What does it do?
Encrypts files, like any other ransomware.
To know more about ransomware, please refer:
Ransomware – A Simple ‘Pay or Loose Everything’ Game
What else?
Renames the selected files and changes their extension to .[[email protected]].gryphon
Copies a ransom note into each directory in which it encrypts files, and creates an autorun entry so the note is shown every time the user logs in.
Deletes volume shadow copies (a common ransomware step to block recovery).
—————————— Let’s do some more digging ——————————
Artifacts created when execution begins
- Ransom Note
The original ransom note is written to
C:\Users\<UserName>\AppData\Roaming\HELP.txt
and then copied into each directory in which files are encrypted.
The ransom note looks like this:
and once it’s executed, the system folders look like this:
- Autorun Entry
The registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” gets a new value named “DECRYPTINFO” whose data is “C:\Users\<Username>\AppData\Roaming\HELP.txt”.
Effect: the value points at a .txt file rather than an executable, so Windows opens the ransom note with the default text-file handler every time the user logs in to Windows.
- Cryptographic Provider Key
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
This is the CSP entry that CryptAcquireContextA resolves, which matches the CryptoAPI imports listed below.
What it uses when it executes
Imported system libraries and functions
ADVAPI32.dll
CryptAcquireContextA
CryptCreateHash
CryptDeriveKey
CryptDestroyHash
CryptEncrypt
CryptHashData
crypt32.dll
CryptStringToBinary
CryptDecodeObject
CryptImportPublicKeyInfo
Taken together these imports are consistent with a plain CryptoAPI design: a base64-encoded public key embedded in the binary (CryptStringToBinary, CryptDecodeObject, CryptImportPublicKeyInfo), a symmetric file key derived from hashed material (CryptCreateHash, CryptHashData, CryptDeriveKey), and file contents encrypted with CryptEncrypt. This is an inference from the import table, not something the sandbox run proves.
Command line Execution
The following shell commands delete the volume shadow copies and disable the Windows recovery environment, so Previous Versions and System Restore cannot be used to get the files back.
C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
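The autorun entry and the three commands above are the behaviours a defender would hunt for in endpoint telemetry. The following Python is an added example, not code from the original post: it runs simple indicator logic over constructed Sysmon-style process-creation, registry-set and file-rename records (the dict field names are an assumption, not a real schema) and includes two benign look-alikes to show what should not fire.

```python
import re

# Added example, not code from the original write-up. The event dicts below
# are constructed to resemble Sysmon-style process-creation, registry-set and
# file-rename records; the field names are an assumption, not a real schema.

# Indicators taken from the behaviour observed in the sandbox run.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RECOVERY_DISABLE = re.compile(
    r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
    r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GRYPHON_EXT = re.compile(r"\.gryphon$", re.I)


def classify(event):
    """Return the list of Gryphon-style behaviours a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        cmd = event.get("command_line", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if RECOVERY_DISABLE.search(cmd):
            hits.append("recovery_disabled")
    elif kind == "registry_set":
        # A Run value whose data is a plain text file rather than an
        # executable is exactly the DECRYPTINFO -> HELP.txt persistence.
        data = event.get("data", "").strip('"').lower()
        if RUN_KEY.search(event.get("target", "")) and data.endswith(".txt"):
            hits.append("run_key_points_to_text_file")
    elif kind == "file_rename":
        if GRYPHON_EXT.search(event.get("new_name", "")):
            hits.append("gryphon_extension")
    return hits


def hunt(events):
    """Aggregate indicator counts over a stream of events."""
    counts = {}
    for ev in events:
        for tag in classify(ev):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def verdict(counts):
    """vssadmin/bcdedit alone are noisy on admin hosts (medium); the
    persistence value or renamed files are specific to this family (high)."""
    strong = {"run_key_points_to_text_file", "gryphon_extension"}
    weak = {"shadow_copy_deletion", "recovery_disabled"}
    if strong & counts.keys():
        return "high"
    if weak & counts.keys():
        return "medium"
    return "none"


# Constructed sample telemetry: five malicious records, two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "command_line": r"C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create",
     "command_line": r"C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No"},
    {"type": "process_create",
     "command_line": r"C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO",
     "data": r"C:\Users\alice\AppData\Roaming\HELP.txt"},
    # The real new name carries the attacker's e-mail address; placeholder here.
    {"type": "file_rename",
     "old_name": r"C:\Users\alice\Documents\budget.xlsx",
     "new_name": r"C:\Users\alice\Documents\budget.xlsx.[contact].gryphon"},
    # Benign: an admin listing shadows, and a normal Run entry for an updater.
    {"type": "process_create", "command_line": "vssadmin.exe list shadows"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    counts = hunt(SAMPLE_EVENTS)
    print(counts)
    print("verdict:", verdict(counts))
```

The split between weak and strong indicators matters in practice: backup agents and administrators run vssadmin and bcdedit legitimately, so those commands alone should raise a medium-priority alert for triage, while a Run value that launches a .txt file or a rename to .gryphon has no benign explanation.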
Is recovery possible?
Removing the malware is straightforward, and many vendors document the steps; the guide linked below walks through them. Getting the files back is a different question: because the sample deletes the volume shadow copies and disables the recovery environment (see the commands above), System Restore and Previous Versions will usually have nothing to restore from, so the realistic route is restoring from offline backups.
https://www.pcrisk.com/removal-guides/11531-gryphon-ransomware
Note: Start reading after “If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.”
References:
https://malwr.com/analysis/MzJkOGFkZDdiZmJkNDllZDkzMmMyZDE4MGQyNmI3ZjI/
And our dude: