Remove Gryphon Ransomware | Updated


I wrote this article to help you remove Gryphon Ransomware. This Gryphon Ransomware removal guide works for all Windows versions.

Gryphon is one of the newest members of the ransomware family as it was first detected on July 31st this year. As a classic ransomware, this infection doesn’t stand out with anything in particular. It operates the same way all ransomware pieces do. First, it sneaks on your machine behind your back. According to researchers, the crooks behind Gryphon rely on spam email messages which include macro-enabled Microsoft Office document to spread their malware.

We strongly recommend that you make sure macros are disabled in your Word processor. Also, be on the alert from emails, send to you by unknown people. Proceed with caution and don’t rush to open the messages and download their attachments. Better yet, delete the email immediately. Gryphon runs as “payload.exe” on victims` machines. Keep an eye for an executable with this name and protect your files. Gryphon is reported to target primary English-speaking users but the Internet has no boundaries so no one is safe.

Once the ransomware enters, it doesn’t waste time. It immediately scans your computer in search for your private files and then encrypts them with a custom AES-256 algorithm. Everything on your local disk as well as data on accessible USB drives gets locked. Your pictures, music, videos, contact lists, databases, presentations, work-related files, MS Office files, etc. becomes inaccessible to you. Gryphon appends the “.[].gryphon” extension to each encrypted file. For instance, a music file names “song.mp3” after being locked becomes “song.mp3.[].gryphon”.

Once this appendix appears, know that the file-locking process is over and no matter what you do, you cannot use your data in any way. The Gryphon drops the “HELP.txt” file, aka your payment instructions. Money is the whole point of locking your files. The note states that if you want your data back, you have to pay up. You are supposed to contact the hackers via email which they provide, so they give you detailed payment instructions. They claim that once you pay, you will receive a decryption tool which will help you retrieve your data.

It sounds simple enough but it is not. Let`s explain why you should not pay. For starters, making deals with cybercriminals is not a good idea. These people cannot be trusted. How do you know if they will keep their end of the bargain? You don’t. And usually, they don’t either. There are a few case scenarios here.

First, you pay but they don’t send you anything. Second, you pay and receive a tool but it only works partially if at all. And third, you pay and get the right tool. Then you decrypt your data but it gets relocked hours later. The decryptor you purchase does not remove the ransomware from your PC. It only frees your files but what is the point when the infection can strike again anytime? Paying is not the option.

How many times are you willing to give these people money and not having your data back? Every cent you give them, they use for more malware creation and business expansion. In addition, when you use your machine to make the payment, you also expose your private details as names, billing address, email address, etc. Do not do that. In order to safely recover your data, you need to remove Gryphon from your computer first. Our removal guide below can help you do that manually. Only then you can try to unlock your files. Also, always keep backups of your most important data. When it comes to ransomware, protection in advance is the best thing you can do.

Gryphon Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Gryphon Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Gryphon Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and Network security, online safety.If you have any questions feel free to ask him right now.


Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.