Gryphon Ransomware

What does it do?

Encrypts files like any other ransomware.

To know more about ransomware, please refer:

Ransomware – A Simple ‘Pay or Loose Everything’ Game

What else?

Renames the selected files and updates their extensions to .[[email protected]].gryphon

It also copies a ransom note into each directory in which it encrypts files, and creates an autorun entry so that the note is launched automatically every time the user logs in.

Deletes volume snapshots (often used by ransomware).

Let’s do some more digging

Creations when execution begins

  • Ransom Note

The original ransom note is created in

C:\Users\<UserName>\AppData\Roaming\HELP.txt

which is copied in each directory it encrypts files into.

The ransom note looks like this:

Gryphon ransomware message on screen

and once it’s executed, the system folders look like this:

System folder snapshot

  • Autorun Entry

The registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” is updated with a new value named “DECRYPTINFO”. Its value data is “C:\Users\<Username>\AppData\Roaming\HELP.txt”.

Effect: the ransom note is displayed on the desktop every time you log in to Windows.

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider

Resources it uses when it executes

Imported System Libraries and functions

ADVAPI32.dll

CryptAcquireContextA

CryptCreateHash

CryptDeriveKey

CryptDestroyHash

CryptEncrypt

CryptHashData

crypt32.dll

CryptStringToBinary

CryptDecodeObject

CryptImportPublicKeyInfo

Command line Execution

The following shell commands delete the volume shadow copies and disable the Windows recovery feature.

C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
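The two behaviours above (the DECRYPTINFO Run value pointing at HELP.txt, and the shadow copy / recovery commands) are cheap to detect from process creation logs and a dump of the HKCU Run key. The script below is an added example, not code from the original post; the event lines and Run values are constructed samples modelled on what the post describes, and the set of "document" extensions flagged for a Run value is an assumption that generalises beyond the .txt note seen here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patterns derived from the vssadmin / bcdedit commands quoted above.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows?\b.*/all", re.I)
RECOVERY_OFF = re.compile(
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)

# Assumption: a Run value whose data is a plain document rather than an
# executable is worth flagging; Gryphon's DECRYPTINFO entry points at HELP.txt.
DOCUMENT_EXTENSIONS = (".txt", ".html", ".htm", ".rtf")

def classify_command(cmdline: str) -> Optional[str]:
    """Label a process command line that matches the ransomware's recovery-killing steps."""
    if SHADOW_DELETE.search(cmdline):
        return "shadow-copy-deletion"
    if RECOVERY_OFF.search(cmdline):
        return "recovery-disabled"
    return None

def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return names of HKCU\\...\\Run values whose data is a document under AppData\\Roaming."""
    hits = []
    for name, data in run_values.items():
        path = data.strip().strip('"').lower()
        if "\\appdata\\roaming\\" in path and path.endswith(DOCUMENT_EXTENSIONS):
            hits.append(name)
    return hits

def scan(events: List[str], run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Combine both checks into one list of (evidence, label) findings."""
    findings = [(c, classify_command(c)) for c in events if classify_command(c)]
    findings += [("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + n,
                  "ransom-note-autorun") for n in suspicious_run_entries(run_values)]
    return findings

# Constructed sample data (not real telemetry), modelled on the post's observations.
SAMPLE_PROCESS_EVENTS = [
    r"C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    r"C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No",
    r"C:\Windows\System32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "DECRYPTINFO": r"C:\Users\alice\AppData\Roaming\HELP.txt",
}

if __name__ == "__main__":
    for evidence, label in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_RUN_KEY):
        print(f"[{label}] {evidence}")
```

On a live host the Run values would come from `winreg` or a Sysmon event 13 feed and the command lines from Sysmon event 1 or Security event 4688 with command-line auditing enabled.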

Is recovery possible?

Yes. Many online vendors will do it for you, though you can do it yourself by following the simple steps given at the following link:

https://www.pcrisk.com/removal-guides/11531-gryphon-ransomware

Note: Start reading after “If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.”

References:

https://www.hybrid-analysis.com/sample/933af0c69e1e622e5677e52c24545761c2843b3f52ea38e63bbe4786bfd6276e?environmentId=100

https://www.hybrid-analysis.com/sample/5c87f436bc60196fe3e4160ba2083bde10de5a37ea0d5bcdccf6088eaa517cfe?environmentId=100

https://malwr.com/analysis/MzJkOGFkZDdiZmJkNDllZDkzMmMyZDE4MGQyNmI3ZjI/

https://www.virustotal.com/en/file/5c87f436bc60196fe3e4160ba2083bde10de5a37ea0d5bcdccf6088eaa517cfe/analysis/
