Only yesterday we informed our users about the Gibon ransomware and how to deal with it, and today we have more news. According to a source who wished to remain anonymous, this ransomware has been for sale on criminal forums on the dark web since May 2017. That means essentially anyone with the money could buy a copy of the software and launch their own ransomware campaign.
We even got our hands on the original ad copy for this ransomware, and it reads as follows:
1) Recursive encryption of all files on the computer.
2) In each folder, a README.txt file is left with the message to the user.
3) Encryption keys are sent to the admin panel.
4) The decryptor and the encryption key are used for decryption.
- It is impossible to decrypt the files by standard means.
- Each file is overwritten; this affects the encryption speed, but the quality of the encryption is worth it.
- The encryption is done with a 2048-bit key. The key is sent to the admin panel at the beginning of encryption.
- After completion, a report is sent on how many files on which disks were encrypted.
- The program does not elevate privileges in the system, so it only works with files for which the user has the appropriate rights.
- If file attributes can be changed by the user, the program changes the attributes to standard ones to increase the number of encrypted files.
System requirements: at least 4 GB of RAM on the machine on which you want to encrypt the files. Otherwise the encryption speed will be extremely low.
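The privilege point in the ad copy cuts both ways: because the program does not elevate, only files the running user can overwrite, or can make writable by resetting attributes, are exposed. The script below is an added example, not part of the original post and not code from the Gibon author. It measures that blast radius over a directory tree under POSIX permission semantics (an assumption; Windows ACLs are not modelled) and also reports how many directories already hold a README.txt, the per-folder note the ad describes. The sample tree it builds is constructed for the demonstration.

```python
"""Blast-radius check for an unprivileged file encryptor.

Added example; not code from the original post or from the Gibon author.
Assumes POSIX permission semantics (uid, gid, mode bits) and the sample
tree constructed by build_sample_tree(); the note filename README.txt is
the one named in the ad copy.
"""
import os
import stat
import tempfile
from collections import Counter

NOTE_NAME = "README.txt"


def classify_mode(st_uid, st_gid, mode, uid, gids):
    """Classify one regular file for a process running as uid/gids with no
    privilege elevation.

    writable         : the process can overwrite it as-is
    attr-changeable  : read-only, but owned by the user, who can chmod it
                       back (the ad says the program resets attributes)
    out-of-reach     : not owned by the user and no applicable write bit
    """
    if st_uid == uid:
        return "writable" if mode & stat.S_IWUSR else "attr-changeable"
    if st_gid in gids and mode & stat.S_IWGRP:
        return "writable"
    if mode & stat.S_IWOTH:
        return "writable"
    return "out-of-reach"


def assess_tree(root, uid=None, gids=None):
    """Walk root recursively and return (per-class file counts,
    fraction of directories that already contain a README.txt).

    A note in nearly every directory is the footprint the ad copy describes;
    README.txt is also a legitimate filename, so treat the density as a
    hunting signal, not proof of infection.
    """
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    counts = Counter()
    dirs_seen = dirs_with_note = 0
    for dirpath, _, filenames in os.walk(root):
        dirs_seen += 1
        if NOTE_NAME in filenames:
            dirs_with_note += 1
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            counts[classify_mode(st.st_uid, st.st_gid, st.st_mode, uid, gids)] += 1
    density = dirs_with_note / dirs_seen if dirs_seen else 0.0
    return counts, density


def build_sample_tree():
    """Constructed sample data: a small tree with two notes already dropped
    and one read-only document. Returns the root path."""
    root = tempfile.mkdtemp(prefix="gibon-demo-")
    layout = {
        "docs/a.txt": 0o644,
        "docs/b.txt": 0o444,          # read-only, but the owner can chmod it
        "docs/" + NOTE_NAME: 0o644,
        "pics/c.jpg": 0o644,
        "pics/" + NOTE_NAME: 0o644,
    }
    os.makedirs(os.path.join(root, "empty"))  # a directory with no files
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    counts, density = assess_tree(build_sample_tree())
    print("files at risk:", counts["writable"] + counts["attr-changeable"])
    print("files out of reach:", counts["out-of-reach"])
    print("directories already holding a README.txt: %.0f%%" % (100 * density))
```

Two caveats when using this on a real host: it only inspects write bits on files, while dropping a note into a folder also needs write permission on the directory itself; and a high README.txt density is a reason to look closer, not a verdict, since plenty of legitimate software trees carry one per folder.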
The person who goes by the nickname AUS_8 promotes Gibon as ransomware that encrypts files so that it is impossible to decrypt them by standard means. However, that is simply false: it did not take long for security researchers to develop a decryption tool, so this ransomware is now worthless to its buyers. Anyone can download the decryption tool for free and decrypt files encrypted by Gibon.
Another interesting fact: the software requires at least 4 GB of RAM, otherwise the encryption process will be extremely slow. That makes users of older and cheaper computers less attractive targets for this particular family, since encrypting their files would take the attacker a very long time.
We have recorded only one attempt to distribute Gibon, the recent malspam campaign. Given that the software has been on sale for almost seven months at the relatively low price of $500, we conclude that not many copies were sold.
Lastly, we noticed that the ad copy is written in Russian. Paired with the fact that the email addresses used in the latest Gibon attack were also registered in Russia, there is a good chance that the ransomware was developed by Russian speakers and used by the developers themselves.