Gryphon File Virus (+Restore Files)

How to Remove Gryphon Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

    GRYPHON RANSOMWARE
    Your documents, photos, databases and other important files have been encrypted
    cryptographically strong, without the original key recovery is impossible!
    To decrypt your files you need to buy the special software – “GRYPHON DECRYPTER”
    Using another tools could corrupt your files, in case of using third party
    software we dont give guarantees that full recovery is possible so use it on
    your own risk.

    If you want to restore files, write us to the e-mail: decr@cock.li
    In subject line write “encryption” and attach your ID in body of your message
    also attach to email 3 crypted files. (files have to be less than 2 MB)

    It is in your interest to respond as soon as possible to ensure the restoration
    of your files, because we wont keep your decryption keys at our server more than
    one week in interest of our security.

    Only in case you do not receive a response from the first email address
    withit 48 hours, please use this alternative email adress: decrsup@cock.ll

    Your personal identification number:

Gryphon is the name of a newly-discovered cyber threat. It belongs to the worst category of all. Ransomware. These tools have certainly earned their reputation. Their notoriety is due to the fact, they target your data. Everything you keep on your computer, becomes a victim of the infection. After it slithers its way inside, it takes over. The program spreads its clutches, and seizes control. Every single file, you have, you lose. Well, not technically. Rather, you lose your hold over your own data. The ransomware appends a special extension on each file. Thus, solidifying its keep. Once the extension is in place, you can no longer open anything. Moving or renaming them does nothing. They’re not captives of a dangerous cyber plague, who seeks to extort you for money. So, your data is still where you left it. Only, it’s no good to you anymore. After Gryphon locks everything, it leaves you a ransom note. It contains an explanation on your situation. And, instructions on what, it expects you to do. It demands you reach out to them. And, of course, to pay them. If you transfer a certain amount in Bitcoin, they will send you a key. It’s a special decryption key that, supposedly, unlocks your data. And, ‘supposedly’ is the key word here. You have zero guarantees of success. If anything, the odds are against you from the start. You may not like experts’ advice, but you best heed it. Discard your data. Pay these people nothing. Forsake your files, and move on. It’s a harsh choice to make. But it’s the right one.

How did I get infected with?

Ransomware tools are masterful at invading your system. The Gryphon program is no different. The most common means of infiltration include the usual antics. It appends itself in spam emails. And, if you’re foolish enough to open one. And, then, download its attachment, you’re in for an unpleasant surprise. It can also lurk behind corrupted links or sites. So, click on the wrong thing, and it’s the Gryphon extension on all your files. The ransomware can use freeeware as its carriers, as well. That’s why you mustn’t rush through their installment processes. Take the time to read the terms and conditions. Know what you get asked to agree to before you agree to it. Spare yourself the shock to discover your data locked. And, because you were careless enough, to allow a ransomware into your PC. Do yourself a favor, and always do your due diligence. Don’t rush. Don’t give into gullibility. Don’t discard the importance of vigilance. Even a little extra attention today can save you a ton of troubles tomorrow.

Why is Gryphon dangerous?

As stated, experts urge users against payment, when stuck with ransomware. Here’s why. Think about your predicament. Your computer harbors an infection that locked your files with a ‘.gryphon’ extension. It, then, demands you pay a ransom, if you wish to unlock them. And, all you have to hang on is their word. The cyber kidnappers promise to end you the decryption key you need. But only after they receive your payment. And, that’s suspicious, to say the least. Can you trust extortionist cyber criminals to keep their word? It’s a hundred times more likely, they’ll break their promises. Let’s examine your options, shall we? Say, you transfer the amount, they requested. Then, you wait for the key. But what if it doesn’t arrive? They can choose not to send you one. Or, they can send the wrong one. And, applying it does nothing. Even, in the off-chance, they do send you the proper key, what then? You may free your files from the encryption, but that’s all you’ll do. The key does not remove the infection, only its hold over your data. So, the Gryphon program still lurks somewhere on your PC. And, what’s stopping it from striking again? It can act up at any given moment, and send you back to square one. Only that time, you’ll have less money, and no private life. Let’s elaborate. When you pay the ransom, you provide personal and financial details. You leave them for the extortionists to find. And, once they get a hold of your private information, they can use it as they see fit. Don’t allow that scenario to unfold. Choose privacy over pictures. Data is replaceable. Privacy is not.

Gryphon Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Gryphon Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with Gryphon encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate Gryphon encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.