{"id":85245,"date":"2018-03-19T13:29:15","date_gmt":"2018-03-19T20:29:15","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=85245"},"modified":"2025-06-04T02:14:50","modified_gmt":"2025-06-04T09:14:50","slug":"ransomware-takes-open-source-path-encrypts-gnu-privacy-guard","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/","title":{"rendered":"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard"},"content":{"rendered":"<p>McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\" target=\"_blank\" rel=\"noopener\">ransomware using GnuPG<\/a> to encrypt files is not unique, it is uncommon.<\/p>\n<h2>We analyzed the following SHA-256 hashes of the malware GPGQwerty:<\/h2>\n<ul>\n<li>2762a7eadb782d8a404ad033144954384be3ed11e9714c468c99f0d3df644ef5<\/li>\n<li>39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502<\/li>\n<li>f5cd435ea9a1c9b7ec374ccbd08cc6c4ea866bcdc438ea8f1523251966c6e88b<\/li>\n<\/ul>\n<p>We found these hashes need many support files for successful execution. The three files themselves will not encrypt anything. GPGQwerty consists of a bundle of files that runs together to encrypt a victim\u2019s machine. The bundle comprises ten files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85301\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg\" alt=\"\" width=\"720\" height=\"210\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/1-1.jpg 720w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/1-1-300x88.jpg 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/p>\n<p>This ransomware was first seen at the beginning of March. Generally, this type of malware spreads by spam email, malicious attachments, exploits, or fraudulent downloads. The binary 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502 was spotted in the wild at hxxp:\/\/62.152.47.251:8000\/w\/find.exe; it may be part of a drive-by download strategy or was hosted on a legitimate site.<\/p>\n<p>Key.bat, run.js, and find.exe are three files that play a vital role in the encryption process. The infection process follows this path:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85302\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/2.png\" alt=\"\" width=\"1124\" height=\"346\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/2.png 1124w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/2-300x92.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/2-768x236.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/2-1024x315.png 1024w\" sizes=\"auto, (max-width: 1124px) 100vw, 1124px\" \/><\/p>\n<h2><strong>Analysis<\/strong><\/h2>\n<p>The binary find.exe has eight sections and the raw size of its .bss section is zero.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85246\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1.jpg\" alt=\"\" width=\"543\" height=\"314\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/1.jpg 543w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/1-300x173.jpg 300w\" sizes=\"auto, (max-width: 543px) 100vw, 543px\" \/><\/p>\n<p>It also has an unusual time and date stamp:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85247\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/2-1.jpg\" alt=\"\" width=\"521\" height=\"234\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/2-1.jpg 521w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/2-1-300x135.jpg 300w\" sizes=\"auto, (max-width: 521px) 100vw, 521px\" \/><\/p>\n<p>The file includes malicious thread local storage (TLS) callbacks as an anti-analysis trick. Generally, this technique allows executable files to include malicious TLS callback functions to run prior to the AddressOfEntryPoint field (the normal execution point of a binary) in the executable header.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85248\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/3.png\" alt=\"\" width=\"669\" height=\"227\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/3.png 669w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/3-300x102.png 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/p>\n<p>The action starts with the execution of the batch file key.bat. It imports the key and launches find.exe on the victim\u2019s machine by executing the JavaScript run.js. The contents of the batch and JavaScript files are shown in the following snippet:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85303\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/3.jpg\" alt=\"\" width=\"353\" height=\"263\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/3.jpg 353w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/3-300x224.jpg 300w\" sizes=\"auto, (max-width: 353px) 100vw, 353px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85304\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/4.jpg\" alt=\"\" width=\"488\" height=\"556\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/4.jpg 488w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/4-263x300.jpg 263w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/4-439x500.jpg 439w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><\/p>\n<p>This ransomware kills some selected running tasks using command-line utility taskkill. This command has options to kill a task or process either by using the process ID or the image filename. In the following snippet, we see it terminating some processes forcefully by using their image names.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85249\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/4.png\" alt=\"\" width=\"648\" height=\"322\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/4.png 648w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/4-300x149.png 300w\" sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/p>\n<p>The ransomware tries to encrypt data using GnuPG (gpg.exe). The malware appends the extension .qwerty to the encrypted files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85251\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/6.png\" alt=\"\" width=\"907\" height=\"158\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/6.png 907w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/6-300x52.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/6-768x134.png 768w\" sizes=\"auto, (max-width: 907px) 100vw, 907px\" \/><\/p>\n<p>The malware overwrites the original files using shred.exe:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85305 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/6.jpg\" alt=\"\" width=\"642\" height=\"79\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/6.jpg 642w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/6-300x37.jpg 300w\" sizes=\"auto, (max-width: 642px) 100vw, 642px\" \/><\/p>\n<p>After encryption, the ransomware allots a unique ID that identifies each victim. It also creates a .txt file that states all files on the computer have been locked and the victim must pay to decrypt the files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85252\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/7.png\" alt=\"\" width=\"1093\" height=\"265\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/7.png 1093w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/7-300x73.