GIBON Ransomware - How to Remove and Restore .encrypt Files

This article explains how to remove the GIBON ransomware virus and how to restore files that have been encrypted with the .encrypt file extension.

A new ransomware infection named GIBON has been reported to append the .encrypt extension to the files on the computers it affects. The virus then leaves behind a ransom note, asking victims to visit a Tor-based web page named Encryption machine ‘GIBON’. The malware then explains how to make a ransom payment in BitCoins within 24 hours and then GIBON begins. If your computer has been infected by GIBON ransomware, we recommend that you read the following article and learn how to remove this ransomware and restore encrypted files.

Threat Summary

Name: GIBON
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files and then asks victims to pay a hefty ransom fee in 24 hours' time, otherwise GIBON ransomware threatens that the files on the infected PC will be permanently lost.
Symptoms: Adds the .encrypt file extension to the files and drops a ransom note, named READ_ME_NOW.txt
Distribution Method: Spam Emails, Email Attachments, Executable files

GIBON Ransomware – Distribution

To infect a computer, this virus uses an infection file whose primary purpose is to slip onto your computer and be executed while remaining undetected. To do this, the executable may use different exploits as well as obfuscators, which aim to conceal it from antivirus programs.

The infection file of GIBON ransomware may be concealed under different types of seemingly legitimate files. Such files may be:

  • Fake Invoices.
  • Fake purchase receipts.
  • Microsoft Word documents with embedded malicious macros.

The documents are often accompanied by a malicious e-mail whose primary purpose is to convince the victim to open the malicious e-mail attachment or click on a web link that leads to its download. Such e-mails often resemble legitimate e-mails from big companies, such as eBay, PayPal or FedEx.

GIBON Ransomware – Activity

As soon as the infection with GIBON ransomware takes place, the virus immediately connects to its C&C (Command and Control) servers. This results in the malware dropping its malicious files on the victim’s computer. One of the malicious files is named fine.exe and it may be located in the following Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

After the files are dropped, the ransomware also drops its note file, named READ_ME_NOW.txt, which has the following contents:

Attention! All the files are encrypted!
To restore the files, write to the mail:[email protected]
If you do not receive a response from this mail within 24 hours,
then write to the subsidiary:[email protected]

The virus also uses a web page to let victims log in and pay their ransom.

After this has occurred, the GIBON ransomware virus may also begin to perform various other activities on the victim’s computer, such as modifying the Windows Registry and, more importantly, attacking the following Windows sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
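
One way to audit the four autorun keys listed above, added here as an example and not part of the original article: it parses the text printed by `reg query <key>` and flags values that point at fine.exe or start from a user-writable folder. The sample output, value names and function names are constructed for illustration.

```python
import re

# Constructed sample of `reg query` output for two of the keys listed above.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\fine.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sync Helper    REG_EXPAND_SZ    %Temp%\helper.exe -q
"""

# User-writable locations, expanded or as unexpanded environment variables.
WRITABLE = ("\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\", re.I)
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
EXE_PATH = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if KEY_LINE.match(line):
            key = line.strip()
        elif m and key:
            yield key, m.group(1), m.group(3)

def target_path(data):
    """Return the executable path of an autorun command, quoted or unquoted."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = EXE_PATH.match(data)
    return m.group(1) if m else data.split(" ", 1)[0]

def review_autoruns(text):
    """Return (key, value_name, reasons) for autoruns that deserve a closer look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        path = target_path(data).lower()
        reasons = []
        if path.rsplit("\\", 1)[-1] == "fine.exe":
            reasons.append("payload name from the article")
        if any(marker in path for marker in WRITABLE):
            reasons.append("starts from a user-writable location")
        if reasons:
            findings.append((key, name, reasons))
    return findings
```

Legitimate software also starts from AppData, so the second reason is a prompt to check the file's signature and origin rather than a verdict.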

In those sub-keys, the GIBON ransomware may set its custom registry entries that run the “fine.exe” file automatically on Windows boot. After this has been done, the GIBON virus may also delete the shadow volume copies of the infected computer by executing the bcdedit and vssadmin commands in Windows Command Prompt as an administrator:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
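
A detection sketch for the command line above, added here as an example and not taken from the original article: it checks process-creation command lines (for instance from Windows event 4688 or Sysmon event 1) for shadow-copy deletion and the two boot-recovery changes. The events, host names and function names are constructed for illustration.

```python
import re

# Patterns for the three commands quoted in the article, matched on a
# normalised command line so case, quoting and extra spaces do not matter.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\S+\s+)?recoveryenabled\s+no\b")),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\S+\s+)?bootstatuspolicy\s+ignoreallfailures\b")),
]

# Constructed process-creation events: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("WS-01", "fine.exe", 'cmd.exe /c vssadmin.exe delete shadows /all /quiet & '
     'bcdedit.exe /set {default} recoveryenabled no & '
     'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'),
    ("WS-02", "explorer.exe", "vssadmin list shadows"),
    ("WS-03", "powershell.exe", 'C:\\Windows\\System32\\VSSADMIN.EXE  Delete  "Shadows" /All'),
    ("WS-04", "cmd.exe", "bcdedit /enum"),
]

def normalise(cmdline):
    """Lower-case, drop quotes and cmd.exe carets, collapse whitespace."""
    cleaned = re.sub("[\"'^\u201c\u201d]", "", cmdline.lower())
    return re.sub(r"\s+", " ", cleaned).strip()

def classify(cmdline):
    """Return the names of all rules that match the command line."""
    text = normalise(cmdline)
    return sorted(name for name, pattern in RULES if pattern.search(text))

def scan(events):
    """Return one alert per event that matches at least one rule."""
    alerts = []
    for host, parent, cmdline in events:
        rules = classify(cmdline)
        if rules:
            # All three rules together is the full sequence the article quotes.
            alerts.append({"host": host, "parent": parent, "rules": rules,
                           "full_sequence": len(rules) == len(RULES)})
    return alerts
```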

GIBON Ransomware – Encryption Process

The encryption of files is conducted by GIBON ransomware’s main executable “fine.exe”, but it may also be accompanied by other malicious executable files. The virus has been carefully configured not to encrypt important Windows files, which prevents the OS from breaking down. Regarding the encryption process, GIBON ransomware targets videos, audio files, image files, documents and other important file types, like the following:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

The encryption process itself consists of several activities, the first of which is to replace a part of the targeted file with its encrypted analogue, making the file impossible to open. A unique decryption key is generated, which is needed to unlock the encrypted files. This key is known only to the cyber-criminals; the victim cannot access it.

In addition to encrypting files, the GIBON virus also adds the .encrypt file suffix to the encoded files.
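
A read-only triage sketch for the file indicators this article names (fine.exe, READ_ME_NOW.txt and the appended .encrypt suffix), added here as an example and not part of the original article. The function names and report layout are assumptions made for illustration.

```python
import os
from collections import Counter

NOTE_NAME = "read_me_now.txt"   # ransom note name from the article, lower-cased
PAYLOAD_NAME = "fine.exe"       # payload name from the article
SUFFIX = ".encrypt"             # suffix the article says is appended

def triage(root):
    """Walk root read-only and collect GIBON file indicators."""
    report = {"notes": [], "payloads": [], "encrypted": Counter(), "errors": []}
    # Unreadable directories are recorded instead of aborting the walk.
    walker = os.walk(root, onerror=lambda exc: report["errors"].append(str(exc)))
    for dirpath, _dirs, filenames in walker:
        for name in filenames:
            lowered = name.lower()          # Windows file names are case-insensitive
            full = os.path.join(dirpath, name)
            if lowered == NOTE_NAME:
                report["notes"].append(full)
            elif lowered == PAYLOAD_NAME:
                report["payloads"].append(full)   # a name match is a lead, not proof
            elif lowered.endswith(SUFFIX) and len(lowered) > len(SUFFIX):
                report["encrypted"][dirpath] += 1
    return report

def original_name(filename):
    """Name the file had before the .encrypt suffix was appended."""
    if filename.lower().endswith(SUFFIX) and len(filename) > len(SUFFIX):
        return filename[: -len(SUFFIX)]
    return filename

def summarize(report):
    """Rank directories by encrypted-file count to help scope the restore."""
    total = sum(report["encrypted"].values())
    worst = [d for d, _ in report["encrypted"].most_common(3)]
    return {"encrypted_total": total, "most_affected": worst,
            "note_found": bool(report["notes"]),
            "payload_candidates": len(report["payloads"])}
```

Running `summarize(triage(path))` against a user profile or a mounted backup shows which folders were hit without changing any file.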

Remove GIBON Ransomware and Restore .encrypt Files

To remove this virus from your computer, we recommend following the removal instructions below. They show step-by-step methods with which you can remove all the malicious objects related to GIBON after isolating the virus. Be advised that while you can do this manually, security professionals always advise using an advanced anti-malware program, which will take care of the removal process for you automatically and make sure that GIBON ransomware is removed completely and that your system is protected against future infections as well.


To remove GIBON follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove GIBON files and objects
2. Find files created by GIBON on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by GIBON

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
