Gibon virus Removal Guide
What is Gibon ransomware virus?
Files locked by Gibon ransomware can be decrypted thanks to flaws in the malicious code
Gibon ransomware is a new crypto-malware variant which has been spreads via malspam and corrupts files on a computer and appends a .encrypt file extension to their filenames. Consequently, it leaves a note in READ_ME_NOW.txt file and instructs the victim to contact fraudsters by writing to email@example.com or firstname.lastname@example.org.
No further information is provided to the victim, but it is clear that criminals have only one objective – extort the computer user by asking to pay a ransom for a data decryption solution.
This file-encrypting ransomware was dubbed GIBON as it uses such name for user agent during the communication with Command & Control server (C2). Additionally, the name is used in virus’ admin’s panel, where it calls itself “Encryption machine “GIBON.”
According to the latest information, ransomware has also been promoted on various underground criminal forums as an easy way to get rich. A user who presents himself as AUS_8 has been presenting the virus as “Encryption Machine GIBON” since May 2017. All ads that are used to push it re written in Russian, prompting the idea that the virus hails from Russia. The price that is asked for this example is $500.
Once installed on the target computer, the ransomware addresses its C2 server and register the new victim by sending several details about the compromised computer. The C2 server receives the following information (base64-encoded) about victim’s computer:
- The timestamp;
- Version of Windows OS;
- “Register” string.
The server then responds with a base64-encoded string that contains the ransom note. This way, the author of the virus can customize the ransom note text without having to create a whole new ransomware executable and distribute it again.
Finally, the malicious virus generates an encryption key on victim’s computer, encodes it and transmits it to the Command & Control server. The server then responds with a ransom note again.
At this point, the malware is ready to start the encryption procedure. Gibon virus is set to encrypt all files except the ones stored in C:/Windows directory. The entire time of the encryption procedure, the virus keeps sending notifications to its C2 server to confirm that data encryption is in progress.
Finally, the virus completes the encoding procedure by dropping ransom notes into folders that contain some encrypted data. The full text provided in the ransom note is provided below.
Attention! All the files are encrypted!
To restore the files, write to the mail: email@example.com
If you do not receive a response from this email within 24 hours,
then write to the subsidiary: firstname.lastname@example.org
If your files were corrupted by this malicious virus, you must remove Gibon ransomware as soon as you can. The virus is new and dangerous, so we suggest deleting it with an anti-malware software like FortectIntego.
IMPORTANT. Good news to all victims of this new ransomware – files encrypted by this malware variant can be decrypted for free. Researchers have discovered a free decryption solution that helps to restore .encrypt extension files for free. Please complete Gibon removal before attempting to use data recovery instructions provided below this article.
Gibon ransomware is a file-encrypting software that seeks to extort inexperienced computer users. Luckily, a free decryption tool is available, so victims can restore .encrypt file extension files without paying the ransom.
The new ransomware is being pushed via malspam and criminal forums
Gibon virus is currently being pushed via malicious spam (also known as malspam), says our colleague from Novirus.uk. It means that you can receive the virus in the form of a deceptive email attachment or a hyperlink added to a virtual message. Therefore, you should stay away from messages composed by strangers, even if they pretend to be someone you know.
Keep in mind that scammers often include official-looking company logos and other details to make their messages look legitimate. Unfortunately, they can also spoof the sender’s address and trick you into thinking that the email came from a trustworthy party.
We do not recommend you to interact with the content of suspicious emails, and better take actions to protect your computer system in advance. First of all, you should secure your PC with an anti-malware software, create a data backup and install the latest software updates. Finally, we recommend reading these tips on how to identify phishing emails containing malicious attachments.
Besides, the latest reports warned PC users that ransomware has also been sold on Russian criminal forums. Currently, the price for this example reaches $500, but there is no guarantee that it won't increase in the future. Unfortunately, this can also increase the risk of getting infected with this example.
Remove Gibon ransomware and decrypt files with .encrypt extensions
The decryption software for the described malware variant is already available, so make sure you remove Gibon virus properly before using it. You can restore all of your files for free, which happens very rarely. It is clear that authors of the virus still have space for improvement and it is very likely that they will do so shortly.
Take the chance and restore your files for free, but do not forget to take precautionary measures to prevent a similar virus from encrypting your files ever again. Gibon removal guide we provided below explains how to kill the virus safely. You will find the link to download the decryption software right below the removal instructions.
Getting rid of Gibon virus. Follow these steps
Manual removal using Safe Mode
Before you try to restore your files, remove Gibon virus after rebooting your computer in clean state. Instructions on how to do it safely are presented below.
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Gibon using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Gibon. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove Gibon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
At the moment, there is a free decryption tool that you can use to restore all files with .encrypt file extensions. If the ransomware gets updated in the future, the tool may no longer work. However, in such situation you can use data backups (you have to create them prior to a ransomware attack!).
If your files are encrypted by Gibon, you can use several methods to restore them:
Use a free GIBON decryption tool
This Gibon ransomware decrypter was created by Michael Gillespie, a known malware analyst. You can use it to decrypt your files for free.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Gibon and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.