GIBON Ransomware sold for $500 in Russian dark web criminal forum

The GIBON Ransomware variant was offered for $500 in an advertisement on a Russian dark web criminal forum. According to the advertisement, GIBON encrypts the file tree recursively, drops README.txt ransom notes for the victim, sends encryption keys to the operator's admin panel, and generates both the encryption and the decryption keys. Once a system is infected, the malware appends the .encrypt extension to each encrypted file's name.

The malware was first spotted by Proofpoint researcher Matthew Mesa, who found it being distributed via malspam carrying a malicious document attachment with macros.

The malware's command and control server does only one thing: it supplies the ransom note text to the client. That lets the operator change the note without compiling a new executable, so the exact note wording should not be treated as a stable indicator. Once a victim is registered with the C2 server, the ransomware generates an encryption key locally as a base64-encoded string.

The malware encrypts every file on the device regardless of its extension, rather than working from a list of targeted file types.

It is still unclear how much money the ransomware demands; the ransom note instructs victims to contact bomboms123@mail.ru and yourfood20@mail.ru for payment instructions.

The criminals claim the encryption uses a 2048-bit key and that the files cannot be decrypted by standard methods. The algorithm is not named; 2048 bits is a typical RSA key length, which ransomware normally uses to wrap per-victim or per-file symmetric keys rather than to encrypt file contents directly, so the claim is plausible but unverified.

FAQ
Q
How to protect yourself from ransomware infections?
A
To prevent infection, be cautious when browsing the Internet. Never open attachments from suspicious email addresses; delete such emails without reading them. Since GIBON arrives as a macro-enabled Office attachment, keep Office macros disabled for documents received from the Internet. Download software only from official sources via direct download links, since third-party download/installation tools often bundle malicious apps. Keep installed applications up to date and use legitimate anti-virus/anti-spyware software, but bear in mind that criminals also distribute malware disguised as updaters, so updating apps through a third-party tool is risky. The key to computer safety is caution.

The text of the GIBON ransom note ("READ_ME_NOW.txt"):

Attention! All the files are encrypted!
To restore the files, write to the mail:bomboms123@mail.ru
If you do not receive a response from this mail within 24 hours,
then write to the subsidiary:yourfood20@mail.ru

Screenshot of GIBON admin website:
Q
How did ransomware infect my computer?
A
As mentioned above, GIBON is spread via spam emails, but ransomware of this kind is also often distributed through fake software updaters, unofficial software download sources, and trojans. Fake software updaters either install malware in place of the promised update or exploit flaws in outdated software. Third-party download sources (freeware download websites, free file hosting websites, torrents, and so on) present malicious executables as legitimate software, tricking users into downloading and installing malware. Trojans act as droppers: they open a path for additional malware to enter the system. The main causes of infection are poor awareness and careless behavior.
Q
What is GIBON ransomware?
A
GIBON is a ransomware-type virus discovered by security researcher Matthew Mesa. It is distributed via a malicious MS Office document attached to spam emails; the document contains macro commands that download and install the malware. Once inside, GIBON encrypts stored data and appends the ".encrypt" extension to each filename, so "sample.jpg" becomes "sample.jpg.encrypt". After encryption it creates two files, "desktop.ini.encrypt" and "READ_ME_NOW.txt", in every folder it touched.
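The file-system artifacts listed above (the ".encrypt" extension, the "desktop.ini.encrypt" marker, the "READ_ME_NOW.txt" note and its two contact addresses) are enough to write a simple post-infection triage scan. The following script is an added example, not code from the article or from the malware's authors: it walks a directory tree, collects each indicator separately, and, because the note text is served by the C2 and can change between campaigns, matches notes on the contact addresses rather than on exact wording. The sample tree it builds in a temporary directory is constructed for the demonstration; the two-indicator threshold in `infected` is the author's own choice.

```python
"""Triage scan for GIBON ransomware file artifacts (added example)."""
import os
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the article; nothing else is assumed about the sample.
ENCRYPTED_SUFFIX = ".encrypt"
NOTE_NAME = "READ_ME_NOW.txt"
MARKER_NAME = "desktop.ini.encrypt"
CONTACT_EMAILS = ("bomboms123@mail.ru", "yourfood20@mail.ru")


@dataclass
class ScanReport:
    encrypted_files: list = field(default_factory=list)
    notes: list = field(default_factory=list)            # notes naming a known contact address
    unmatched_notes: list = field(default_factory=list)  # notes with unexpected text (note text is C2-served)
    folders_with_marker: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Require two independent indicator types so one oddly named file is not a hit.
        signals = sum([
            bool(self.encrypted_files),
            bool(self.notes) or bool(self.unmatched_notes),
            bool(self.folders_with_marker),
        ])
        return signals >= 2


def note_matches(text: str) -> bool:
    """Match on the contact addresses, not the wording, since the operator can change the note."""
    lowered = text.lower()
    return any(addr in lowered for addr in CONTACT_EMAILS)


def scan_tree(root: str) -> ScanReport:
    report = ScanReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == MARKER_NAME:
                # Dropped marker file, not an encrypted original, so count it separately.
                report.folders_with_marker.append(dirpath)
            elif name == NOTE_NAME:
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    text = ""
                (report.notes if note_matches(text) else report.unmatched_notes).append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(path)
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample tree: one hit folder and one clean folder."""
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Clean")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "sample.jpg.encrypt"), "wb") as fh:
        fh.write(b"\x00" * 16)
    with open(os.path.join(hit, MARKER_NAME), "wb") as fh:
        fh.write(b"")
    with open(os.path.join(hit, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Attention! All the files are encrypted!\n"
                 "To restore the files, write to the mail:bomboms123@mail.ru\n")
    with open(os.path.join(clean, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("nothing to see here\n")


def demo() -> ScanReport:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    r = demo()
    print("infected:", r.infected)
    print("encrypted files:", len(r.encrypted_files))
    print("ransom notes:", len(r.notes), "unmatched notes:", len(r.unmatched_notes))
    print("folders with desktop.ini.encrypt:", len(r.folders_with_marker))
```

To run it against a real host, call `scan_tree()` on the mounted volume instead of `demo()`; an `unmatched_notes` entry means a READ_ME_NOW.txt was found whose contact details differ from the two addresses reported here, which is worth a manual look rather than an automatic dismissal.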