
GIBON Ransomware

GIBON targets every file that is not located in the Windows folder. The malware is spread via emails with macro-enabled attachments that download and execute the ransomware. Once running, it contacts its command-and-control (C2) server to register the new infection.

The malware then generates an encryption key, which it uses to encrypt the files on the device. It sends the key to the C2 server, which responds with the ransom note for the infected device. Once every file is encrypted, GIBON contacts the C2 server a final time to report how many files were encrypted.

When encrypting files, GIBON appends the .encrypt extension to each encrypted file’s name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.encrypt.
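The rename pattern described above (original name plus .encrypt, outside the Windows folder) can be turned into a simple detection heuristic. The following is an added example, not code from the original article; the event tuple format, the 60-second window and the threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SUFFIX = ".encrypt"             # extension the article says GIBON appends
WINDOW = timedelta(seconds=60)  # assumed burst window
THRESHOLD = 3                   # assumed minimum matching renames per process

# Constructed rename events: (ISO timestamp, pid, old path, new path)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:01", 4120, r"C:\Users\amy\Documents\test.jpg", r"C:\Users\amy\Documents\test.jpg.encrypt"),
    ("2024-01-01T09:00:02", 4120, r"C:\Users\amy\Documents\plan.docx", r"C:\Users\amy\Documents\plan.docx.encrypt"),
    ("2024-01-01T09:00:04", 4120, r"D:\Shared\budget.xlsx", r"D:\Shared\budget.xlsx.encrypt"),
    ("2024-01-01T09:00:09", 4120, r"D:\Shared\notes.txt", r"D:\Shared\notes.txt.encrypt"),
    ("2024-01-01T09:00:10", 4120, r"D:\Shared\old.txt", r"D:\Shared\old.bak"),
    ("2024-01-01T09:05:00", 880, r"C:\Users\bob\report.docx", r"C:\Users\bob\report.docx.encrypt"),
    ("2024-01-01T09:06:00", 300, r"C:\Windows\Temp\a.tmp", r"C:\Windows\Temp\a.tmp.encrypt"),
]

def is_gibon_style_rename(old, new):
    """True when new is old + '.encrypt' and the file is outside the Windows folder."""
    old_p, new_p = PureWindowsPath(old), PureWindowsPath(new)
    if str(new_p).lower() != str(old_p).lower() + SUFFIX:
        return False
    parts = [p.lower() for p in old_p.parts]
    # parts[0] is the drive root (e.g. 'c:\\'); parts[1] is the top-level folder
    return not (len(parts) > 1 and parts[1] == "windows")

def flag_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {pid: count} for processes with >= threshold matching renames in one window."""
    by_pid = defaultdict(list)
    for ts, pid, old, new in events:
        if is_gibon_style_rename(old, new):
            by_pid[pid].append(datetime.fromisoformat(ts))
    flagged = {}
    for pid, times in by_pid.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pid] = best
    return flagged

if __name__ == "__main__":
    for pid, count in flag_bursts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {count} files renamed to *{SUFFIX} within {WINDOW}")
```

Requiring a burst from a single process keeps a lone, legitimately named .encrypt file from raising an alert.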




Resolution:

GIBON’s author claims that files encrypted with the ransomware are impossible to decrypt. This is false: a decryptor has already been released.

As with all forms of zero-day malware, the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet use are performed using non-administrative accounts, and permissions are always assigned on the basis of least privilege.

To limit the damage of ransomware and enable recovery:

  • All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.
  • Multiple backups should be created, including at least one off-network backup (e.g. to tape).




Duncan

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
