How GIBON Ransomware Created a Benchmark for Response Time

By on Nov 10, 2017

We all remember WannaCry and Petya. How could you forget them? Their rampant spread and malicious maneuvers are burned into memory. But there was one upside to the nasty ransomware campaigns – we learned from them. We adapted and we got agile. So when GIBON ransomware came into town, we were ready to rumble.

Meet GIBON: a new ransomware strain currently for sale on dark web forums for $500 USD. (It gets its name due to a user string of “GIBON” when the malware connects to its command-and-control (C&C) server, as well as the ransomware’s administration panel where it calls itself “Encryption Machine GIBON.”)

It makes its way from forums to victims’ devices through phishing emails containing macros that download and execute the malware payload on a victim’s PC. Then, GIBON connects to the C&C server, passing along a base64 encoded string with a timestamp and registers the string in order to record the new victim. Following that, it generates an encryption key, and begins locking up any file it can find on a device only to return them for, of course, a fee paid in cryptocurrency. Once every file is encrypted, the strain reports back to the boss, letting the C&C server know it’s finished so it can timestamp the event and a record of the number of files encrypted. Simple enough.

GIBON, like many ransomware strains, proves that these attacks don’t have to be very complicated in order to be effective. However, that effectiveness has dwindled in recent attack campaigns. In fact, a decryptor is already available for GIBON — which represents a benchmark for our response time to these attacks.

Christiaan Beek, lead scientist and principal engineer at McAfee, says response time is only improving. “The cybersecurity world is indeed responding faster than before, especially after WannaCry, which was another wake-up call… The moment researchers see that a decryptor is available, we go on and continue to hunt down the next one or learn from the previous ones and start innovating or fine-tuning our products.” Beek continues, “Ransomware has sparked and forced the infosec industry to think and innovate about solutions more than other malware-related threats.”

Basically, the industry now more than ever is expediting how cybersecurity professionals adapt to threats and how quickly they apply learnings to the next go around. White hats are becoming faster in the race against cybercrime, and increasing their chances of eventually getting ahead of these threats.

That’s exactly why we created McAfee Ransomware Recover (Mr 2), a new ransomware decryption framework, which will allow for the rapid incorporation of decryption keys and custom decryption logic (when they become available) and gets help to victims of ransomware a lot quicker. That way, we can continue to combat these threats quickly and effectively, and put ourselves in the best position possible to win the fight against cybercrime.

To learn more about GIBON ransomware, and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

About the Author

Christiaan Beek

Christiaan Beek is the Lead Scientist & Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and ...

Read more posts from Christiaan Beek

Subscribe to McAfee Securing Tomorrow Blogs