GIBON ransomware spread through spam
A new ransomware called GIBON is being distributed, once again, through malspam (malware spread via email): the message carries a malicious attachment whose macro downloads and installs the ransomware on the victim's computer.
Although little is known about this malspam campaign, we at least know how the ransomware operates, and fortunately its files can be decrypted. So if you are a victim of this ransomware, download the file decryption tool here: https://download.bleepingcomputer.com/demonslay335/GibonDecrypter.zip
Why is it called GIBON ransomware?
When new malware appears, researchers usually name it after a string found in the executable file or in the malware's own components, which gives a natural naming scheme.
Gibon Ransomware communicates with C2 server
GIBON's name comes from two places. The first is the identification string (the User-Agent) that GIBON uses when communicating with its command-and-control (C&C) server. The second is the admin panel: in the image below you can also see it calling itself the 'GIBON coding machine'.
Admin control panel of GIBON
How does GIBON encrypt computers?
Although detailed information on how GIBON gets onto a machine is not available, this is how it encrypts the victim's data. On startup, GIBON connects to the C&C server and registers the new victim by sending a base64-encoded string containing a timestamp, the Windows version and the string 'register'. This tells the C2 that this is a new victim.
The C2 then sends a response containing a base64-encoded string that is used as the ransom note. By having the C2 server supply the ransom note instead of embedding it in the executable, the attacker can update the note easily without having to distribute a new executable.
When registering with the C2, the ransomware also sends it a base64-encoded string that serves as the key used to XOR-encrypt all files on the computer. Encrypted files receive the .encrypt extension. While encrypting, GIBON periodically sends a ping to the C2 to indicate that it is still running.
Encrypted files have additional .encrypt extensions
A separate ransom note named READ_ME_NOW.txt is also dropped in each folder that has been encrypted; it provides payment information and instructions.
GIBON extortion notice
When encryption is complete, the ransomware sends a message to the C2 containing the string 'finish', a timestamp, the Windows version and the number of encrypted files.
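The register, ping and finish beacons described above are the network-side indicators a defender can hunt for. The following added example (not code from the original article or from the ransomware's authors) decodes base64 beacon bodies out of constructed proxy log lines and rebuilds the infection timeline per host. The User-Agent value "GIBON" comes from the article; the pipe-separated payload layout `stage|timestamp|windows_version[|file_count]`, the `/gate` path and the log line format are assumptions made only so the sample can be decoded here.

```python
import base64
import binascii
import re


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample log lines."""
    return base64.b64encode(text.encode()).decode()


# Constructed proxy log for one infected host (10.0.0.5) plus one benign line.
# Field layout inside the body is an ASSUMPTION, not GIBON's documented format.
SAMPLE_PROXY_LOG = [
    f'10.0.0.5 - POST /gate ua="GIBON" body={_b64("register|1509600000|Windows 7")}',
    f'10.0.0.5 - POST /gate ua="GIBON" body={_b64("ping|1509600060|Windows 7")}',
    f'10.0.0.5 - POST /gate ua="GIBON" body={_b64("ping|1509600120|Windows 7")}',
    f'10.0.0.5 - POST /gate ua="GIBON" body={_b64("finish|1509600180|Windows 7|1342")}',
    '10.0.0.9 - GET /index.html ua="Mozilla/5.0" body=',  # benign, must not alert
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<method>\w+) (?P<path>\S+) ua="(?P<ua>[^"]*)" body=(?P<body>\S*)$'
)
STAGES = {"register", "ping", "finish"}


def decode_beacon(body: str):
    """Decode a base64 beacon body; return a dict of fields, or None if it is not one."""
    if not body:
        return None
    try:
        raw = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = raw.split("|")
    if len(parts) < 3 or parts[0] not in STAGES:
        return None
    try:
        beacon = {"stage": parts[0], "timestamp": int(parts[1]), "os": parts[2]}
        if parts[0] == "finish" and len(parts) >= 4:
            beacon["files_encrypted"] = int(parts[3])
    except ValueError:
        return None
    return beacon


def scan_proxy_log(lines):
    """Return one alert per line that matches the User-Agent IOC or carries a decodable beacon."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        beacon = decode_beacon(m["body"])
        ua_hit = "GIBON" in m["ua"]
        if not (ua_hit or beacon):
            continue
        alert = {"src": m["src"], "ua_match": ua_hit, "stage": beacon["stage"] if beacon else None}
        if beacon and "files_encrypted" in beacon:
            alert["files_encrypted"] = beacon["files_encrypted"]
        alerts.append(alert)
    return alerts


def infection_timeline(alerts):
    """Group alerts by host and record whether the 'finish' beacon (encryption done) was seen."""
    timeline = {}
    for a in alerts:
        host = timeline.setdefault(a["src"], {"stages": [], "completed": False, "files_encrypted": None})
        host["stages"].append(a["stage"])
        if a["stage"] == "finish":
            host["completed"] = True
            host["files_encrypted"] = a.get("files_encrypted")
    return timeline


if __name__ == "__main__":
    for host, info in infection_timeline(scan_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(host, info)
```

A host that shows a register beacon but no finish beacon is the one worth isolating first: the article says the malware keeps pinging while it encrypts, so the absence of 'finish' means encryption may still be in progress.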
IOC information about GIBON Ransomware
Hash
SHA256: 30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98
Related files
READ_ME_NOW.txt
Related email addresses
bomboms123@mail.ru
subsidiary: yourfood20@mail.ru
Ransom note
Attention! Your files have been encrypted!
To restore the files, write to the email: bomboms123@mail.ru
If you do not receive a reply from this email within 24 hours,
then write to the subsidiary: yourfood20@mail.ru
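The indicators listed above can be turned directly into a host-side check. The following added example (not part of the original article and not the decryption tool linked above) builds a throwaway directory that imitates a partially encrypted host, then walks it looking for the .encrypt extension, the READ_ME_NOW.txt note, the two contact addresses inside the note, and the published SHA256 of the sample. The file names and note contents in the constructed tree are made up for the demonstration; the hash, note name, extension and emails are the article's IOCs.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the article's IOC section.
GIBON_SHA256 = "30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98"
RANSOM_NOTE_NAME = "READ_ME_NOW.txt"
ENCRYPTED_EXT = ".encrypt"
CONTACT_EMAILS = ("bomboms123@mail.ru", "yourfood20@mail.ru")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk a directory tree and collect every GIBON indicator found in it."""
    findings = {"encrypted_files": [], "ransom_notes": [], "sample_hashes": [], "email_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix == ENCRYPTED_EXT:
                findings["encrypted_files"].append(str(p))
            if name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(str(p))
                text = p.read_text(errors="replace")
                findings["email_hits"].extend(e for e in CONTACT_EMAILS if e in text)
            if sha256_of(p) == GIBON_SHA256:
                findings["sample_hashes"].append(str(p))
    return findings


def is_gibon_infection(findings) -> bool:
    """Treat the host as infected when both the encrypted-file pattern and the ransom note are present."""
    return bool(findings["encrypted_files"]) and bool(findings["ransom_notes"])


def build_constructed_tree() -> Path:
    """Create a temporary tree that looks like a partially encrypted host (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="gibon_demo_"))
    note = (
        "Attention! Your files have been encrypted!\n"
        "To restore the files, write to the email: bomboms123@mail.ru\n"
        "If you do not receive a reply from this email within 24 hours,\n"
        "then write to the subsidiary: yourfood20@mail.ru\n"
    )
    for folder, victim in (("docs", "report.docx"), ("pics", "holiday.jpg")):
        d = root / folder
        d.mkdir()
        (d / f"{victim}{ENCRYPTED_EXT}").write_bytes(b"\x00" * 32)  # placeholder ciphertext
        (d / RANSOM_NOTE_NAME).write_text(note)
    (root / "untouched.txt").write_text("clean file, no indicators\n")
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    result = scan_tree(demo_root)
    print("infected:", is_gibon_infection(result))
    for key, hits in result.items():
        print(f"{key}: {len(hits)}")
```

The hash check will not fire on the constructed tree, since none of the dummy files is the real sample; it is there so the same scan also catches the dropped executable when it is still on disk.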