Matthew Mesa, a Proofpoint researcher, has discovered the Gibon ransomware being sold on a Darknet marketplace for $500. There are quite a number of forums on the Darknet where different goods and services are advertised and discussed. Matthew Mesa, in the course of his research, came across a Russian forum where the Gibon ransomware was being advertised. The Russian Darknet forum is known for offering different forms of ransomware; a new form of Cerber ransomware was offered there last year.
The Gibon ransomware can infect all data on a machine except files in Windows folders. Though it was only recently discovered on the Darknet, investigation shows that this dangerous ransomware has been on the Darknet since May 2017.
Once Gibon gets into a machine, it encrypts stored data and appends the “.encrypt” extension to each filename. The ransomware contains a base64 encoded string.
The advertisement discovered by Matthew Mesa reads: “After completion, a report is sent to how many files and on which disks are encrypted. The program does not increase privileges in the system, so it only works with files for which the user has the appropriate rights.”
According to another section of the advertisement, the ransomware can also encrypt recursively, leave README.txt files as messages to the users, send encryption keys to an admin panel, and create encryption and decryption keys.
After the ransomware has infected a machine, it continuously notifies victims about the ongoing operation while encryption is in progress. After the encryption is completed, it sends the server a message containing “finish”, a timestamp, the Windows version, and the number of files encrypted.
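A defender-side heuristic built from the artifacts described above (the “.encrypt” extension and the dropped README.txt note), as an added example that is not part of the original article or of Gibon's own code; the three-file threshold and the constructed sample tree are assumptions:

```python
import os
import tempfile
from pathlib import Path

# Artifacts the article attributes to Gibon: renamed files and a dropped note.
ENCRYPTED_EXT = ".encrypt"
RANSOM_NOTE = "README.txt"


def scan_tree(root):
    """Walk root and record, per directory, how many files carry the
    .encrypt extension and whether a README.txt sits beside them."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(f.lower() == RANSOM_NOTE.lower() for f in filenames)
        if encrypted or has_note:
            findings[dirpath] = {"encrypted": len(encrypted), "ransom_note": has_note}
    return findings


def classify(findings, min_encrypted=3):
    """Flag directories that look like a completed encryption run: several
    renamed files plus the ransom note. The threshold is an assumption."""
    return sorted(d for d, info in findings.items()
                  if info["encrypted"] >= min_encrypted and info["ransom_note"])


def build_sample_tree(base):
    """Constructed sample layout (not real infection data): a user folder hit
    by the ransomware and a Windows folder the article says is skipped."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("budget.xlsx", "notes.docx", "photo.jpg"):
        (docs / (name + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed note: contact the developer email\n")
    win = Path(base) / "Windows"
    win.mkdir(exist_ok=True)
    (win / "system.ini").write_text("[constructed]\n")
    return str(Path(base))


def demo():
    """Build the sample tree in a temp dir and return flagged directories
    relative to the root (expected: ['Documents'])."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [os.path.relpath(h, root) for h in classify(scan_tree(root))]


if __name__ == "__main__":
    print("suspected encryption run in:", demo())
```

Point `scan_tree` at a real mount point and the same two indicators surface directories where the rename-plus-note pattern has already completed.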
Gibon drops a text file that gives the victim a single option: contacting the Gibon developer's email address. It is clear that victims will be pressed to pay a certain amount before their data is recovered. Whether the hackers will actually keep their promise to release the data held to ransom, nobody knows. Statistics show that 40% of consumers pay ransomware fees.
There have been reports of hackers refusing to release hijacked data even after the ransom has been paid. Experts advise victims to ignore the hackers rather than waste effort and money trying to get their data restored, which normally does not happen.
Dave Packer, vice president of corporate and product marketing at Druva, advised against paying ransoms to these hackers: “Normally we recommend not paying when hit with a ransomware attack as this only feeds the flames for cybercriminals to continue the practice. Your payment becomes an incentive for them to continue working on more advanced attacks. Additionally, paying doesn’t necessarily mean you’re going to get your data back.”
The maker of the Gibon ransomware has claimed that it is impossible to decrypt a file once it has been encrypted. This is seen as false, since a decryptor has been released.
Ransomware Sales Become Big-Time Business on the Darknet
Researchers at Carbon Black recently reported that ransomware sales across the various Darknet forums have grown massively, reaching $6,237,248.90 since 2016. It was estimated that total ransomware sales skyrocketed from $250,000 to over $6M in just a year.
Prices on the Dark Web range from $1 to $3,000 depending on how customized the ransomware is. The report also found that some ransomware sellers are making over $100,000 a year on the Darknet.
This may partly explain the recent wave of cyber attacks, which spared neither countries nor individuals.
Some ransomware that can sell for as much as $400 is also being offered cheaply for just $1. Rick McElroy, security strategist at Carbon Black, said that “They are pulling in these salaries by selling one of the several components of the ransomware supply chain or by selling complete, do-it-yourself, ransomware kits.”
He added: “The overall ransomware economy is expanding into goods and services, much like the regular markets we participate in during our daily lives.”
The same motives that drive vendors and hackers to sell other ransomware also explain the sale of the Gibon ransomware.