Watch out: GIBON enters the ransomware space

The new ransomware strain is the latest to target your PC for cash.
Written by Charlie Osborne, Contributing Writer

Researchers have dubbed a new strain of ransomware GIBON, although its origin remains a mystery.

Last week, ProofPoint researcher Matthew Mesa discovered the ransomware, which is being distributed in the common fashion of phishing campaigns.

According to an analysis by Lawrence Abrams, the ransomware has been called GIBON due to a user string of "GIBON" used when the malware connects to its command-and-control (C&C) server for instructions, as well as the ransomware's administration panel where it calls itself "Encryption Machine GIBON."

The phishing emails crafted to distribute the ransomware contain macros which then download and execute the malware payload on a victim's PC.

GIBON then comes into play, encrypting the device and demanding a ransom.

When GIBON first begins its encryption task, it connects to the C&C server, passing along a base64 encoded string with a timestamp, the version of Windows present on the target computer, and a "register" string to record the new victim.

"The C2 will send back a response that contains a base64 encoded string that will be used by GIBON as the ransom note," Abrams says. "By having the C2 server supply the ransom note rather than it being hardcoded in the executable, the developer can update it on the fly without having to compile a new executable."

Once a victim is registered, an encryption key is generated and sent to the C&C server. This key is used to encrypt every file on the PC and the C&C server then responds with ransom notes.

GIBON targets every file regardless of its extension as long as the files are not in the Windows folder.

After every file is encrypted with the extension .encrypt, GIBON pings the C&C server for a final time with a "finish" string, timestamp, the Windows version and a record of the number of files encrypted.

The ransomware may have ties to Russia. In the administration panel, the logo is based on a Russian television company, and for each file that is encrypted, the malware generates a ransom note which contains instructions to contact a set of mail.ru email addresses for ways to pay.

Details are scarce on the origin of the malware, the price demanded, as well as any in-depth technical details surrounding GIBON -- however, the malware does highlight what appears to be a growing trend in cybercriminality.

Ransomware does not have to be complex to create or distribute, and as long as victims pay up to unlock their systems, the industry will remain profitable -- and this will not be the last new ransomware strain we will see.

If you are a victim of GIBON, you can use this decryptor (.ZIP) to eradicate the infection, as it has been possible to decrypt the malware's code.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

In October, a new ransomware campaign was launched against high-profile targets in Russia and Eastern Europe. Dubbed Bad Rabbit, the ransomware uses full disk encryption and demands roughly $285 in Bitcoin in return for users to regain access to their systems.

10 things you didn't know about the Dark Web

Previous and related coverage

    Remove ransomware infections from your PC using these free tools

    A how-to on finding out what ransomware is squatting in your PC -- and how to get rid of it.

    Double trouble: This ransomware campaign could infect your PC with two types of file-locking malware

    Victims around the world hit by criminals who can switch the malicious payload of emails between Locky and FakeGlobal on a whim.

    No More Ransom project helps thousands of ransomware victims

    After only a year, the initiative has unlocked thousands of devices, but there is more work to do.

      Editorial standards