Gpcode File Recovery Method Revealed

Kaspersky Lab has provided instructions on how to recover files attacked by the Gpcode.ak virus.

According to the company, decrypting files encrypted by Gpcode.ak without the private key is not, as yet, possible. However, a method for recovering encrypted files has been identified.

The method makes use of the fact that before encrypting a file, Gpcode.ak creates a new file (which contains encrypted data from the original file) ‘next to’ the file it encrypts. Once encryption of a file is complete, the virus deletes the original file.

It is well known that deleted files can be recovered if the data on the hard drive has not been significantly modified. Kaspersky Lab analysts have searched for the most effective and accessible file recovery utility to help users recover the files deleted by Gpcode.ak.

The free PhotoRec utility, developed by Christophe Grenier and distributed under a GPL license, is such a solution. Originally, the utility was developed for the recovery of graphics files as exemplified by its name, PhotoRec – short for Photo Recovery. Later, its functionality was extended and it can now be used to recover Microsoft Office documents, executable files, PDF and TXT documents, as well as file archives in a variety of formats. The PhotoRec utility is supplied with the latest version of the TestDisk package.

 

The PhotoRec utility effectively performs the function of recovering files on a selected partition. However, restoring the exact file names and paths remains a problem. To address this issue, Kaspersky Lab has developed a small free utility, StopGpcode, which restores original file names and the full paths of the files recovered.
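The recovery principle described above, as an added illustration (not Kaspersky Lab's or PhotoRec's code): a deleted file's data stays on disk until overwritten, so a signature-based carver can pull it out of a raw image, but without file system metadata the original names and paths are lost. The disk image, the two-entry signature table and the offset-based naming scheme are constructed for this example.

```python
SECTOR = 512

# (extension, header magic, footer magic): well-known file signatures
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF"),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
]

# Constructed sample contents standing in for a user's deleted originals.
PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
JPG = b"\xff\xd8\xff\xe0" + b"JFIF-sample-pixels" + b"\xff\xd9"

def carve(image: bytes, max_size: int = 1 << 20):
    """Return sorted [(name, data)] for each header..footer run in image."""
    found = []
    for ext, head, foot in SIGNATURES:
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                # Header with no footer: the tail was overwritten or fragmented.
                pos = start + 1
                continue
            end += len(foot)
            # No directory entry is consulted, so the original name and path
            # are unknown; name the file after the sector it was found in.
            found.append((f"f{start // SECTOR:07d}.{ext}", image[start:end]))
            pos = end
    return sorted(found)

def build_sample_image() -> bytes:
    """Constructed raw image: deleted originals left in unallocated sectors."""
    img = bytearray(24 * SECTOR)  # zero-filled "disk"

    def put(sector: int, blob: bytes) -> None:
        img[sector * SECTOR : sector * SECTOR + len(blob)] = blob

    put(4, PDF)                                   # deleted original, intact
    put(9, JPG)                                   # deleted original, intact
    put(12, bytes((i * 37 + 11) % 251 for i in range(600)))  # stand-in for an encrypted copy
    put(20, b"%PDF-1.3 tail overwritten")         # original already partly overwritten
    return bytes(img)

if __name__ == "__main__":
    for name, data in carve(build_sample_image()):
        print(name, len(data), "bytes")
```

The partly overwritten file at sector 20 is not recovered, which is why recovery should be attempted before the disk is written to any further.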

Kaspersky Lab suggests that users who have suffered from the Gpcode.ak virus donate to the author of the PhotoRec utility rather than pay cybercriminals. Detailed instructions on manually recovering files with the help of PhotoRec and StopGpcode utilities have been added to the Gpcode.ak description.

See: www.kaspersky.com