GIBON Ransomware - How to Remove and Restore .encrypt Files

This article explains how to remove the GIBON ransomware virus and how to restore files that it has encrypted with the .encrypt file extension.

A new ransomware infection, named GIBON, has been reported to append the .encrypt extension to the files on the computers it infects. The virus then leaves behind a ransom note asking victims to visit a Tor-based web page named Encryption machine ‘GIBON’. There the malware explains how to make a ransom payment in Bitcoin within 24 hours, and then GIBON begins. If your computer has been infected by GIBON ransomware, we recommend that you read the following article and learn how to remove this ransomware and restore encrypted files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files and then asks victims to pay a hefty ransom fee within 24 hours; otherwise GIBON ransomware threatens that the files on the infected PC will be permanently lost.
Symptoms: Adds the .encrypt file extension to the files and drops a ransom note named READ_ME_NOW.txt.
Distribution Method: Spam e-mails, e-mail attachments, executable files.

GIBON Ransomware – Distribution

For this virus to infect a computer, it relies on an infection file whose primary purpose is to reach your computer and be executed while remaining undetected. To achieve this, the executable may carry exploits as well as obfuscators intended to conceal it from antivirus programs.

The infection file of GIBON ransomware may be concealed under different types of seemingly legitimate files. Such files may be:

  • Fake Invoices.
  • Fake purchase receipts.
  • Microsoft Word documents with embedded malicious macros.

The documents are usually delivered by a malicious e-mail whose primary purpose is to convince the victim to open the attachment or to click on a web link that leads to its download. Such e-mails often resemble legitimate messages from big companies such as eBay, PayPal or FedEx.

GIBON Ransomware – Activity

As soon as the infection process with GIBON ransomware takes place, the virus immediately connects to its C&C (Command and Control) servers. The malware then drops its malicious files on the victim’s computer. One of these files is named fine.exe and it may be located in the following Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

After the files are dropped, the ransomware also drops its note file, named READ_ME_NOW.txt, which has the following contents:

Attention! All the files are encrypted!
To restore the files, write to the mail:[email protected]
If you do not receive a response from this mail within 24 hours,
then write to the subsidiary:[email protected]

The virus also directs victims to a Tor-based web page where they can log in and pay the ransom.

After this has occurred, the GIBON ransomware virus may also begin to perform various other activities on the victim’s computer, such as modifying the Windows Registry; most importantly, it targets the following Windows registry key:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In that key, the GIBON ransomware may set its own registry entry so that the “fine.exe” file runs automatically on Windows boot. After this has been done, the GIBON virus may also delete the shadow volume copies of the infected computer by executing the bcdedit and vssadmin commands from the Windows Command Prompt as an administrator:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
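As an added defensive example that is not part of the original article, the following Python script implements detection logic for the two behaviours just described: a Run-key entry pointing at an executable inside one of the user-writable drop folders listed above, and a process command line that deletes shadow copies or disables Windows recovery. The log record format, the victim path and the Run-key entries are constructed for this example.

```python
import re

# Rules derived from the command line quoted in the article.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
RECOVERY_OFF = re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)
BOOT_POLICY = re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)
# Drop folders named in the article; anything launched from here deserves a closer look.
USER_DROP_DIR = re.compile(r"\\(?:AppData|Local|LocalLow|Roaming|Temp)\\", re.I)

def parse_line(line):
    """Split a constructed 'Key: value|Key: value' record into a dict."""
    return dict(part.split(": ", 1) for part in line.split("|"))

def classify_process(line):
    """Return the names of the rules a process-creation record triggers."""
    rec = parse_line(line)
    cmd = rec.get("CommandLine", "")
    hits = []
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if RECOVERY_OFF.search(cmd):
        hits.append("recovery_disabled")
    if BOOT_POLICY.search(cmd):
        hits.append("boot_failure_suppressed")
    # Escalate when the sabotage was launched from a user-writable folder.
    if hits and USER_DROP_DIR.search(rec.get("ParentImage", "")):
        hits.append("parent_in_user_drop_dir")
    return hits

def suspicious_run_entries(run_values):
    """Flag Run-key values whose command points into a user-writable folder."""
    return sorted(name for name, cmd in run_values.items() if USER_DROP_DIR.search(cmd))

# Constructed sample records (hypothetical victim path), not real telemetry.
SAMPLE_LOGS = [
    "Image: C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine: process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet"
    " & bcdedit.exe /set {default} recoveryenabled no"
    " & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\""
    "|ParentImage: C:\\Users\\victim\\AppData\\Roaming\\fine.exe",
    "Image: C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine: vssadmin.exe list shadows"
    "|ParentImage: C:\\Windows\\System32\\cmd.exe",
]
# Constructed Run-key snapshot: one benign vendor entry, one GIBON-style entry.
SAMPLE_RUN_KEY = {
    "VendorUpdater": "C:\\Program Files\\Vendor\\updater.exe /background",
    "fine": "C:\\Users\\victim\\AppData\\Roaming\\fine.exe",
}
```

Running classify_process over SAMPLE_LOGS flags only the first record (all four rules), while the benign "vssadmin list shadows" record is left alone. Legitimate per-user software also installs under AppData, so treat the Run-key rule as a triage signal to review rather than a verdict.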

GIBON Ransomware – Encryption Process

The encryption of files is carried out by GIBON ransomware’s main executable, “fine.exe”, although it may be accompanied by other malicious executables as well. The virus has been carefully configured not to encrypt important Windows files, which keeps the operating system from breaking down. Regarding the encryption process, GIBON ransomware targets videos, audio files, image files, documents and other commonly used file types.


The encryption process itself consists of several steps, the first of which is to replace part of each targeted file’s contents with its encrypted equivalent, so that the file can no longer be opened. A unique decryption key is generated to unlock the encrypted files; this key is known only to the cyber-criminals, and the victim has no access to it.

In addition to encrypting files, the GIBON virus also adds the .encrypt suffix to each encoded file, so that, for example, a file named report.docx would appear as report.docx.encrypt.

Remove GIBON Ransomware and Restore .encrypt Files

To remove this virus from your computer, follow the removal instructions below. They describe step-by-step methods for removing all malicious objects related to GIBON after isolating the virus. Be advised that, while you can do this manually, security professionals consistently recommend an advanced anti-malware program, which handles the removal process automatically, makes sure that GIBON ransomware is removed completely and protects your system against future infections as well.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
