Matthew Mesa, a Proofpoint researcher, has discovered a new ransomware named GIBON, which is distributed through malspam. The malspam emails carry a malicious document as an attachment; the document contains macros that download and install the ransomware.

When the ransomware starts, it connects to its command and control (C&C) server to register the new victim. It sends a base64-encoded string containing a timestamp and the register string, which tells the C&C server that a new victim has been infected. The C&C server responds with a base64-encoded string that is used later as the ransom note.

After registering, the ransomware generates an encryption key, which will be used to encrypt all files on the system, and sends it to the C&C server as a base64-encoded string. As with the previous request, the server responds with a ransom note.

The ransomware encrypts files of every extension on the computer and appends .encrypt to the encrypted files. To inform the C&C server that it is still encrypting, the ransomware sends a 'Ping' to the server. When encryption finishes, it sends a message containing the string 'Finish', a timestamp and the Windows version; along with the finish message it also sends the number of files that were encrypted.

In each folder containing encrypted files, a ransom note named READ_ME_NOW.txt is also dropped. It describes what happened to the files and gives instructions on how to get them back. In the ransom note, users are instructed to contact bomboms123@mail.ru or (subsidiary) yourfood20@mail.ru to receive payment instructions.

The good news is that the files can be decrypted without paying any ransom, thanks to Michael Gillespie. The decryptor is free and can be downloaded here.
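The register, 'Ping' and 'Finish' beacons described above are the kind of traffic a proxy-log review can surface. The following is an added detection example, not code from the article or from Proofpoint; the log line format, the c2.invalid host and the payload layout (marker|timestamp|extra) are assumptions, since the article only states that the strings are base64-encoded and carry those markers.

```python
import base64
import binascii
import re
from typing import Optional

BODY_RE = re.compile(r"body=(\S+)")
# Markers named in the article; the rest of the layout is assumed.
PHASES = ("register", "Ping", "Finish")
TS_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}\b")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed proxy log lines: "<src_ip> <method> <url> body=<base64>".
SAMPLE_LOG = [
    "10.0.0.5 POST http://c2.invalid/gate.php body=" + _b64("register|2017-11-06 10:15:02"),
    "10.0.0.5 POST http://c2.invalid/gate.php body=" + _b64("Ping"),
    "10.0.0.5 POST http://c2.invalid/gate.php body=" + _b64("Finish|2017-11-06 10:42:51|Windows 7|1532"),
    "10.0.0.9 POST http://intranet.example/api body=" + _b64("user=alice&action=login"),
    "10.0.0.9 POST http://intranet.example/api body=not-base64!!",        # invalid base64
    "10.0.0.9 POST http://intranet.example/api body=" + base64.b64encode(b"\xff\xfe\x00").decode(),  # binary
]


def decode_body(line: str) -> Optional[str]:
    """Return the decoded body as text, or None if absent, not base64 or not UTF-8."""
    m = BODY_RE.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify(line: str) -> Optional[dict]:
    """Flag a line whose decoded body carries one of the beacon markers."""
    text = decode_body(line)
    if text is None:
        return None
    phase = next((p for p in PHASES if p in text), None)
    if phase is None:
        return None
    return {"src": line.split()[0], "phase": phase,
            "timestamp": bool(TS_RE.search(text)), "decoded": text}


def scan(lines):
    """Return the flagged lines in log order; benign and undecodable bodies are skipped."""
    return [hit for hit in map(classify, lines) if hit]
```

The marker match is a plain substring check, so treat hits as leads to pivot on (same source host, same URL, register followed by pings and a finish) rather than as a verdict on their own.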
Always follow these basic instructions to protect yourself from any ransomware attack:
- Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain updated antivirus software on all systems.
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. If a URL looks genuine, close the e-mail and go to the organization's website directly through the browser.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.
About the Author
Ashique is a self-motivated and passionate security analyst with good knowledge of computer networking, security analysis, vulnerability assessment and penetration testing.