
GIBON Ransomware Being Distributed by Malspam

A new ransomware called GIBON was discovered by Proofpoint researcher Matthew Mesa. This ransomware is currently being distributed via malspam with an attached malicious document that contains macros which download and install the ransomware on the computer. Unfortunately, no further information about the malspam is available at this time.

We have, though, provided information below on how the ransomware operates and thanks to Michael Gillespie, it is decryptable. So if you are a victim, you can download a decryptor here. If you need help, please contact us in our GIBON Ransomware Support & Help topic.

Why is it called GIBON Ransomware?

When a new ransomware is discovered it is not always easy to come up with a good name for it. Sometimes researchers will use strings found in the executables and other times the malware itself will give us clues as to what we should call it.

With GIBON Ransomware, it is the latter, as its name is provided to us in two places. The first place is the user agent string that GIBON uses when it communicates with the Command & Control server.

Communicating with the C2 Server

The second location it tells us its name is in the Admin panel for the ransomware itself, which is shown below. In the screenshot below, you can clearly see it calls itself "Encryption machine 'GIBON'". For those who are curious, the logo below is from the Russian television company VID.

GIBON Admin Panel

How the GIBON Ransomware encrypts a computer

While full details regarding its delivery are not available, I can provide some information on how the GIBON Ransomware encrypts a computer. When GIBON is first started, it will connect to the ransomware's Command & Control Server and register a new victim by sending a base64 encoded string that contains the timestamp, the version of Windows, and the "register" string. The presence of the register string tells the C2 that this is a new victim being infected for the first time. 

The C2 will send back a response that contains a base64 encoded string that will be used by GIBON as the ransom note. By having the C2 server supply the ransom note rather than it being hard coded in the executable, the developer can update it on the fly without having to compile a new executable.

Response with Ransom Note

Once a victim is registered with the C2, the ransomware will locally generate an encryption key and send it to the C2 server as a base64 encoded string. This key will be used to encrypt all of the files on the computer. Like the previous request, the C2 will respond with the ransom note.

Now that the victim has been registered and key transmitted to the C2, the ransomware will begin to encrypt the computer. While encrypting the computer, it will target all files regardless of the extension as long as they are not in the Windows folder.

When encrypting the files, GIBON will append the .encrypt extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and named as test.jpg.encrypt. You can see a folder of encrypted files below.

Encrypted Files

During the encryption process, GIBON will routinely connect to the C2 server and send it a "PING" to indicate that it is still encrypting the computer.

In each folder where a file is encrypted, it will also generate a ransom note named READ_ME_NOW.txt. This ransom note will provide information on what happened to the victim's files and instructions to contact the emails bomboms123@mail.ru or subsidiary:yourfood20@mail.ru for payment instructions.

Ransom Note
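The two on-disk traces described above, the .encrypt suffix and the READ_ME_NOW.txt note in every folder that was encrypted, are enough to build a quick triage script for a responder looking at a recovered drive. The following is an added example written for this post, not code from the article: it walks a directory tree, inventories the encrypted files (and the original names recoverable by stripping the suffix), records which folders hold the note, flags folders that have encrypted files but no note, and checks whether anything under the Windows folder was touched, which would contradict the behaviour described here. The sample directory tree is constructed in a temporary directory for illustration and is not real victim data.

```python
"""Triage a host for the on-disk traces GIBON leaves behind.

Added example for this post, not code from the article. It relies only on the
two artifacts the article names (the .encrypt suffix and READ_ME_NOW.txt) and
on the stated exclusion of the Windows folder; the sample directory tree is
constructed here in a temp directory and is not real victim data.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict

ENCRYPTED_SUFFIX = ".encrypt"    # appended to every encrypted file (article)
RANSOM_NOTE = "READ_ME_NOW.txt"  # dropped in each folder with encrypted files (article)
EXCLUDED_TOP_DIR = "windows"     # GIBON skips the Windows folder (article)


def build_sample_tree() -> str:
    """Create a constructed layout mimicking an encrypted user profile; returns its root."""
    root = tempfile.mkdtemp(prefix="gibon-triage-")
    layout = {
        "Users/alice/Documents/report.docx.encrypt": b"\x00" * 16,
        "Users/alice/Documents/" + RANSOM_NOTE: b"constructed ransom note text",
        "Users/alice/Pictures/test.jpg.encrypt": b"\x00" * 16,
        "Users/alice/Pictures/" + RANSOM_NOTE: b"constructed ransom note text",
        "Users/alice/Pictures/untouched.png": b"\x89PNG",
        "Windows/System32/notepad.exe": b"MZ",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def triage(root: str) -> Dict:
    """Walk the tree and summarise what the encryption routine touched."""
    encrypted, note_dirs, missing_note = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        enc_here = [f for f in filenames if f.endswith(ENCRYPTED_SUFFIX)]
        if enc_here:
            encrypted.extend(f"{rel_dir}/{f}" for f in enc_here)
            if RANSOM_NOTE in filenames:
                note_dirs.append(rel_dir)
            else:
                # Encrypted files with no note: a different family or an interrupted run.
                missing_note.append(rel_dir)
    return {
        "encrypted_count": len(encrypted),
        # Original names are recoverable by stripping the suffix (inventory before decryption).
        "original_names": sorted(os.path.basename(f)[: -len(ENCRYPTED_SUFFIX)] for f in encrypted),
        "note_folders": sorted(note_dirs),
        "folders_missing_note": sorted(missing_note),
        # Anything encrypted under Windows\ contradicts the behaviour described in the article.
        "windows_touched": any(f.split("/")[0].lower() == EXCLUDED_TOP_DIR for f in encrypted),
    }


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against the constructed tree to see the summary; point `triage()` at a mounted image root to use it for real. The "original_names" list doubles as the inventory to verify against after the decryptor has run.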

When the ransomware has finished encrypting a computer, it will send a final message to the C2 server with the string "finish", a timestamp, the Windows version, and the number of files that were encrypted.
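The check-in sequence described above (register, key upload, periodic PING, finish) is a usable detection signal in web proxy logs, because every message is a base64 string sent under a user agent that contains "GIBON". The following is an added example written for this post, not code from the article or from the malware: it scans constructed sample log lines for that user agent marker, decodes the base64 payloads, and reconstructs the per-host infection timeline so an analyst can tell whether encryption completed. The log line layout, the c2.invalid hostname and the field order inside the payloads are assumptions; only the user agent marker and the three status strings come from the article.

```python
"""Spot GIBON-style C2 check-ins in web proxy logs.

Added example for this post, not code from the article or from the malware
author. The log format, the C2 hostname (c2.invalid) and the field layout
inside the base64 payloads are assumptions; the article only states that the
user agent contains "GIBON" and that the messages are base64 strings carrying
"register", "PING" or "finish".
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Status strings the article reports inside GIBON's base64-encoded C2 messages.
GIBON_STATES = ("register", "PING", "finish")
# Substring of the user agent the article says GIBON uses.
UA_MARKER = "GIBON"

# Assumed proxy log line layout: <timestamp> <client-ip> "<user-agent>" <url>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample log below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample log: one infected client (10.0.0.5) plus unrelated noise.
SAMPLE_LOG = "\n".join([
    '2017-11-02T10:00:01 10.0.0.5 "GIBON" http://c2.invalid/?' + _b64("1509616801|Windows 7|register"),
    '2017-11-02T10:00:02 10.0.0.5 "Mozilla/5.0" http://example.invalid/index.html',
    '2017-11-02T10:00:03 10.0.0.5 "GIBON" http://c2.invalid/?' + _b64("CONSTRUCTED-KEY-BLOB-1234"),
    '2017-11-02T10:05:00 10.0.0.5 "GIBON" http://c2.invalid/?' + _b64("PING"),
    '2017-11-02T10:30:00 10.0.0.5 "GIBON" http://c2.invalid/?' + _b64("finish|1509618600|Windows 7|4821"),
    '2017-11-02T10:31:00 10.0.0.7 "curl/7.55" http://example.invalid/?notbase64!!',
])


@dataclass
class Beacon:
    timestamp: str
    client: str
    state: str      # one of GIBON_STATES, or "other" (e.g. the key upload)
    decoded: str    # decoded payload, empty if it was not valid base64


def decode_payload(url: str) -> Optional[str]:
    """Return the decoded base64 query payload, or None if absent or invalid."""
    if "?" not in url:
        return None
    blob = url.split("?", 1)[1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def classify(decoded: str) -> str:
    """Map a decoded payload to the infection phase the article describes."""
    for state in GIBON_STATES:
        if state in decoded:
            return state
    return "other"


def find_beacons(log_text: str) -> List[Beacon]:
    """Return every log line whose user agent carries the GIBON marker."""
    beacons = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, ua, url = m.groups()
        if UA_MARKER not in ua:
            continue
        decoded = decode_payload(url) or ""
        beacons.append(Beacon(ts, client, classify(decoded), decoded))
    return beacons


def infection_timeline(beacons: List[Beacon]) -> Dict[str, List[str]]:
    """Per client, the ordered phases seen: register -> other (key) -> PING ... -> finish."""
    timeline: Dict[str, List[str]] = {}
    for b in beacons:
        timeline.setdefault(b.client, []).append(b.state)
    return timeline


if __name__ == "__main__":
    for client, phases in infection_timeline(find_beacons(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(phases))
```

A client whose timeline reaches "finish" has already been fully encrypted; one that stops at "register" or "PING" was interrupted, which changes the response priority. The user agent match is the cheap first filter; decoding the payload is what separates the phases, and the decoder deliberately rejects anything that is not strict base64 rather than guessing.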

At this time, it is not known how much ransom the developers are demanding. As previously stated, the good news is that this ransomware can be decrypted using this decryptor.

How to protect yourself from the GIBON Ransomware

In order to protect yourself from GIBON, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that contains behavioral detections such as Emsisoft Anti-Malware, Malwarebytes, or HitmanPro:Alert.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

- Backup, Backup, Backup!
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent them to you.
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors, so it is important to keep them updated.
- Make sure you have some sort of security software installed.
- Use strong passwords and never reuse the same password at multiple sites.
