RANSOMWARE – GIBON


For the basic definition of ransomware, and for how cloud computing can protect data from attackers, see our previous post, which explains both in detail.

Proofpoint researcher Matthew Mesa discovered a new ransomware called GIBON. It is currently being distributed through malspam: email messages carrying an attached malicious document whose macros download and install the ransomware on the victim's PC. "Malspam" (malware spam) is the term for malware delivered via email.


Working of GIBON

  1. GIBON first connects to its Command & Control (C2) server and registers the new victim by sending a base64-encoded string made up of a timestamp, the word "register" and the Windows version. The "register" string tells the C2 that this is a newly infected machine.
  2. The C2 replies with the GIBON ransom note, also as a base64-encoded string.
  3. Once the victim is registered, the ransomware generates an encryption key and sends it to the C2 as a base64-encoded string. This is the key used to encrypt the files on the computer.
  4. With the victim registered and the key uploaded, encryption begins. Every file is encrypted regardless of its extension, except files stored under the Windows folder.
  5. Each encrypted file has the .encrypt extension appended to its name. Throughout the process GIBON stays connected to the C2 and sends PING messages to report on the ongoing encryption.
  6. A READ_ME_NOW.txt ransom note is written in every folder that contains encrypted files. It tells the victim what has happened to their files and instructs them to email bomboms123@mail.ru (or the backup address yourfood20@mail.ru) for payment instructions.
  7. When encryption is complete, GIBON sends a FINISH string to the C2 containing the Windows version, the number of files encrypted and a timestamp.
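The register / key / PING / FINISH exchange above is what a proxy or IDS would see as a series of base64 blobs. The following is an added example, not code from the original post or from the malware, that decodes such request bodies and reconstructs the infection lifecycle for one host. The post only says each message is a base64 string containing a timestamp, a stage word and the Windows version; the "|" field separator, the field order and the "key" label on the key upload are assumptions made here, and the sample bodies are constructed.

```python
"""Decode and classify GIBON-style C2 beacons from a captured log.

Added example, not the malware's code. The "|" separator, the field
order and the "key" stage label are assumed; the post does not give
the real wire format.
"""
import base64
import binascii
from typing import List, Optional

SEP = "|"  # assumed separator; the real wire format is not given on the page
STAGES = ("register", "key", "PING", "FINISH")


def encode_beacon(*fields: str) -> str:
    """Victim side: join the fields and base64-encode them."""
    return base64.b64encode(SEP.join(fields).encode("utf-8")).decode("ascii")


def decode_beacon(b64: str) -> Optional[dict]:
    """Decode one request body; return the parsed beacon or None if it is not one."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    fields = raw.split(SEP)
    if len(fields) < 3 or fields[1] not in STAGES:
        return None
    info = {"timestamp": fields[0], "stage": fields[1]}
    if fields[1] == "key":
        info["key_b64"] = fields[2]  # the per-victim encryption key being uploaded
    else:
        info["win_version"] = fields[2]
    if fields[1] == "FINISH":
        # FINISH also carries the number of files encrypted
        if len(fields) < 4 or not fields[3].isdigit():
            return None
        info["files_encrypted"] = int(fields[3])
    return info


def summarize_session(bodies: List[str]) -> dict:
    """Walk the request bodies of one host and reconstruct the infection lifecycle."""
    stages, ignored = [], 0
    summary = {"win_version": None, "files_encrypted": None, "key_seen": False}
    for body in bodies:
        beacon = decode_beacon(body)
        if beacon is None:
            ignored += 1  # unrelated traffic, or base64 that is not a beacon
            continue
        stages.append(beacon["stage"])
        if "win_version" in beacon:
            summary["win_version"] = beacon["win_version"]
        if beacon["stage"] == "key":
            summary["key_seen"] = True
        if beacon["stage"] == "FINISH":
            summary["files_encrypted"] = beacon["files_encrypted"]
    summary["stages"] = stages
    summary["ignored"] = ignored
    # A full run is register -> key -> PING ... -> FINISH
    summary["lifecycle_complete"] = bool(stages) and stages[0] == "register" and stages[-1] == "FINISH"
    return summary


# Constructed sample: request bodies as a proxy might have logged them, in order.
SAMPLE_BODIES = [
    encode_beacon("2017-11-03T10:15:00Z", "register", "Windows 7"),
    encode_beacon("2017-11-03T10:15:02Z", "key",
                  base64.b64encode(b"constructed-32-byte-key-........").decode("ascii")),
    encode_beacon("2017-11-03T10:16:00Z", "PING", "Windows 7"),
    base64.b64encode(b"hello world").decode("ascii"),  # benign base64 traffic, not a beacon
    encode_beacon("2017-11-03T10:17:00Z", "PING", "Windows 7"),
    "GET /index.html HTTP/1.1",                        # not base64 at all
    encode_beacon("2017-11-03T10:18:30Z", "FINISH", "Windows 7", "1342"),
]

if __name__ == "__main__":
    for key, value in summarize_session(SAMPLE_BODIES).items():
        print(f"{key}: {value}")
```

The useful signal for an analyst is the sequence, not any single message: a "register" with no later FINISH means encryption was interrupted (or the host was taken offline), while a FINISH gives the file count to compare against the host's own damage assessment. The key beacon is worth retaining from captures, since it is the victim's own encryption key in transit.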


To stay on the safe side, run security software and follow good security habits such as:

  • Back up your data, and keep at least one copy offline where ransomware cannot reach it.
  • Do not open attachments from unknown or unexpected senders.
  • Scan attachments with security tools before opening them.
  • Keep the operating system and applications patched.
  • Install and keep security software up to date.
  • Use strong passwords.
  • Use a different password for every site.


This ransomware can be removed manually using one of the following methods:

  • Using Safe Mode with Networking
  • Using System Restore

Note that neither method recovers the encrypted files: removal stops the infection from continuing, but System Restore does not touch user data, and the .encrypt files stay encrypted. Keep the encrypted files and the READ_ME_NOW.txt notes until recovery is complete, since a decryptor needs them.
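Before cleaning a machine it helps to confirm the infection and its scope using the on-disk indicators described above. The script below is an added example, not from the original post or from any vendor tool: it walks a directory tree for files renamed with the .encrypt extension and for READ_ME_NOW.txt notes, reports folders that were hit but never got a note (a sign encryption was interrupted), recovers the original file names, and pulls the contact addresses out of the notes. The sample victim tree is constructed in a temporary directory.

```python
"""Triage a host for GIBON-style encryption artifacts.

Added example, not from the original post. Indicators used are the two
the post names: an appended .encrypt extension and a READ_ME_NOW.txt
note per affected folder. The sample tree is constructed below.
"""
import os
import re
import tempfile

NOTE_NAME = "READ_ME_NOW.txt"
ENC_SUFFIX = ".encrypt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage(root: str) -> dict:
    """Count encrypted files, find folders missing a note, collect ransom contacts."""
    encrypted, note_dirs, contacts = [], set(), set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                note_dirs.add(dirpath)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    contacts.update(EMAIL_RE.findall(fh.read()))
            elif name.endswith(ENC_SUFFIX):
                encrypted.append(path)
    hit_dirs = {os.path.dirname(p) for p in encrypted}
    return {
        "encrypted_files": len(encrypted),
        "folders_hit": sorted(os.path.relpath(d, root) for d in hit_dirs),
        # Encrypted files but no note suggests the run was interrupted in that folder
        "folders_missing_note": sorted(os.path.relpath(d, root) for d in hit_dirs - note_dirs),
        # The original name is simply the file name with the appended suffix removed
        "original_names": sorted(os.path.basename(p)[: -len(ENC_SUFFIX)] for p in encrypted),
        "contacts": sorted(contacts),
    }


def build_sample_tree() -> str:
    """Constructed victim tree: two hit folders (one without a note) and an untouched Windows folder."""
    root = tempfile.mkdtemp(prefix="gibon-triage-")
    layout = {
        os.path.join("Documents", "report.docx" + ENC_SUFFIX): b"\x00ciphertext",
        os.path.join("Documents", NOTE_NAME): (
            "Your files have been encrypted.\n"
            "Contact bomboms123@mail.ru or yourfood20@mail.ru for payment instructions.\n"
        ).encode("utf-8"),
        os.path.join("Pictures", "holiday.jpg" + ENC_SUFFIX): b"\x00ciphertext",
        os.path.join("Pictures", "cat.png" + ENC_SUFFIX): b"\x00ciphertext",
        os.path.join("Windows", "notepad.exe"): b"MZ...",  # left alone, as the post describes
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against the drive roots of the affected machine (from a clean boot environment, so nothing on the infected system is trusted) to get the file count to compare with the FINISH beacon, the list of folders to restore from backup, and the contact addresses for the incident report.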


The good news is that a free decryptor is available for this ransomware. Make a copy of the encrypted files before running it, so that nothing is lost if decryption fails partway.

Our next post covers the Locky ransomware.


4 comments

  1. Nice post! Ransomware is a very dangerous version of malware (malicious software) used to force the victim to pay a fee called a Bitcoin. Why is it called Bitcoin? Because you can't cancel the transaction if they don't give you the key to unlock your device. It's safe to say if you're infected with ransomware, then you are in big trouble. One of the worst ransomware outbreaks was Cryptolocker. The creator was never caught, but basically Cryptolocker was both a Trojan horse and a ransomware virus. It tricked you into believing you were infected with spyware and offered a supposed solution to your problem. You actually don't have a virus until you enable the Cryptolocker. It then does what a normal ransomware virus would do. Be careful online, guys. There are always vulnerabilities and you are never 100% immune to computer viruses.


  2. I simply wanted to thank you very much all over again. I'm not certain what I would've worked on without those creative concepts revealed by you relating to my problem. This was an absolutely intimidating circumstance for me; however, observing this well-written technique you managed took me to jump over happiness. I am happier for your guidance and in addition trust you know what a great job you were doing teaching the mediocre ones via a site. I am certain you've never met all of us.

