Security Experts:

Connect with us

Hi, what are you looking for?



New Ransomware Uses GnuPG to Encrypt Files

Ransomware Using GnuPG to Encrypt Files

Ransomware Using GnuPG to Encrypt Files

Security companies have come across a new piece of ransomware that’s designed to encrypt files on infected computers. What’s interesting about this threat is that it’s easy to update and it uses open source software to encrypt files.

Both Symantec and Trend Micro have analyzed the malware, which they’ve dubbed Trojan.Ransomcrypt.L and BAT_CRYPTOR.A, respectively. Once it infects a computer, the crypto ransomware uses GNU Privacy Guard (GnuPG), an open source implementation of the OpenPGP standard, to encrypt files and hold them for ransom.

The main component of Ransomcrypt is a batch file that enables the attackers to easily update the malware and control its behavior, Symantec said.

“The threat downloads the 1024-bit RSA public key and imports this key through an option in GnuPG. The malware then encrypts the victims’ files by using GnuPG’s Encrypt Files option with the public key. If the user wants to decrypt the affected files, they need the private key, which the malware author owns. It’s difficult for victims to decrypt the encrypted files without this private key,” Symantec’s Kazumasa Itabashi wrote in a blog post.

Trend Micro has pointed out that GnuPG doesn’t need to be installed on infected systems for the ransomware to perform its encryption routines. The malware is designed to download a copy of the application if necessary.

Once the files are encrypted, they’re renamed to “[file name][email protected]_com.” Then, a text document written in Russian informs victims that they have to pay €150 ($200) to recover their files. Users are instructed to contact a specified email address for information on how to decrypt the compromised files.

In addition to BAT_CRYPTOR.A, Trend Micro has spotted another new crypto ransomware which it has dubbed Cryptoblocker (TROJ_CRYPTFILE.SM). Unlike BAT_CRYPTOR.A, this threat doesn’t target only Russian speakers. Infections have been spotted in several countries, but the most affected are the United States (28% of infections), France  (17%), Japan (10%), Spain (8%) and Italy (7%).

“This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that  the advanced encryption standard (AES) is found in the malware code,” Trend Micro Research Engineer Eduardo Altares II explained in a blog post.

Trend Micro believes Cryptoblocker might be the creation of inexperienced malware writers because compiler notes have not been removed from the code, allowing security researchers to detect the files they create.

Another interesting piece of ransomware uncovered recently is CTB-Locker (Critroni), which is the first threat of this kind to use Tor for communications with command and control (C&C) servers.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.