Hackers distribute GIBON ransomware via Malspam!


Mathew Mesa, a senior researcher at Proofpoint, has discovered that attackers are distributing a new ransomware family called GIBON through 'malspam': email messages carrying a malicious attached document whose macros download and install the ransomware on the victim's PC.

NOTE: Spam is unsolicited or irrelevant email sent to a large number of users for purposes such as advertising, phishing, or spreading malware. Malspam (malware spam) is the term for malware delivered through email messages.

Mathew named the newly found ransomware after two characteristics of the malware. First, the name appears in the User-Agent string the malware uses when it communicates with its command and control (C2) server. Second, the same name appears on the ransomware's admin panel.

How does GIBON encrypt data on the computer?

Researchers from Proofpoint say that the ransomware first connects to the malware developers' command and control server and registers the victim by sending a base64 encoded string containing a timestamp, the Windows version, and a register string. The command and control server uses this registration message to identify the new victim.

Once the server has registered the victim, it responds with a base64 encoded string that GIBON uses as the ransom note, and it instructs the infected machine to begin encrypting all the files on the computer.

When encrypting a file, GIBON appends a .encrypt extension to its name. For example, test.jpg becomes test.jpg.encrypt once it has been encrypted.

In each folder it encrypts, GIBON drops a ransom note that explains what has happened to the files and gives an email address to contact for payment instructions.

Once encryption finishes, the ransomware sends the command and control server a final message containing a timestamp, the Windows version, and the number of files it encrypted.
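The C2 check-in and the .encrypt renaming described above give a responder two cheap things to look for: outbound requests whose User-Agent carries the GIBON name with a base64 body, and folders full of files ending in .encrypt. The following Python script is an added example (not Proofpoint's code or the malware's) that scans constructed proxy log lines for such check-ins and counts .encrypt files per folder in a constructed sample directory tree. The pipe-separated log format, the field layout inside the decoded body, the IP addresses and the file names are all assumptions made for illustration; the article specifies only the User-Agent name, the general contents of the check-in, and the .encrypt extension.

```python
"""Triage helpers for GIBON-style ransomware activity (added example, not from the article)."""
import base64
import os
import tempfile
from collections import Counter

# From the article: the malware name appears in the User-Agent and encrypted files get ".encrypt".
GIBON_UA_MARKER = "GIBON"
ENCRYPTED_SUFFIX = ".encrypt"

# Constructed proxy log lines for illustration. Format (assumed):
#   time|src_ip|method|host|user_agent|body
# The decoded body layout "timestamp|Windows version|register" is also an assumption;
# the article only says the check-in carries a timestamp, OS details and a register string.
SAMPLE_PROXY_LOG = [
    "2017-11-03T10:01:02|10.0.0.5|POST|203.0.113.9|GIBON|"
    + base64.b64encode(b"03.11.2017 10:01:00|Windows 7 SP1|register").decode(),
    "2017-11-03T10:01:05|10.0.0.7|GET|www.example.com|Mozilla/5.0|",
    "2017-11-03T10:12:44|10.0.0.5|POST|203.0.113.9|GIBON|"
    + base64.b64encode(b"03.11.2017 10:12:40|Windows 7 SP1|1532 files").decode(),
    # A GIBON User-Agent with a body that is not valid base64: still flagged, body left undecoded.
    "2017-11-03T10:13:00|10.0.0.9|POST|203.0.113.9|GIBON|not-base64!!",
]


def decode_base64_text(body):
    """Strictly decode a base64 body to text; return None if it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def parse_proxy_line(line):
    """Split one assumed pipe-separated proxy record into a dict, or None if malformed."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        return None
    keys = ("time", "src_ip", "method", "host", "user_agent", "body")
    return dict(zip(keys, fields))


def scan_proxy_log(lines):
    """Return one finding per request whose User-Agent contains the GIBON marker."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or GIBON_UA_MARKER.lower() not in rec["user_agent"].lower():
            continue
        hits.append({
            "time": rec["time"],
            "src_ip": rec["src_ip"],
            "host": rec["host"],
            "decoded_body": decode_base64_text(rec["body"]),
        })
    return hits


def count_encrypted_files(root):
    """Walk root; return (Counter of relative folder -> .encrypt file count, total count)."""
    per_folder = Counter()
    for dirpath, _dirs, files in os.walk(root):
        n = sum(1 for name in files if name.endswith(ENCRYPTED_SUFFIX))
        if n:
            per_folder[os.path.relpath(dirpath, root)] = n
    return per_folder, sum(per_folder.values())


def build_sample_tree():
    """Create a constructed directory tree resembling a host after GIBON has run."""
    root = tempfile.mkdtemp(prefix="gibon_sample_")
    layout = {
        "Documents": ["report.docx.encrypt", "notes.txt.encrypt"],
        "Pictures": ["test.jpg.encrypt"],
        "Program Files": ["app.exe"],  # untouched binary, should not be counted
    }
    for folder, names in layout.items():
        folder_path = os.path.join(root, folder)
        os.makedirs(folder_path)
        for name in names:
            with open(os.path.join(folder_path, name), "wb") as fh:
                fh.write(b"\x00" * 16)  # placeholder content, constructed
    return root


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['src_ip']} -> {hit['host']}: {hit['decoded_body']!r}")
    folders, total = count_encrypted_files(build_sample_tree())
    print(f"{total} encrypted files: {dict(folders)}")
```

A User-Agent match on its own is a weak indicator; the decoded check-in body (timestamp, Windows version, register string) and the later "files encrypted" report are what confirm the traffic, so the scanner keeps the decoded text for the analyst rather than making the decision itself.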

The developers of GIBON are currently unknown, but the contact email address uses a .ru domain, which suggests the ransomware's creators may be based in Russia.

More details are awaited!

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
