.
The ransomware is reminiscent of older scams, according to F-Secure.
"Gpcode is a trojan that encrypts files with certain extensions on local and remote drives and then asks a user to contact its author to buy a decryption solution. So basically, the trojan makes users files hostages and asks for a ransom to ‘free’ them. This is a type of criminal activity that has not been seen for a long time," read part of an advisory from the Helsinki-based security vendor.