A new variant of the Gryphon Ransomware has been discovered by ID-Ransomware's Michael Gillespie that appends the %s.[gladius_rectus@aol.com   ].crypton extension to encrypted files. First discovered at the end of July 2017, Gryphon Ransomware is actually a variant of the BTCWare ransomware.

The BTCWare family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop services. Once they are able to gain access to a computer, they will install the ransomware and encrypt the victim's files.

Unfortunately, at this time there is no way to decrypt files encrypted by the Gryphon Ransomware for free. If you wish to discuss this ransomware or receive any support, you can use our dedicated Btcware Ransomware Support Topic. In the past, the developers have released the decryption keys for variants that were no longer in distribution. It appears they have decided to no longer offer this to their victims. We hope they change their mind.

What's New in the Gryphon Ransomware BTCWare Variant

While the encryption method itself is unchanged in this variant, there are some differences. First and foremost, there is a new ransom note with the file name HELP.txt. This ransom note contains instructions to contact either gladius_rectus@aol.com or gladius_rectus@india.com for payment information, as shown below.

Gryphon Ransomware Ransom Note

The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it keeps the original filename and appends the .[gladius_rectus@aol.com   ].crypton extension to it. For example, a file called test.jpg would be encrypted and renamed to test.jpg.[gladius_rectus@aol.com   ].crypton.

You can see an example of an encrypted folder below.

Folder of Encrypted Crypton Files
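The renaming scheme above is easy to turn into a triage check for responders sorting through an affected share. The following Python is an added example written for this article, not code from the article or from the ransomware: it flags files carrying the exact extension quoted above (including the three spaces inside the brackets), recovers the pre-encryption filename by stripping the appended tag, and spots the HELP.txt ransom note. It goes slightly beyond the text by also accepting any other bracketed e-mail address before .crypton, which is the BTCWare family's general naming pattern; the directory listing and the someone@example.com address in it are constructed sample data.

```python
"""Triage helper for the Gryphon (BTCWare) file-renaming scheme: flag encrypted
files by their appended extension, recover the original filename, and find the
ransom note. Standard library only; the sample listing is constructed."""
import re
from typing import Dict, Iterable, List, Optional

# Exact extension quoted in the article, including the three spaces before "]".
GRYPHON_EXTENSION = ".[gladius_rectus@aol.com   ].crypton"

# Generalisation (assumption, not from the article): any BTCWare-style
# ".[<e-mail>]" tag followed by ".crypton" at the end of the name.
_BRACKETED_EMAIL_CRYPTON = re.compile(r"\.\[[^\[\]]*@[^\[\]]*\]\.crypton$")

# Ransom note names mentioned in the article (HELP.txt / Help.txt); matched case-insensitively.
RANSOM_NOTE_NAMES = {"help.txt"}


def has_gryphon_extension(filename: str) -> bool:
    """True only for the exact extension of this gladius_rectus variant."""
    return filename.endswith(GRYPHON_EXTENSION)


def is_crypton_tagged(filename: str) -> bool:
    """True for any ".[<e-mail>].crypton" tag (family-wide pattern)."""
    return _BRACKETED_EMAIL_CRYPTON.search(filename) is not None


def original_filename(filename: str) -> Optional[str]:
    """Strip the appended tag to recover the pre-encryption name; None if untagged."""
    match = _BRACKETED_EMAIL_CRYPTON.search(filename)
    if match is None:
        return None
    return filename[:match.start()] or None


def is_ransom_note(filename: str) -> bool:
    return filename.lower() in RANSOM_NOTE_NAMES


def triage(filenames: Iterable[str]) -> Dict[str, object]:
    """Summarise a directory listing into notes, encrypted files and untouched files."""
    encrypted: Dict[str, Optional[str]] = {}
    notes: List[str] = []
    untouched: List[str] = []
    for name in filenames:
        if is_ransom_note(name):
            notes.append(name)
        elif is_crypton_tagged(name):
            # Map encrypted name -> recovered original name for the restore inventory.
            encrypted[name] = original_filename(name)
        else:
            untouched.append(name)
    return {"ransom_notes": notes, "encrypted": encrypted, "untouched": untouched}


# Constructed sample listing (not taken from the article or a real victim).
SAMPLE_LISTING = [
    "test.jpg.[gladius_rectus@aol.com   ].crypton",
    "Budget 2017.xlsx.[gladius_rectus@aol.com   ].crypton",
    "report.docx.[someone@example.com].crypton",  # other e-mail: family pattern, not this variant
    "HELP.txt",
    "notes.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for enc, orig in report["encrypted"].items():
        variant = "gladius_rectus" if has_gryphon_extension(enc) else "other BTCWare tag"
        print(f"{enc!r} -> {orig!r} ({variant})")
    print("ransom notes:", report["ransom_notes"])
    print("untouched:", report["untouched"])
```

Because the extension contains spaces, the exact-match check is deliberately a plain string comparison rather than a regex; the regex is only used for the family-wide pattern and for locating where the original name ends.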

This variant also bundles a different RSA public key, which is used to encrypt the victim's AES encryption key. That public key is:

-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHa80rcXngiQzlP5sLk4/wHxY9IJO89+x+KOEgV0Dd+a9CHgMelns8J4Z+PPimqmO/KTW3B7w9W26qLo31ALImmd0wc3Qoa1wYXM9n5OtP1Q9qQq1lbGk5wGFwk0l8Rg0fVrujX0amROunVd7WUKN+k1gm0IftgnYBlFWY+wnPpNAgMBAAE=
-----END PUBLIC KEY-----
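The PEM block above is a standard SubjectPublicKeyInfo structure, so its parameters can be inspected without any third-party library. The following Python is an added example written for this article, not code from the article or from the ransomware: it decodes the PEM, walks the DER tag-length-value encoding, checks that the algorithm identifier is rsaEncryption (OID 1.2.840.113549.1.1.1), and reports the modulus size and public exponent. For the key quoted above (the same key listed again under "Bundled Public RSA-1024 Keys" below) it reports a 1023-bit modulus, since the leading modulus byte is 0x76, with e = 65537. It also computes a SHA-256 fingerprint of the DER bytes, which gives responders a stable value for matching other samples that embed the same operator key.

```python
"""Inspect the RSA public key bundled with the Gryphon variant: PEM -> DER,
minimal DER walk, algorithm OID check, modulus bit length, exponent and a
SHA-256 fingerprint of the SubjectPublicKeyInfo. Standard library only."""
import base64
import hashlib
from typing import Dict, Tuple

# Public key quoted in the article for the gladius_rectus variant.
GRYPHON_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHa80rcXngiQzlP5sLk4/wHxY9IJO89+x+KOEgV0Dd+a9CHgMelns8J4Z+PPimqmO/KTW3B7w9W26qLo31ALImmd0wc3Qoa1wYXM9n5OtP1Q9qQq1lbGk5wGFwk0l8Rg0fVrujX0amROunVd7WUKN+k1gm0IftgnYBlFWY+wnPpNAgMBAAE=
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

# DER universal tags used in a SubjectPublicKeyInfo.
TAG_INTEGER, TAG_BIT_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def pem_to_der(pem: str) -> bytes:
    """Drop the armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value triple at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        num_len_bytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + num_len_bytes], "big")
        pos += num_len_bytes
    return tag, data[pos:pos + length], pos + length


def expect(tag: int, wanted: int, what: str) -> None:
    if tag != wanted:
        raise ValueError(f"{what}: expected tag 0x{wanted:02x}, got 0x{tag:02x}")


def decode_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_rsa_spki(der: bytes) -> Dict[str, object]:
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    tag, spki, _ = read_tlv(der, 0)
    expect(tag, TAG_SEQUENCE, "SubjectPublicKeyInfo")
    tag, alg_id, pos = read_tlv(spki, 0)
    expect(tag, TAG_SEQUENCE, "AlgorithmIdentifier")
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    expect(tag, TAG_OID, "algorithm OID")
    oid = decode_oid(oid_raw)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"not an rsaEncryption key: {oid}")
    tag, bitstr, _ = read_tlv(spki, pos)
    expect(tag, TAG_BIT_STRING, "subjectPublicKey")
    if bitstr[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    tag, rsa_key, _ = read_tlv(bitstr, 1)  # skip the unused-bits byte
    expect(tag, TAG_SEQUENCE, "RSAPublicKey")
    tag, n_raw, pos = read_tlv(rsa_key, 0)
    expect(tag, TAG_INTEGER, "modulus")
    tag, e_raw, _ = read_tlv(rsa_key, pos)
    expect(tag, TAG_INTEGER, "publicExponent")
    n = int.from_bytes(n_raw, "big")
    e = int.from_bytes(e_raw, "big")
    return {
        "algorithm_oid": oid,
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "spki_sha256": hashlib.sha256(der).hexdigest(),  # fingerprint for matching samples
    }


def describe_public_key_pem(pem: str) -> Dict[str, object]:
    return parse_rsa_spki(pem_to_der(pem))


if __name__ == "__main__":
    for key, value in describe_public_key_pem(GRYPHON_PUBLIC_KEY_PEM).items():
        print(f"{key}: {value}")
```

Nothing here helps recover files: a 1023-bit RSA modulus is far beyond practical factoring, which is exactly why there is no free decryptor. The value of the parse is in the fingerprint and parameters, which let analysts tie new samples to this operator's key and spot a changed key when a new variant appears.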

If any new information or methods to decrypt the files becomes available, we will be sure to update this article.

IOCs

File Hashes:

SHA256: fdb0a71b9835e4bee273bc8e572ed93426a8100b32e63bd57d1bb4337499808f

Filenames associated with the Gryphon Ransomware Variant:

Help.txt

Gryphon Ransomware Ransom Note Text:

============================== GRYPHON RANSOMWARE ==============================

Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - "GRYPHON DECRYPTER"
Using another tools could corrupt your files, in case of using third party 
software we dont give guarantees that full recovery is possible so use it on 
your own risk.

If you want to restore files, write us to the e-mail: gladius_rectus@aol.com   
In subject line write "encryption" and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)

It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.

Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: gladius_rectus@india.com 

Your personal identification number:

[base64_encoded_id]
============================== GRYPHON RANSOMWARE ==============================

Emails Associated with the Gryphon Ransomware:

gladius_rectus@aol.com   
gladius_rectus@india.com 

Bundled Public RSA-1024 Keys:

-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHa80rcXngiQzlP5sLk4/wHxY9IJO89+x+KOEgV0Dd+a9CHgMelns8J4Z+PPimqmO/KTW3B7w9W26qLo31ALImmd0wc3Qoa1wYXM9n5OtP1Q9qQq1lbGk5wGFwk0l8Rg0fVrujX0amROunVd7WUKN+k1gm0IftgnYBlFWY+wnPpNAgMBAAE=
-----END PUBLIC KEY-----