The ProofPoint researcher Matthew Mesa found a new strain of ransomware called GIBON, which is distributed via malspam.
The spam messages use a malicious document as attachment containing macros that when enabled, they will download and install the ransomware on the victim’s machine.
Matthew Mesa called the threat GIBON ransomware due to the presence of the string “GIBON” in two places.
The string was first spotted in the user agent string of the malware using in the communications with the Command & Control server.
The second place where the string “GIBON” could be found is the Admin panel for the ransomware.
Being executed, the GIBON ransomware will connect to the C&C and register a new victim by sending a base64 encoded string which contains the timestamp, the version of Windows, and the “register” string.
After that, the C&C will send back a response which contains a base64 encoded string that will be used by GIBON ransomware as the ransom note.
Being registered with the C&C, the infected computer will locally generate an encryption key and send it to the server as a base64 encoded string.
The GIBON ransomware will use the key to encrypt all files on the target computer and will append the .encrypt extension to the encrypted file’s name.
“Now that the victim has been registered and key transmitted to the C2, the ransomware will begin to encrypt the computer. While encrypting the computer, it will target all files regardless of the extension as long as they are not in the Windows folder.” a security blog post reads.
“During the encryption process, GIBON will routinely connect to the C2 server and send it a “PING” to indicate that it is still encrypting the computer.”
The GIBON ransomware drops a ransom note in each folder containing the encrypted files and generates a ransom note called READ_ME_NOW.txt.
“Attention! All the files are encrypted!
To restore the files, write to the mail:firstname.lastname@example.org
If you do not receive a response from this mail within 24 hours,
then write to the subsidiary:email@example.com”
After completing the file encryption, the GIBON ransomware will send a message to the C&C server with the string “finish”, a timestamp, the Windows version, and the number of the encrypted files.
Nevertheless, the good news here is that the victims can decrypt all files encrypted by the GIBON ransomware by using the GibonDecrypter which they can find on Internet.