
Remove Gryphon ransomware / virus (Removal Guide) - Recovery Instructions Included

removal by Linas Kiguolis | Type: Ransomware

Gryphon ransomware “steals” file extensions from other viruses

Gryphon virus

Gryphon virus is a new computer infection with an aim typical to most cyber infections – making a substantial and effortless profit. Technically, it is known as ransomware [1]. For the communication with their victims, hackers indicate email addresses: and decrsup@cock.ll.

The same email address is featured next to the files that undergo a complex encryption process: documents are appended with [].gryphon extensions. More recent ransomware versions add .crypton file extensions on encrypted records.

Malware experts believe that this cyberthreat might be related to the BTCWare ransomware family, as it is built using the code of this infamous virus. Due to such obvious relations, some people are already relabelling this malware as BTCWare Gryphon virus.

Currently, the virus experts are aware of one Gryphon virus version which spreads around as payload.exe file. Once this executable manages to infiltrate the computer, it enables the ransomware to start encrypting files and, eventually, display a ransom note demanding money for data decryption.

Experts have been monitoring this cyber infection for a while, and the mentioned features are major improvements compared to the initial virus version (Test ransomware) which added .[test].gryphon extensions to the computer files and had no defined interface, to begin with.

If you find your files encrypted, don’t allow yourself to be manipulated by the cyber criminals and remove Gryphon from your PC before the parasite receives additional updates. Use Reimage, Intego or Malwarebytes to fix your device.

Gryphon makes a diversion by adding .cryptON extension

If you follow the trends in the IT sphere, you may recall that each ransomware has a distinguishing feature: a different file extension. Nonetheless, there are cases when several viruses of the same family, or even different crypto-malware, append the same extensions. The relatively new Gryphon virus behaves this way as well.

It attaches %s.[ ].crypton extension similar to the one attached by a different virus – CryptOn ransomware. It presents its demands in HELP.txt file. After the victims are ready to transfer the money, they are instructed to contact the perpetrators via or

While there are no major improvements, the authors have employed a different RSA key for encrypting the AES which lowers the overall Gryphon decryption probabilities. Luckily, the new variant is already detectable by multiple cyber security utilities.

Gryphon ransomware virus illustration: Gryphon virus infiltrates computers and drops a ransom note (illustrated above) to demand a ransom from victims. In exchange, hackers promise to decrypt the victim's files.

The original version of the malware greets its victims by opening HELP.inf or !## DECRYPT FILES ##!.txt files which contain the following message:

Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – “GRYPFON DECRYPTER” Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
If you want to restore files, write us to the e-mail: test2
In subject lite write “encryption” and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week in interest of our security.
Only in case you do not receive a response from the first email address withit 48 hours, please use this alternative email adress: test3
Your personal identification number:
[Victim’s ID]

It seems that the virus is currently undecryptable. Besides, it messes with the computer's Master Boot Records which may need additional fixing after the malware is removed from the PC. The good news is, the parasite does not seem to be erasing Volume Shadow Copies from the infected system which allows relatively easy recovery of your important data.

But first, you must take care of the Gryphon removal. Be careful not to leave dangerous malware files lurking inside your system. Unattended files can trigger the virus to come back to your PC and encrypt your files again.
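To scope the damage before recovery, the file names described in this guide can be inventoried without modifying anything. The following is an added example, not code from the original guide: the function names, the sample tree and the bracket value `contact-placeholder` are constructed for illustration, and because HELP.txt is a common file name, note hits need manual review.

```python
import os
import re
import tempfile
from collections import Counter

# Name shapes described in this guide: "<original>.[<contact>].gryphon" and
# "<original>.[<contact>].crypton" (letter case varies, e.g. ".cryptON").
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<contact>[^\]]*)\]\.(?P<ext>gryphon|crypton)$",
    re.IGNORECASE,
)
# Ransom note file names mentioned in this guide (compared case-insensitively).
NOTE_NAMES = {"help.txt", "help.inf", "!## decrypt files ##!.txt"}

def classify(filename):
    """Return ("encrypted", original_name, contact), ("note", None, None) or None."""
    m = ENCRYPTED_RE.match(filename)
    if m:
        return ("encrypted", m.group("original"), m.group("contact").strip())
    if filename.lower() in NOTE_NAMES:
        return ("note", None, None)
    return None

def scan(root):
    """Walk root read-only; list affected files and count them per directory."""
    report = {"encrypted": [], "notes": [], "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            path = os.path.join(dirpath, name)
            if hit[0] == "note":
                report["notes"].append(path)
            else:
                # Keep the original name so it can be looked up in a backup.
                report["encrypted"].append((path, hit[1], hit[2]))
                report["by_dir"][dirpath] += 1
    return report

def demo():
    """Build a constructed sample tree (placeholder names) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.docx.[contact-placeholder].gryphon",
                     "photo.jpg.[ ].cryptON", "HELP.txt", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

The recovered original names can be matched against Previous Versions or backup copies, and the per-directory counts show which folders were reached.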

Ransomware prevention tendencies:

Gryphon ransomware is a perfect example of how various in-development programs can turn into full-blown ransomware infections which may seriously damage infected computers and corrupt users’ personal files.

Thus, a smart thing to do is to learn how to avoid becoming a target.

You can start by following these simple rules:

  • Stay away from poor reputation websites and don’t use them as sources for your software downloads
  • Be careful when opening emails, especially if they arrive from unfamiliar or suspicious senders. The spam folder is the absolute red zone. Emails end up there for a reason, so you should avoid opening them unless you are completely sure the email is safe.[2]
  • Obtain reliable security software, enable firewalls and keep all computer protection tools up to date
  • Don’t forget to enable automatic System Updates as well! If you are still using an outdated and unsupported operating system version, we also recommend upgrading to the newest one.

Implementing these rules in your daily computer use should diminish the chances of getting infected with Gryphon or any other ransomware viruses.

Eliminating Gryphon malware

The first Gryphon removal step you should take is to obtain a professional tool that would have no problem eliminating ransomware from your PC. You can find descriptions of our recommended tools in the Software section of our website.

For those who don’t want to invest in new antivirus software or simply can’t remove Gryphon from their computers automatically due to the lack of system capacities, we provide a manual step-by-step guide below this article. 


To remove Gryphon virus, follow these steps:

Remove Gryphon using Safe Mode with Networking

Gryphon ransomware may still be a virus in development, but it may resist being removed from your computer. Therefore, you should learn how to block the malicious processes and enable an automatic system scan with antivirus. We explain how to do that below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Gryphon

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Gryphon removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Gryphon using System Restore

If you don't want to take risks while eliminating the ransomware from your computer, you should help your antivirus software out by following the steps below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Gryphon. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage or Intego, scan your computer and make sure that Gryphon removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Gryphon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Gryphon, you can use several methods to restore them:

Technique no.1: Data Recovery Pro

If you want to employ Data Recovery Pro for the recovery of your files, you should follow the guidelines below and do it properly:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Gryphon ransomware;
  • Restore them.

Technique no.2: Windows Previous Versions feature

The instructions below the article will explain how to use Windows Previous Versions feature and hopefully recover your files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Technique no.3: Shadow Explorer

Shadow Explorer may be your best chance at recovering encrypted files. Here is how to use this tool properly:

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Gryphon and other ransomware, use a reputable anti-spyware, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Linas Kiguolis - Expert in social media
