Russian Dark Web Forum Selling GIBON Ransomware

Published on:
man working on the tablet of the future, select on the virtual display: RANSOMWARE
GIBON Ransomware is supposedly now being sold on the dark web and for only $500 (£380), according to a criminal forum advertisement.

GIBON, a newly discovered ransomware variant, is supposedly up for grabs on the dark web for an approximate $500 (£380).

According to a Russian advertisement, cybercriminals have allegedly been selling the GIBON ransomware since May.

In the recent past, ransomware has become a household name and it appears there is no going back.

Although cybercriminals have been making use of ransomware for some time now, it was not until earlier this year with the worldwide WannaCry attack that awareness about it spread across the globe.

Although it has been out in the market for some time now, researchers have reported a substantive decline in sale activities on the dark web since reports surfaced, which perhaps indicates that this ransomware may not have been sold to numerous individuals.

Some reports infer that the GIBON ransomware may have ties to the Russian nation.

Your TOR usage is being watched

The link to Russia originated from the ransomware’s logo, which is supposedly centered on a logo design as seen on one particular Russian television company.

Additionally, there is more reason to believe that GIBON ransomware is Russian since the instructions relayed to potential buyers on how to make payments surprisingly also included directives to get in touch with a Russian ( email addresses.

Moreover, the advertisement for GIBON ransomware is even available in Russian among other translated copies.

This is adequate evidence to relate the ransomware to Russian origins.

GIBON is a discovery by Matthew Mesa, a ProofPoint researcher who stated that the ransomware was distributed through email spam alongside a malicious document attachment which contains macros utilized in delivering the payload.

Reports confirm that, as aforementioned, the GIBON ransomware has been on the market since May of 2017.

The advertisement for this ransomware can make use of recursive encryption, in which encrypted keys are sent to typical admin panes, leaving README.txt files to the following users in messages and also establishing encryption and decryption keys.

Once infected, the GIBON ransomware appends the particular extension down to the subsequent encrypted file’s name.

Open lock on world wide network. Illustration of malware.
GIBON, a newly discovered ransomware variant, is supposedly up for grabs on the dark web for an approximate $500 (£380).

This malware’s Control and Command server supplies the ransom note, which is contrary to usual practices where it is hardcoded in the executable to enable the developer to consequently update it on the fly, devoid of having to assemble a new executable, according to researchers.

The malware’s C2 server registers the victims as a standard base64 encoded string.

Immediately after a victim has been registered, this malware encrypts their device and targets every file on it—regardless of their particular extensions so long as it is not in the folder containing the Windows.

Although the supposed price tag is around $500, it is not yet clear how much money the cybercriminals are demanding although according to researchers, the attackers left instructions to contact two particular emails addresses to get an outline of the payment instructions.

The encryption is undertaken using a 2048-bit key, leaving it virtually impossible to decrypt files using standard means.

The advertisement said that on completion, the victim would receive a report that indicates the number of files and which precise disk they are encrypted.

It further went on to state that the program only operates with data that the user has appropriate rights to and does not subsequently increase privileges in the user’s system.

Although standard methods may not have the capacity to enable decryption, researchers have already identified a method of decoding and freeing up the affected devices.

Michael Gillespie, a co-creator of ID Ransomware, developed an exclusive decryptor for any system that has been infected with the program.

Gillespie made the decryptor available for download at Bleeping Computer.

For prevention purposes, however, researchers recommend some precautions which users can take to avoid a ransomware attack in the future.

Key among them is that users need to have both a tested and dependable backup for all their data which is recoverable in case they are victims of a ransomware attack.

What’s more, users are advised to treat attachments and emails, especially from unfamiliar sources, with utmost suspicion since most ransomware attacks are carried out through infected doc/zip/xls/exe files.

Finally, aside from backing up data and continually testing the backups, users are advised to establish a plan in preparation of an attack and to subsequently consult IT and cybersecurity professionals for precautionary measures and solutions.

Write for us


The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.