Kaspersky Lab, a leading developer of secure content management systems, is now able to provide users with instruction on how to recover files attacked by the Gpcode.ak virus. As reported earlier, decrypting files encrypted by Gpcode.ak without the private key is not, as yet, possible. However, a method for recovering encrypted files has been identified.
The method makes use of the fact that before encrypting a file, Gpcode.ak creates a new file (which contains encrypted data from the original file) ‘next to’ the file it encrypts. Once encryption of a file is complete, the virus deletes the original file.
It is well-known that deleted files can be recovered if the data on the hard drive has not been significantly modified. This is why, from the start, Kaspersky Lab's advice to users whose computers were attacked by Gpcode.ak has been to contact the company’s virus experts without rebooting the infected computer. Users who have contacted us have been advised to use various file recovery utilities. Unfortunately, most such utilities are distributed under shareware licenses. Kaspersky Lab analysts have searched for the most effective and accessible of such utilities to help users recover the files deleted by Gpcode.ak. The free PhotoRec utility, developed by Christophe Grenier and distributed under a GPL license, turned out to be just such a solution.
Originally, the utility was developed for the recovery of graphics files (hence its name, PhotoRec, which is short for Photo Recovery). Later, its functionality was extended and it can now be used to recover Microsoft Office documents, executable files, PDF and TXT documents, as well as file archives in a variety of formats (view list of formats).
The PhotoRec utility is supplied with the latest version of the TestDisk package (ZIP file, 1.43 MB).
The PhotoRec utility performs the function of recovering files on a selected partition remarkably well. However, restoring the exact file names and paths remains a problem. To address this issue, Kaspersky Lab has developed a small free utility, StopGpcode (ZIP file, 71.2 KB), which restores original file names and the full paths of the files recovered.
Kaspersky Lab suggests that users who have suffered from the Gpcode.ak virus donate to the author of the PhotoRec utility rather than pay cybercriminals.
Detailed instructions on manually recovering files with the help of PhotoRec and StopGpcode utilities have been added to the Gpcode.ak description.