{
	"id": "03c4e56a-4989-454a-90f2-3c8afada4302",
	"created_at": "2026-04-06T00:13:51.96142Z",
	"updated_at": "2026-04-10T13:11:51.647849Z",
	"deleted_at": null,
	"sha1_hash": "fad3b72fed7a64edfda66fd3e1fffd1460a5223d",
	"title": "Who's behind the GPcode ransomware?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78293,
	"plain_text": "Who's behind the GPcode ransomware?\r\nBy Dancho Danchev, Contributor, June 9, 2008 at 10:52 p.m. PT\r\nArchived: 2026-04-05 12:51:43 UTC\r\nIn one of those moments when those who are supposed to know don't know, and those who don't realize what they know aren't reaching the appropriate parties, it's time to get back to basics: finding out who's behind GPcode, and trying to tip them off about the consequences of their blackmailing actions, while collecting as much actionable intelligence as possible using OSINT (open source intelligence) and CYBERINT (cyber intelligence practices).\r\nGreat situational awareness on the part of Kaspersky Labs, who were the first to report that a new version of GPcode (also known as PGPCoder) is in the wild, this time with a successful implementation of RSA 1024-bit encryption. However, aiming to crack the encryption could set an important precedent, namely using distributed computing to undo the effects of cyber criminals' actions. The next time they will introduce even stronger encryption, which will be impossible to crack unless we want to end up running a dedicated BOINC project for cracking ransomware. Are there any more pragmatic ways of dealing with cryptoviral extortion? It's all a matter of perspective. More on the Stop GPcode initiative, which seeks the collective intelligence of independent researchers, is in this blog post:\r\n\"Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key. Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem. So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations. Here are the public keys used by the authors of Gpcode.\"\r\nAlthough GPcode did get the encryption implementation right this time, its only weakness remains the way it simply deletes the files it has just encrypted instead of securely wiping them, at least according to the single sample obtained. Consequently, just like a situation where your files are encrypted with strong encryption and virtually impossible to crack, but the original files  Moreover, instead of trying to crack an algorithm that was created not to be cracked, at least not efficiently enough to get the encrypted data decrypted, why not buy a single copy of the decryptor and start analyzing it? It also appears that the decryptor isn't universal: they seem to build custom decryptors once the public key used to encrypt the data has been provided to them.\r\nSo, the ultimate question: who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well as the most recent IPs used in the communication:\r\nEmail addresses the GPcode authors tell infected victims to contact: content715@yahoo .com, saveinfo89@yahoo .com, cipher4000@yahoo .com, decrypt482@yahoo .com\r\nVirtual currency accounts used by the malware authors: Liberty Reserve account U6890784; E-Gold account 5431725; E-Gold account 5437838\r\nSample response email: \"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson\"\r\nSecond sample response email, this time requesting $200: \"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke\"\r\nSo, you've got two people responding with copy-and-paste emails, each of them seeking a different amount of money? Weird. The John Doe-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network, China Network Communications Group Corporation, No.156, Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227 (Liaoning Province Network, China Network Communications Group Corporation, No.156, Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, even though these campaigners are Russians.\r\nThis incident is a good example of targeted cryptoviral extortion: it is not efficiency-centered, and the core distribution method remains unknown for the time being. Analysis and investigation are continuing. If you're affected, look for backups of your data or try restoring the deleted files, and don't encourage blackmail by paying them.\r\nSource: http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/"
	],
	"report_names": [
		"whos-behind-the-gpcode-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fad3b72fed7a64edfda66fd3e1fffd1460a5223d.pdf",
		"text": "https://archive.orkl.eu/fad3b72fed7a64edfda66fd3e1fffd1460a5223d.txt",
		"img": "https://archive.orkl.eu/fad3b72fed7a64edfda66fd3e1fffd1460a5223d.jpg"
	}
}