Gryphon Ransomware

What does it do?

Encrypts the file like any other ransomware.

To know more about ransomware, please refer:

Ransomware – A Simple ‘Pay or Loose Everything’ Game

What else?

Renames the selected files and update their extensions to .[[email protected]].gryphon

And copies a ransom note to each directory it encrypts file into, and also creates a entry in autorun to run automatically every time system logs in.

Deletes volume snapshots (often used by ransomware).

——————————-Let’s do some More Digging————————————-

Creations when execution begins

• Ransom Note

The original ransom note is created in

C:\Users\<UserName>\AppData\Roaming\HELP.txt

which is copied in each directory it encrypts files into.

The ransom note looks like this:

 

and once it’s executed, the system folders look like this:

 

• Autorun Entry

The registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” is updated with a new value named “DECRYPTINFO”. Its value data is “C:\Users\<Username>\AppData\Roaming\HELP.txt”.

Effect: The ransom note is displayed on desktop everytime you login windows.

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider

Possessions when it executes

Imported System Libraries and functions

ADVAPI32.dll

CryptAcquireContextA

CryptCreateHash

CryptDeriveKey

CryptDestroyHash

CryptEncrypt

CryptHashData

cryp32.dll

CryptStringtoBinary

CryptDecodeObject

CryptImportPublicKeyInfo

Command line Execution

The following shell commands deletes shadowcopy and disables system recovery feature.

C:\Windows\System32\cmd.exe /c vsadmin.exe Delete Shadow /All /Quiet

C:\Windows\System32\cmd.exe /c bcedit.exe /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe /c bcedit.exe /set {default} bootstatuspolicy ignoreallfailures

Is recovery possible?

Yes. Many online vendors are doing it for you though you can do it as well by following the simple steps as given in following link:

https://www.pcrisk.com/removal-guides/11531-gryphon-ransomware

Note: Start reading after “If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.”

References:

https://www.hybrid-analysis.com/sample/933af0c69e1e622e5677e52c24545761c2843b3f52ea38e63bbe4786bfd6276e?environmentId=100

https://www.hybrid-analysis.com/sample/5c87f436bc60196fe3e4160ba2083bde10de5a37ea0d5bcdccf6088eaa517cfe?environmentId=100

https://malwr.com/analysis/MzJkOGFkZDdiZmJkNDllZDkzMmMyZDE4MGQyNmI3ZjI/

https://www.virustotal.com/en/file/5c87f436bc60196fe3e4160ba2083bde10de5a37ea0d5bcdccf6088eaa517cfe/analysis/

And our dude: