New Gibon Ransomware Campaign Detected

By Richard Anderson

A new ransomware campaign has been detected that is using spam email to deliver Gibon ransomware. The malware has been named Gibon due to the inclusion of the word in the user-agent string of its code.

The ransomware variant was detected by Proofpoint security researcher Matthew Mesa, who notes that, as with many other ransomware variants, it is being sold on darknet marketplaces for cybercriminals to use in their own ransom campaigns. Cybercriminals can buy the ransomware for $500 and are told that there is no way that the encryption can be cracked using standard means.

Gibon ransomware was first detected in May this year, and while the ransomware is being sold online, so far there have been few campaigns detected using this particular ransomware variant.

In contrast to many ransomware variants that stipulate the ransom amount, the latest campaign allows the attackers to set the ransom amount per victim. Victims are not told how much they need to pay. They need to make contact with the attackers via email to discover how they can recover their files. The latest campaign supplies a Russian email address for that purpose.

Recovering from a ransomware attack is usually possible if a viable backup of the encrypted files exists. Organizations that have failed to back up their files face file loss if they are not prepared to pay the ransom demand.

However, before that decision is taken, victims should search for decryptors online. The No More Ransom Project is a good first port of call. While the No More Ransom Project has yet to upload a decryptor for Gibon ransomware, all is not lost for those who have been infected.

Lawrence Abrams of Bleeping Computer notes that a free decryptor has been made available. The decryptor for Gibon ransomware was developed by Michael Gillespie and is available via BleepingComputer.com at the following URL: https://www.bleepingcomputer.com/download/gibon-ransomware-decryptor/


Richard Anderson is the Editor-in-Chief of NetSec.news