GIBON ransomware delivered via malspam
GIBON ransomware delivered via malspam

The GIBON Ransomware variant was reportedly seen for sale in a dark web criminal forum with a $500 price tag in a Russian advertisement.

The malware was uncovered by ProofPoint researcher Matthew Mesa who said it is being distributed via malspam with a malicious document attachment that contains macros used to deliver the payload. An anonymous source notified Bleeping Computer that the malware has been on the market since May 2017.

The advertisement for the malware said GIBON has the ability to use recursive encryption, leave README.txt files in messages to the users, encryption keys sent to an admin pane, and create decryptor and encryption keys. Once infected, the malware appends the .encrypt extension to the encrypted file's name.

The malware's command and control (C2) server supplies the ransom note as opposed to the normal practice of it being hard coded in the executable allowing the developer to update it on the fly without having to compile a new executable, researchers said. Victims are registered to the C2 server and the ransomware will locally generate an encryption key and send it to the C2 server as a base64 encoded string.

As soon as the victim is registered the malware encrypts the devices targeting all files regardless of their extensions as long as they aren't in the Windows folder.

It's unclear how much money the criminals are requesting, but researchers said they left instructions to contact the emails bomboms123@mail.ru or yourfood20@mail.ru for payment instructions.

The criminals said the encryption is done with a 2048-bit key and that's it's impossible to decrypt files by standard means.

“After completion, a report is sent on how many files and on which disks are encrypted," the advertisement said. “The program does not increase privileges in the system, so it only works with files for which the user has the appropriate rights.”

While standard means may not allow decryption, researchers have already found a way to free up seized devices. ID Ransomware researcher Michael Gillespie developed a decryptor for those affected by the malware.

In order to prevent infection, researchers recommend users have a reliable and tested backup for their data that can be restored in the event of a ransomware attack.