Last week we posted an analysis of the GIBON Rasnsomware that was discovered being spread via malspam campaigns. Today, an anonymous source told BleepingComputer that this ransomware has been marketed on underground criminal forums since as early as May 2017.

According to listings on various criminal sites, a user named AUS_8 has been trying to sell the GIBON ransomware for $500 USD. The advertisements for GIBON are in Russian, but a translated copy copy is below.

--------------------------------------------------
Functions: 
--------------------------------------------------
1) Recursive encryption of all files that are on the computer. 
2) In each folder, the README.txt files are left with the message to the user. 
3) Encryption keys are sent to the admin panel. 
4) Decryptor and encryption key are used for decryption. 
--------------------------------------------------
Comments:
--------------------------------------------------
_ It is impossible to decrypt files by standard means. 
_Each file is overwritten, affects the encryption speed, but the quality of encryption is worth it. 
_ The encryption is done with a 2048 bit key. 
The key is sent to the admin panel at the beginning of the encryption. 
_After completion, a report is sent on how many files on which disks are encrypted. 
The program does not increase privileges in the system, so it only works with files for which the user has the appropriate rights. 
_If file attributes can be changed by the user, the 
program changes the attributes to standard ones to increase the number of encrypted files.
System requirements: at least 4GB of RAM on the machine on which you want to encrypt the files. Otherwise, the 
encryption speed will be extremely low. 

It is always interesting to see a malware developer's advertisement after a sample has been analyzed as you can quickly spot the BS that is being pushed on potential buyers. 

For example, it states that it is impossible to decrypt the files, which has already been proven wrong with this release of the GIBON decryptor. The advert also states that the encryption is done using a 2048 bit key, which is not entirely accurate. The files are actually being encrypted using an addition cipher, with that key being encrypted with a RSA-2048 key.

While we have seen at least one campaign distributing GIBON, for the most part this ransomware does not appear to have been sold to many people considering that we are just seeing it in November; 5 months after it was first advertised.

You can see the full advertisement that was posted to various sites below. 

Fort Sale Page Part 1
For Sale Part 1
Fort Sale Page Part 2
For Sale Part 2
Fort Sale Page Part 3
For Sale Part 3
Fort Sale Page Part 4
For Sale Part 4