If your files does not open normally, their names replaced or [gladius_rectus@aol.com].crypton added at the end of their name then your computer is infected with a new Gryphon ransomware virus from a family of file-encrypting ransomware. Once opened, it have encrypted all documents, photos and music stored on a PC system drives and attached network drives.
The Gryphon is a ransomware virus that made to encrypt all personal files found on infected system using a hybrid AES + RSA encryption mode, appending [gladius_rectus@aol.com].crypton extension to all encrypted personal files. Once the encryption procedure is complete, it will open a ransom demanding message offering decrypt all users photos, documents and music if a payment is made.
The Gryphon ransomware virus encourages to make a payment in Bitcoins to get a special software named “GRYPHON DECRYPTER” to decrypt photos, documents and music. Important to know, currently not possible to decrypt .[gladius_rectus@aol.com].crypton files without the private key or GRYPHON DECRYPTER program. If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all personal files! If you do not want to pay for a decryption key, then you have a chance to recover encrypted photos, documents and music.
Therefore it’s very important to follow the steps below ASAP. The step by step tutorial will help you to remove Gryphon ransomware infection. What is more, the steps below will help you restore encrypted files for free.
What is Gryphon Ransomware
Gryphon is a new variant of BTCWare crypto virus (malicious software which encrypt personal files and demand a ransom). It affects all current versions of Microsoft Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses RSA-2048 key (AES 256-bit encryption method) to eliminate the possibility of brute force a key which will allow to decrypt encrypted photos, documents and music.
When the ransomware virus infects a computer, it uses system directories to store own files. To run automatically whenever you turn on your system, Gryphon ransomware creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware infection scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.rtf, .xy3, .sum, .desc, .xls, .pdd, .ppt, .vpp_pc, .ybk, .cer, .y, .3fr, .xlsx, .srw, .xyw, .iwi, .css, .wbc, .qic, .m2, .bar, .asset, .wri, .erf, .wmo, .gdb, .ztmp, .wdp, .jpeg, .wotreplay, .xyp, .raf, .wps, .wmv, .mlx, .xmind, .wbmp, .dwg, .xbdoc, .mef, .ltx, .epk, .odp, .pem, .odb, .wma, .arw, .zif, .sis, .mpqge, .lbf, .sid, .xlsx, .esm, .kf, .cr2, .7z, .rim, .mdf, .zabw, .svg, .1, .syncdb, .wb2, .wma, .cfr, .accdb, .sql, .wp6, .wpa, .wcf, .dng, .x3f, .wp7, .xlsm, .wpt, .sie, .zdc, .jpg, .avi, .sidd, .m3u, .db0, .xwp, .wp4, .vpk, .xf, .fpk, .icxs, .bc7, .yml, .wbk, .rofl, .xlsm, .t12, .xmmap, .sb, .webp, .vdf, .rb, .apk, .rar, .csv, .xlsb, .rwl, .orf, .zip, .rgss3a, .bkf, .wbd, .wot, .snx, .dazip, .mcmeta, .itl, .ysp, .ai, .xls, .wsh, .mp4, .fos, .wdb, .2bp, .3dm, .bik, .mdbackup, .ncf, .crt, .layout, .kdc, .indd, .tor, .png, .m4a, .bsa, .crw, .js, .r3d, .forge, .raw, .pdf, .nrw, .xld, .slm, .psd, .gho, .p12, .doc, .z, .lrf, .hplg, .cas, .xdb, .wpd, .srf, .xll, .w3x, .wbm, .ff, .der, .dbf, .ws, .cdr, .litemod, .flv, .wm, .wmf, .hkdb, .1st, .ptx, .pptx, .zdb, .bc6, .x, .d3dbsp, .mov, .das, .xpm, .p7c, .wmv, .pst, .pef, .odc, .sidn, .wire, .jpe, .bay, .3ds, .dxg, .zw, .xdl, .wpg, .t13, .mrwref, .xxx, .odt, .menu, .xar, .vfs0, .wmd, .xlk, .big, .webdoc, .pptm, .xlgc, .psk, .arch00, .mdb, .ibank, .p7b, .qdf, .wpd, .wpl, .wpe, .wpb, .dba, .dcr, .map, .wp5, .ntl, .zip, .mddata, .z3d, .re4, wallet, .hkx, .dmp, .fsh, .vtf, .wbz, .py, .yal, .docx, .bkp, .kdb, .wp, .iwd, .rw2, .wgz, .vcf, .blob, .wsc, .pak, .wav, .x3f, .x3d, .txt, .xml, .wn, .zi, .sav, .itdb, .pfx, .wsd, .wpw, .ods, .itm, .lvl, .sr2, .pkpass, .tax, .xbplate, .eps, .xx, .0, .odm, .hvpl, .upk, .wps, .docm
Once a file is encrypted, its extension changed to [gladius_rectus@aol.com].crypton. Next, the ransomware virus creates a file named “HELP.txt”. This file contain guide on how to decrypt all encrypted personal files. An example of the guidance is:
============================== GRYPHON RANSOMWARE ==============================
Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – “GRYPHON DECRYPTER”
Using another tools could corrupt your files, in case of using third party
software we dont give guarantees that full recovery is possible so use it on
your own risk.If you want to restore files, write us to the e-mail: gladius_rectus@aol.com
In subject line write “encryption” and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: gladius_rectus@india.comYour personal identification number:
============================== GRYPHON RANSOMWARE ==============================
The Gryphon ransomware virus actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It is trying to force the user of the infected computer, do not hesitate to pay a ransom, in an attempt to recover their photos, documents and music.
