Gryphon Ransomeware

What does it do?

Encrypts the file like any other ransomware.

To know more about ransomware, please refer:

Ransomware – A Simple ‘Pay or Loose Everything’ Game

What else?

Renames the selected files and update their extensions to .[[email protected]].gryphon

And copies a ransom note to each directory it encrypts file into, and also creates a entry in autorun to run automatically every time system logs in.

Deletes volume snapshots (often used by ransomware).

——————————-Let’s do some More Digging————————————-

Creations when execution begins

  • Ransom Note

The original ransom note is created in


which is copied in each directory it encrypts files into.

The ransom note looks like this:

Gryphon ransomeware message on screen


and once it’s executed, the system folders look like this:


System Folder snapshot

  • Autorun Entry

The registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” is updated with a new value named “DECRYPTINFO”. Its value data is “C:\Users\<Username>\AppData\Roaming\HELP.txt”.

Effect: The ransom note is displayed on desktop everytime you login windows.

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider

Possessions when it executes

Imported System Libraries and functions












Command line Execution

The following shell commands deletes shadowcopy and disables system recovery feature.

C:\Windows\System32\cmd.exe /c vsadmin.exe Delete Shadow /All /Quiet

C:\Windows\System32\cmd.exe /c bcedit.exe /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe /c bcedit.exe /set {default} bootstatuspolicy ignoreallfailures

Is recovery possible?

Yes. Many online vendors are doing it for you though you can do it as well by following the simple steps as given in following link:

Note: Start reading after “If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.”


And our dude:

Dude's Tweet

Related Posts

Leave a Reply

Your email address will not be published.