
Gryphon ransomware virus. How to remove? (Uninstall guide)

Removal guide by Linas Kiguolis | Type: Ransomware

Gryphon ransomware “steals” file extensions from other viruses

Gryphon virus

Gryphon virus is a new computer infection with an aim typical of most cyber infections – making a substantial and effortless profit. Technically, it is known as ransomware [1]. For communication with their victims, the hackers provide the email addresses decr@cock.li and decrsup@cock.ll.

The same email address is featured next to the files that undergo a complex encryption process: documents are appended with [decr@cock.li].gryphon extensions. More recent ransomware versions add .crypton file extensions on encrypted records.

Malware experts believe that this cyberthreat might be related to the BTCWare ransomware family, as it is built using the code of this infamous virus. Due to such obvious relations, some people are already relabelling this malware as the BTCWare Gryphon virus.

Currently, the virus experts are aware of one Gryphon virus version which spreads around as payload.exe file. Once this executable manages to infiltrate the computer, it enables the ransomware to start encrypting files and, eventually, display a ransom note demanding money for data decryption.

Experts have been monitoring this cyber infection for a while, and the mentioned features are major improvements compared to the initial virus version (Test ransomware), which added .[test].gryphon extensions to the computer files and had no defined interface to begin with.

If you find your files encrypted, don’t allow yourself to be manipulated by the cyber criminals and remove Gryphon from your PC before the parasite receives additional updates. Use Reimage or Malwarebytes Anti Malware to fix your device.

Gryphon makes a diversion by adding .cryptON extension

If you follow the trends in the IT sphere, you may recall that each ransomware has a distinguishing feature – a different file extension. Nonetheless, there are cases when viruses of the same family, or even different crypto-malware, append the same extensions. The relatively new Gryphon virus happens to behave likewise.

It attaches the %s.[gladius_rectus@aol.com ].crypton extension, similar to the one attached by a different virus – CryptOn ransomware. It presents its demands in a HELP.txt file. Once the victims are ready to transfer the money, they are instructed to contact the perpetrators via gladius_rectus@aol.com or gladius_rectus@india.com.

While there are no major improvements, the authors have employed a different RSA key for encrypting the AES key, which lowers the overall Gryphon decryption probabilities. Luckily, the new variant is already detectable by multiple cyber security utilities.

The original version of the malware greets its victims by opening HELP.inf or !## DECRYPT FILES ##!.txt files, which contain the following message:

GRYPHON RANSOMWARE
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – “GRYPFON DECRYPTER” Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
If you want to restore files, write us to the e-mail: test2
In subject lite write “encryption” and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week in interest of our security.
Only in case you do not receive a response from the first email address withit 48 hours, please use this alternative email adress: test3
Your personal identification number:
[Victim’s ID]
GRYPHON RANSOMWARE

It seems that the virus is currently undecryptable. Besides, it tampers with the computer's Master Boot Record, which may need additional fixing after the malware is removed from the PC. The good news is that the parasite does not seem to erase Volume Shadow Copies from the infected system, which allows relatively easy recovery of your important data.
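As an added illustration (not part of the original guide), the following Python snippet triages a file listing against the extension patterns and ransom-note names described above, so a defender can see which Gryphon variant touched a host before cleanup and recovery. The sample paths are constructed, not taken from a real infection.

```python
import ntpath
import re
from collections import Counter

# Extension patterns described in the article: the original Test build
# (.[test].gryphon), the decr@cock.li build ([decr@cock.li].gryphon) and the
# later CryptON-style build (.[gladius_rectus@aol.com ].crypton). The regex
# accepts any bracketed contact marker so renamed mailboxes are still caught.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+?)\.?\[(?P<contact>[^\]]+)\]\.(?P<ext>gryphon|crypton)$",
    re.IGNORECASE,
)

# Ransom-note file names quoted on the page.
RANSOM_NOTES = {"HELP.txt", "HELP.inf", "!## DECRYPT FILES ##!.txt"}


def classify(path):
    """Return ('note', None), ('encrypted', contact) or ('clean', None)."""
    name = ntpath.basename(path)  # handles both '\\' and '/' separators
    if name in RANSOM_NOTES:
        return ("note", None)
    m = ENCRYPTED_NAME.match(name)
    if m:
        return ("encrypted", m.group("contact").strip().lower())
    return ("clean", None)


def triage(paths):
    """Summarise a listing: counts per class, contact markers seen, note paths.

    The contact marker tells which variant hit the host, which matters because
    the article notes that the variants use different RSA keys."""
    counts, contacts, notes = Counter(), Counter(), []
    for p in paths:
        kind, contact = classify(p)
        counts[kind] += 1
        if kind == "encrypted":
            contacts[contact] += 1
        elif kind == "note":
            notes.append(p)
    return {"counts": dict(counts), "contacts": dict(contacts), "notes": notes}


# Constructed sample listing (hypothetical paths, not from a real system).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.[decr@cock.li].gryphon",
    r"C:\Users\alice\Documents\HELP.inf",
    r"C:\Users\alice\Pictures\holiday.jpg.[test].gryphon",
    r"C:\Users\alice\Desktop\report.docx.[gladius_rectus@aol.com ].crypton",
    r"C:\Users\alice\Desktop\HELP.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```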

But first, you must take care of the Gryphon removal. Be careful not to leave dangerous malware files lurking inside your system. Unattended files can trigger the virus to come back to your PC and encrypt your files again.

Ransomware prevention tips:

Gryphon ransomware is a perfect example of how various in-development programs can turn into full-blown ransomware infections which may seriously damage infected computers and corrupt users’ personal files.

Thus, a smart thing to do is to learn how to avoid becoming a target.

You can start by following these simple rules:

  • Stay away from websites with a poor reputation and don’t use them as sources for your software downloads
  • Be careful when opening emails, especially if they arrive from unfamiliar or suspicious senders. The spam folder is an absolute red zone: emails end up there for a reason, so avoid opening them unless you are completely sure the email is safe.[2]
  • Obtain reliable security software, enable firewalls and keep all computer protection tools up to date
  • Don’t forget to enable automatic System Updates as well! If you are still using an outdated and unsupported operating system version, we also recommend upgrading to the newest one.

Implementing these rules in your daily computer use should diminish the chances of getting infected with Gryphon or any other ransomware viruses.

Eliminating Gryphon malware

The first Gryphon removal step you should take is to obtain a professional tool that would have no problem eliminating ransomware from your PC. You can find descriptions of our recommended tools in the Software section of our website.

For those who don’t want to invest in new antivirus software or simply can’t remove Gryphon from their computers automatically due to the lack of system capacities, we provide a manual step-by-step guide below this article. 


Manual Gryphon virus Removal Guide:

Remove Gryphon using Safe Mode with Networking

Gryphon ransomware may still be a virus in development, but it may fight to stay installed on your computer. Therefore, you should learn how to block the malicious processes and enable an automatic system scan with your antivirus. We explain how to do that below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Gryphon

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Gryphon removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Gryphon using System Restore

If you don't want to take risks while eliminating the ransomware from your computer, you should help your antivirus software by decontaminating the virus following the steps below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Gryphon. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that Gryphon removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Gryphon from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Gryphon, you can use several methods to restore them:

Technique no.1: Data Recovery Pro

If you want to employ Data Recovery Pro for the recovery of your files, you should follow the guidelines below and do it properly:

Technique no.2: Windows Previous Versions feature

The instructions below the article will explain how to use Windows Previous Versions feature and hopefully recover your files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Technique no.3: Shadow Explorer

Shadow Explorer may be your best chance at recovering encrypted files. Here is how to use this tool properly:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Gryphon and other ransomware, use a reputable anti-spyware tool, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.