How to decrypt .[gladius_rectus@aol.com].crypton files
Currently there is no available way to decrypt .crypton files, but you have a chance to recover encrypted personal files for free. The ransomware repeatedly tells the victim that uses very strong hybrid encryption with a large key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the makers of the Gryphon ransomware infection entire amount requested – the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the authors of the Gryphon ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
How to remove Gryphon ransomware virus
We can assist you remove Gryphon ransomware virus, without the need to take your PC system to a professional. Simply follow the removal tutorial below if you currently have the ransomware on your system and want to remove it. If you have any difficulty while trying to delete the ransomware virus, feel free to ask for our assist in the comment section below. Some of the steps will require you to reboot your PC or exit the page. So, read this tutorial carefully, then bookmark or print it for later reference.
Automatically remove Gryphon ransomware virus with Zemana Anti-malware
We suggest using the Zemana Anti-malware that are completely clean your PC system of the virus. The utility is an advanced malware removal program developed by (c) Zemana lab. It’s able to help you remove potentially unwanted programs, ransomware viruss, adware, malware, toolbars, ransomware and other security threats from your machine for free.
Download Zemana antimalware from the link below and save it to your Desktop.
164113 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once downloading is complete, close all programs and windows on your computer. Double-click the set up file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed in the following example, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana antimalware on your system. Follow the prompts and do not make any changes to default settings.
Once install is done successfully, Zemana anti malware will automatically start and you can see its main screen as displayed in the following example.
Now click the “Scan” button to perform a system scan for the Gryphon ransomware virus and other malicious software. This procedure can take some time, so please be patient.
Once finished, it will show a screen which contains a list of malware that has been found. Make sure all malicious entries are ‘selected’ and press “Next” button. The Zemana anti-malware will start removing Gryphon ransomware and other security threats. Once disinfection is complete, you may be prompted to restart the system.
Get rid of Gryphon ransomware virus with Malwarebytes
We recommend using the Malwarebytes Free which are completely clean your PC system of the virus. The free tool is an advanced malicious software removal program developed by (c) Malwarebytes lab. This application uses the world’s most popular anti malware technology. It’s able to help you remove ransomware infections, PUPs, malicious software, adware, toolbars, ransomware and other security threats from your machine for free.
Download Malwarebytes Free by clicking on the link below. Save it on your Desktop.
326465 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When downloading is finished, close all windows on your computer. Further, run the file named mb3-setup. If the “User Account Control” dialog box pops up as displayed in the figure below, click the “Yes” button.
It will show the “Setup wizard” which will help you install Malwarebytes on the PC system. Follow the prompts and do not make any changes to default settings.
Once setup is finished successfully, click Finish button. Then Malwarebytes will automatically start and you can see its main window as shown on the screen below.
Next, click the “Scan Now” button . This will begin scanning the whole system to find out Gryphon ransomware and other malware. While the utility is scanning, you can see number of objects and files has already scanned.
When the scan is finished, it’ll open a list of all threats detected by this tool. In order to remove all threats, simply press “Quarantine Selected” button.
The Malwarebytes will start removing Gryphon virus and other security threats. Once disinfection is complete, you may be prompted to restart your personal computer. We suggest you look at the following video, which completely explains the procedure of using the Malwarebytes to remove virus, ad supported software and other malware.
Scan and free your personal computer of ransomware virus with KVRT
The KVRT utility is free and easy to use. It may scan and delete ransomware infection like Gryphon, malware, PUPs and ad supported software in Google Chrome, Firefox, Microsoft Internet Explorer and Microsoft Edge browsers and thereby restore their default settings (homepage, new tab page and search provider by default). KVRT is powerful enough to find and get rid of malicious registry entries and files that are hidden on the machine.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan with this tool for the Gryphon virus and other known infections. This procedure can take some time, so please be patient. When a malicious software, ad supported software or PUPs are found, the count of the security threats will change accordingly.
After the checking is finished, it’ll open a list of detected threats as shown on the screen below.
Review the scan results and then click on Continue to begin a cleaning procedure.
Recovering files encrypted with Gryphon virus
In some cases, you can restore files encrypted by Gryphon virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Run ShadowExplorer to restore .[gladius_rectus@aol.com].crypton files
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
Download ShadowExplorer from the following link and save it directly to your MS Windows Desktop. This tool is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
438827 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Run ShadowExplorerPortable. You will see the a window as displayed in the following example.
From the first drop down list you can select a drive that contains encrypted personal files, from the second drop down list you can select the date that you wish to restore from. 1 – drive, 2 – restore point, as displayed on the screen below.
Righ-click entire folder or any one encrypted file and choose Export, as displayed in the following example.
It will display a prompt which asking whether you would like to recover a file or the contents of the folder to.
Recover .[gladius_rectus@aol.com].crypton files with PhotoRec
Before a file is encrypted, the Gryphon virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover applications like PhotoRec.
Download PhotoRec from the link below. Save it on your Windows desktop.
Once the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown below.
Choose a drive to recover as shown in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown below.
Click File Formats button and choose file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as shown on the image below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to prevent your system from becoming infected by Gryphon virus?
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your machine does not have an antivirus application, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your PC system from Gryphon ransomware infection
Download CryptoPrevent on your Windows Desktop by clicking on the link below.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the setup is done, you will be shown a window where you can select a level of protection, as shown on the image below.
Now click the Apply button to activate the protection.
Finish words
Once you have complete the guide shown above, your PC system should be clean from Gryphon ransomware and other malware. Your PC system will no longer encrypt your files. Unfortunately, if the few simple steps does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
HijackThis download
4712 downloads
Version: 2.0.5
Author: OpenSource
Category: Security tools
Update: November 7, 2015
- Double-click on the HijackThis icon. Next press “Do a system scan only” button.
- When it has completed scanning, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Gryphon ransomware virus.