For the basic definition of ransomware and how cloud computing can protect data from attackers, see our previous post, which explains it in detail.
Proofpoint researcher Matthew Mesa discovered a new ransomware called GIBON. It is currently being distributed by MalSpam with an attached malicious document whose macros download and install the ransomware on the victim's PC. Malware Spam, or MalSpam, is the term for malware delivered via email messages.
How GIBON works
- First, GIBON connects to the ransomware's Command & Control (C2) server and registers a new victim by sending a base64-encoded string. The decoded string consists of a timestamp, the string "register" and the Windows version. The presence of the "register" string tells the C2 that a new victim has been infected.
- In response, the C2 sends back the GIBON ransom note as a base64-encoded string.
- Once the victim is registered, GIBON generates an encryption key and sends it to the C2 server as a base64-encoded string. This key is used to encrypt all the files on the computer, so a capture of this C2 session is worth preserving during incident response.
- With the victim registered and the key transmitted to the C2, encryption begins. Every file is encrypted regardless of its extension, except files stored in the Windows folder.
- GIBON appends the .encrypt extension to each encrypted file. Throughout the process GIBON stays connected to the C2 server and sends PING messages to report the progress of the encryption.
- A ransom note named READ_ME_NOW.txt is written to each folder containing encrypted files. The note explains what happened to the victim's files and instructs the victim to contact email@example.com or, as a subsidiary address, firstname.lastname@example.org for payment instructions.
- When encryption is complete, the ransomware sends a FINISH string to the C2 server together with the Windows version, the number of files encrypted and a timestamp.
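The lifecycle above, as an added example that is not part of the original post or of any published GIBON analysis: a small Python triage script that strictly decodes base64 C2 beacons, classifies them by the register / PING / FINISH markers, replays one host's beacons to tell whether encryption completed, and counts the .encrypt files and READ_ME_NOW.txt notes in a file listing. The pipe-separated field layout, the "key" marker for the key-upload step, and the sample beacons and paths are assumptions constructed for this example; the post does not describe GIBON's real wire format.

```python
import base64
import binascii
from typing import Optional

# Marker strings GIBON exchanges with its C2 according to the write-up.
# "key" is a hypothetical marker for the key-upload step; the post only says
# the key is sent as a base64 string, not how it is labelled.
GIBON_STATES = {"register", "key", "PING", "FINISH"}


def decode_beacon(token: str) -> Optional[bytes]:
    """Strictly base64-decode one token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_beacon(token: str) -> Optional[dict]:
    """Decode a token and, if it matches the assumed GIBON layout
    '<unix timestamp>|<state>|<extra fields>', return the parsed fields.
    Anything else (benign base64, binary data, junk) yields None."""
    raw = decode_beacon(token)
    if raw is None:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    fields = text.split("|")
    if len(fields) < 2 or fields[1] not in GIBON_STATES or not fields[0].isdigit():
        return None
    event = {"timestamp": int(fields[0]), "state": fields[1]}
    if fields[1] == "register" and len(fields) >= 3:
        event["windows_version"] = fields[2]
    elif fields[1] == "FINISH" and len(fields) >= 4 and fields[3].isdigit():
        event["windows_version"] = fields[2]
        event["files_encrypted"] = int(fields[3])
    return event


def summarize_session(tokens) -> dict:
    """Replay the beacons of one host and report how far the infection got:
    register -> key upload -> PING... -> FINISH means encryption completed."""
    events = [e for e in (classify_beacon(t) for t in tokens) if e is not None]
    states = [e["state"] for e in events]
    finish = next((e for e in events if e["state"] == "FINISH"), None)
    return {
        "states": states,
        "completed_encryption": bool(states) and states[0] == "register" and finish is not None,
        "files_encrypted": finish.get("files_encrypted") if finish else None,
    }


def triage_paths(paths) -> dict:
    """Count host-side indicators in a list of file paths: files renamed with
    the .encrypt extension and READ_ME_NOW.txt notes. Encrypted files under
    the Windows folder are reported separately because GIBON is said to skip it."""
    norm = [(p, p.replace("\\", "/").lower()) for p in paths]
    encrypted = [p for p, n in norm if n.endswith(".encrypt")]
    notes = [p for p, n in norm if n.rsplit("/", 1)[-1] == "read_me_now.txt"]
    windows_hits = [p for p, n in norm if n.endswith(".encrypt") and n.startswith("c:/windows/")]
    return {"encrypted": len(encrypted), "notes": len(notes), "windows_hits": len(windows_hits)}


# Constructed sample data (not captured traffic): what one infected host's
# beacons and file listing could look like under the assumptions above.
SAMPLE_BEACONS = [
    base64.b64encode(b"1509532412|register|Windows 7 Professional").decode(),
    base64.b64encode(b"1509532413|key|" + b"A" * 32).decode(),  # hypothetical key upload
    base64.b64encode(b"1509532450|PING|127").decode(),
    base64.b64encode(b"1509532700|FINISH|Windows 7 Professional|1432").decode(),
    base64.b64encode(b"hello world").decode(),  # benign base64, must not match
    "not base64 at all!",                       # junk, must not crash the parser
]

SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.encrypt",
    r"C:\Users\alice\Documents\READ_ME_NOW.txt",
    r"C:\Users\alice\Pictures\cat.jpg.encrypt",
    r"C:\Users\alice\Pictures\READ_ME_NOW.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(summarize_session(SAMPLE_BEACONS))
    print(triage_paths(SAMPLE_PATHS))
```

Strict base64 validation matters here: proxy logs are full of base64-looking tokens, and a lenient decoder would turn junk into false positives. In practice the tokens would be pulled from a proxy or packet capture and the file listing from an endpoint inventory; an incomplete state list (a register without a FINISH) is the cue that the host was interrupted mid-encryption.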
To stay on the safe side, use security software and follow good security habits such as:
- Back up your data regularly and keep a copy offline, since ransomware encrypts every file it can reach.
- Do not open attachments from unknown senders.
- Do not enable macros in documents received by email; GIBON's dropper relies on them.
- Scan attachments with security tools before opening them.
- Keep the operating system and applications updated.
- Install security software.
- Use strong passwords.
- Use a different password for each site.
This ransomware can be removed manually using the following methods (note that removing the malware does not restore the encrypted files):
- Using Safe Mode with Networking
- Using System Restore
The good news is that a decryptor is available for this ransomware, so the encrypted files can be recovered without paying the ransom.
In our next post, the Locky ransomware is explained.