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/7-768x186.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/7-1024x248.png 1024w\" sizes=\"auto, (max-width: 1093px) 100vw, 1093px\" \/><\/p>\n<p>GPGQwerty deletes the recycle bin using the Windows utility del:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85253 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/8.png\" alt=\"\" width=\"575\" height=\"159\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/8.png 575w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/8-300x83.png 300w\" sizes=\"auto, (max-width: 575px) 100vw, 575px\" \/><\/p>\n<p>Using the command \u201cvssadmin.exe Delete Shadows \/All \/Quiet,\u201d the ransomware silently removes the volume shadow copies (vssadmin.exe, wmic.exe) from the target\u2019s system, thus preventing the victim from restoring the encrypted files. It also deletes backup catalogs (wbadmin.exe) and disables automatic repair at boot time (bcdedit.exe):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85255\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/11-1.png\" alt=\"\" width=\"921\" height=\"182\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/11-1.png 921w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/11-1-300x59.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/11-1-768x152.png 768w\" sizes=\"auto, (max-width: 921px) 100vw, 921px\" \/><\/p>\n<p>Finally, it creates the ransom note readme_decrypt.txt in each folder that holds an encrypted file. The ransom note gives instructions to communicate with an email address within 72 hours to arrange payment.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/20180319-GPGwerty-20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-86561\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/20180319-GPGwerty-20.png\" alt=\"\" width=\"947\" height=\"119\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/20180319-GPGwerty-20.png 947w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/20180319-GPGwerty-20-300x38.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/20180319-GPGwerty-20-768x97.png 768w\" sizes=\"auto, (max-width: 947px) 100vw, 947px\" \/><\/a><\/p>\n<p>This Yara rule detects GPGQwerty:<\/p>\n<p>rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty<\/p>\n<p>{<\/p>\n<p style=\"padding-left: 30px;\">meta:<\/p>\n<p style=\"padding-left: 60px;\">author = &#8220;McAfee Labs&#8221;<\/p>\n<p style=\"padding-left: 60px;\">description = &#8220;Detect GPGQwerty ransomware&#8221;<\/p>\n<p style=\"padding-left: 30px;\">strings:<\/p>\n<p style=\"padding-left: 60px;\">$a = &#8220;gpg.exe &#8211;recipient qwerty\u00a0 -o&#8221;<\/p>\n<p style=\"padding-left: 60px;\">$b = &#8220;%s%s.%d.qwerty&#8221;<\/p>\n<p style=\"padding-left: 60px;\">$c = &#8220;del \/Q \/F \/S %s$recycle.bin&#8221;<\/p>\n<p style=\"padding-left: 60px;\">$d = &#8220;cryz1@protonmail.com&#8221;<\/p>\n<p style=\"padding-left: 30px;\">condition:<\/p>\n<p style=\"padding-left: 30px;\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 all of them<\/p>\n<p>}<\/p>\n<p>&nbsp;<\/p>\n<p>McAfee advises all users to keep their antimalware products up to date. <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/products.html\">McAfee products<\/a> detect this malware as Ransomware-GKF! [<em>Partial hash<\/em>] with DAT Versions 8826 and later. For more on combating ransomware, visit <a href=\"https:\/\/www.nomoreransom.org\/en\/index.html\" target=\"_blank\" rel=\"noopener\">NoMoreRansom.org<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG)&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[76,4452,338,180,4549],"coauthors":[3973],"class_list":["post-85245","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybercrime","tag-cybersecurity","tag-endpoint-protection","tag-malware","tag-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard | McAfee Blog<\/title>\n<meta name=\"description\" content=\"McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-03-19T20:29:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T09:14:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/1-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"720\" \/>\n\t<meta property=\"og:image:height\" content=\"210\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard\",\"datePublished\":\"2018-03-19T20:29:15+00:00\",\"dateModified\":\"2025-06-04T09:14:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/\"},\"wordCount\":668,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg\",\"keywords\":[\"cybercrime\",\"cybersecurity\",\"endpoint protection\",\"malware\",\"ransomware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/\",\"name\":\"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg\",\"datePublished\":\"2018-03-19T20:29:15+00:00\",\"dateModified\":\"2025-06-04T09:14:50+00:00\",\"description\":\"McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard | McAfee Blog","description":"McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard | McAfee Blog","og_description":"McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2018-03-19T20:29:15+00:00","article_modified_time":"2025-06-04T09:14:50+00:00","og_image":[{"width":720,"height":210,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/03\/1-1.jpg","type":"image\/jpeg"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard","datePublished":"2018-03-19T20:29:15+00:00","dateModified":"2025-06-04T09:14:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/"},"wordCount":668,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg","keywords":["cybercrime","cybersecurity","endpoint protection","malware","ransomware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/","name":"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg","datePublished":"2018-03-19T20:29:15+00:00","dateModified":"2025-06-04T09:14:50+00:00","description":"McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/03\/1-1.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/85245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=85245"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/85245\/revisions"}],"predecessor-version":[{"id":215079,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/85245\/revisions\/215079"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=85245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=85245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=85245"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=85245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}