A decrypter released last week for a new ransomware that goes after all files on machines, except those located in the Windows folder.
The ransomware, which researchers named “GIBON”, is for sale for $500 and has been available on underground forums since at least May 2017.
While that is a long time out on the market without anyone noticing, as soon as researcher found it, a decrypter released last week.
The attack involved using malicious spam emails for distribution, but the exact delivery mechanism isn’t known at the moment.
Once it gets on to a computer, GIBON connects to its command and control (C&C) server and registers the new victim by sending a base64 encoded string containing the timestamp, Windows version, and the “register” string.
The server’s response contains a base64 encoded string the ransomware uses as the ransom note.
This setup allows the malware author to update the ransom note on the fly, without having to compile a new executable, said BleepingComputer’s Lawrence Abrams in a post.
Once the victim has been registered, the ransomware generates an encryption key locally and then sends it to the C&C server as a base64 encoded string. The key is used to encrypt all of the files on the computer and appends the .encrypt extension to every encrypted file’s name.
The threat continues to message the server during the encryption process to inform it the operation is still ongoing. When the process has been completed, it sends a final message to the server, containing the string “finish,” a timestamp, Windows version, and the number of files encrypted.
GIBON drops a ransom note on each folder where a file has been encrypted, providing users with information on what happened and instructing them to contact the malware author via email at email@example.com or subsidiary:firstname.lastname@example.org for payment instructions.
GIBON’s author said files encrypted with the ransomware are impossible to decrypt, however, a decrypter has already released on BleepingComputer.