NetFort Tips & Tricks - How to detect the presence of Gryphon Ransomware on your network

A new BTCWare variant called Gryphon Ransomware has wreaked havoc on computer networks with large volumes of data being locked out.

https://www.bleepingcomputer.com/news/security/btcware-variant-called-gryphon-ransomware-adds-crypton-extension/

In this tip e-mail, we are going to take a look at how to detect Gryphon Ransomware that has started to appear on networks since the end of July 2017.

1. Watch out for any inbound RDP connections to your network
Select All Reports \ Bandwidth \ More \ Top Clients
Source IP Subnet: use your internal address ranges, negated, e.g. !10.0.0.0/8,192.168.0.0/16
Protocol: RDP

The report will show any external client trying to access a server inside the network over Remote Desktop Protocol.

2. Watch out for any .Crypton extensions on network shares

Select All Reports \ Windows File Shares \ Search by File Folder Name
File Folder Name: Crypton

The report will show any file server using the .Crypton file extension associated with Gryphon Ransomware.

3. Watch out for any file server using the file name HELP.txt

Select All Reports \ Windows File Shares \ Search by File Folder Name
File Folder Name: HELP.txt

The report will show any file server using the file name HELP.txt associated with Gryphon Ransomware.

As always, we recommend watching out for any sudden increase in file renames. When ransomware strikes, you will see renames at the top of the list. We recommend that you constantly monitor the rate of file renames on all of your network shares.

If you have any questions about detecting Gryphon Ransomware, or indeed any other aspect of Ransomware analysis with LANGuardian, please contact us at any time.
Aisling Brennan, Official Rep

Posted 1 year ago
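The three report checks above, plus the rename-rate rule, written out as a small Python script run over constructed sample records. This is an added example, not code from the original post or from NetFort/LANGuardian (whose reports are built in the product UI, not from these records). The record fields (src/dst/dport for flows; ts/client/server/action/path for share events), the inclusion of 172.16.0.0/12 alongside the two ranges in the post's filter, and the rename threshold of 20 per 60 seconds are assumptions for illustration; the threshold in particular should be baselined against normal activity on your own shares.

```python
import ipaddress
import ntpath
from collections import defaultdict

# Internal ranges: the ranges negated in the post's Source IP Subnet filter,
# plus 172.16.0.0/12 (assumption: adjust to your own addressing plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389
GRYPHON_EXTENSION = ".crypton"   # extension the post associates with Gryphon
GRYPHON_NOTE = "help.txt"         # ransom note file name from the post


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inbound_rdp(flows):
    """Step 1: flows from an external source to an internal host on TCP 3389."""
    return [f for f in flows
            if f["dport"] == RDP_PORT
            and not is_internal(f["src"]) and is_internal(f["dst"])]


def gryphon_file_indicators(events):
    """Steps 2 and 3: share activity touching *.crypton files or HELP.txt.
    Matching is case-insensitive on the file name only (ntpath handles UNC paths)."""
    hits = []
    for e in events:
        name = ntpath.basename(e["path"]).lower()
        if name.endswith(GRYPHON_EXTENSION):
            hits.append((e["server"], e["path"], "crypton extension"))
        elif name == GRYPHON_NOTE:
            hits.append((e["server"], e["path"], "ransom note"))
    return hits


def rename_bursts(events, window=60, threshold=20):
    """Rename-rate check: for each (client, server) pair, the peak number of
    renames seen in any sliding window of `window` seconds; pairs whose peak
    exceeds `threshold` are reported. Both numbers are assumptions."""
    renames = defaultdict(list)
    for e in events:
        if e["action"] == "rename":
            renames[(e["client"], e["server"])].append(e["ts"])
    alerts = []
    for (client, server), times in renames.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            alerts.append((client, server, peak))
    return alerts


# Constructed sample data (not real captures).
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "192.168.1.10", "dport": 3389},  # internal admin, expected
    {"src": "203.0.113.45", "dst": "192.168.1.10", "dport": 3389},  # external source: inbound RDP
    {"src": "198.51.100.7", "dst": "192.168.1.10", "dport": 443},   # external, but not RDP
]


def _build_sample_events():
    events = [
        {"ts": 0, "client": "192.168.1.20", "server": "192.168.1.10",
         "action": "rename", "path": r"\\fs01\finance\q2-draft.xlsx"},
        {"ts": 30, "client": "192.168.1.20", "server": "192.168.1.10",
         "action": "read", "path": r"\\fs01\finance\q2.xlsx"},
    ]
    # Infected client: 30 renames to the Gryphon extension within 45 seconds,
    # then the ransom note written to the share.
    for i in range(30):
        events.append({"ts": 100 + i * 1.5, "client": "192.168.1.77",
                       "server": "192.168.1.10", "action": "rename",
                       "path": r"\\fs01\finance\doc%02d.docx.crypton" % i})
    events.append({"ts": 150, "client": "192.168.1.77", "server": "192.168.1.10",
                   "action": "write", "path": r"\\fs01\finance\HELP.txt"})
    return events


SAMPLE_EVENTS = _build_sample_events()


def report(flows=SAMPLE_FLOWS, events=SAMPLE_EVENTS):
    """Run all checks and return the findings keyed by check name."""
    return {
        "inbound_rdp": inbound_rdp(flows),
        "file_indicators": gryphon_file_indicators(events),
        "rename_bursts": rename_bursts(events),
    }


if __name__ == "__main__":
    for check, findings in report().items():
        print(check, len(findings))
        for f in findings:
            print("   ", f)
```

The rename-rate check is the one that fires without any knowledge of the extension or note name, which is why the post recommends monitoring it continuously: a new variant changes its extension long before it changes the burst of renames it produces.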
Logo Experts

It is very important to keep an eye on all negative activity around us in order to reduce crime rates. To help reduce this sort of ransomware, we should not send our credentials blindly to everyone unless and until we have made completely sure from our end. This is the only best possible solution to reduce it ourselves.