Gryphon Ransomware is another harmful program that can ruin user's precious photos, pictures, videos, documents, and other files of high value to you in a matter of minutes. The worst part is users may help the threat settle on their system without even realizing it. Thus, anyone could encounter such a malicious program. For this reason, we always advise users to backup data important to them regularly so that in a case of an emergency they would have copies to replace ruined originals. Of course, the cyber criminals behind Gryphon Ransomware may offer their help, but we do not think it wise to put your trust in them. There are cases when users pay what they were asked to and still do not get their data back. If you do not want to become one of them, you should not take any chances. The safer choice would be to ignore the demands and erase the infection. In the rest of the text we will talk more about the malware, and at the end of it, you will find our recommended deletion steps showing how to eliminate it manually.
For now, it is yet unknown what kind of cryptosystem is used by Gryphon Ransomware to lock user’s files, but there is no doubt it is a secure encryption algorithm that cannot be easily decrypted. Our researchers encountered two slightly different samples of the threat. To be more precise, one of it applied .[test].gryphon extension at the end of each locked file's title and the other one added just .gryphon. This allows us to assume there could have been a test version that was later updated and released again. Unfortunately, both of the versions ruined same files on the computer, so both of them are extremely harmful.
What’s more, soon after the encryption process, Gryphon Ransomware should create a value name located in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run path. The value name itself might be called “DECRYPTINFO” or similar, and as for its value data, it may contain a path leading to the directory where the malicious program placed a text document we identified as a ransom note. One of the samples our specialists tested created a document called Info.txt while the second titled it HELP.txt. Despite the different names, both of them were placed in C:\Users\user\AppData\Roaming location. Therefore, the mentioned registry entry’s value data should point to either C:\Users\user\AppData\Roaming\Info.txt or C:\Users\user\AppData\Roaming\HELP.txt; it depends on the version you receive.
The ransom note advises to contact the malware’s developers via given email address and learn how to pay a ransom. In case you encounter Gryphon Ransomware’s test version, there might be no email addresses, just words “test2” and “test3”, making it rather impossible to communicate with the hackers. Not that we would recommend doing so. Our specialists learned one other thing about the infection you should know. It did not connect to any server, although it should have done so to save the decryption key. In other words, there is a chance even the malware’s creators do not have the means to restore your files, which means if you pay the ransom your money could be lost in vain.
If you do not have any intention to pay money to these hackers, we advise you not to waste any time with Gryphon Ransomware and remove it right away. It might be not the easiest task considering it is a serious threat, but hopefully the instructions we added at the end of the text will assist you if you should choose to erase the malware manually. Probably, the easier and more beneficial option would be to employ a reliable security tool. This way you could perform a system scan and detect not only this infection but also other possible threats. The best part is you would only need to click the removal button, and the tool should eliminate all malicious data.