GIBON targets Windows OS and is distributed via a malicious spam campaign that utilizes macros within attached documents to download and install the ransomware. It has also been marketed and sold on underground criminal forums since as early as May 2017. After a system is infected, GIBON connects to its C2 server and registers the newly compromised device. The C2 then delivers a ransom note to the infected system and encrypts all files with the exception of those located within the Windows folder. Once encrypted, GIBON appends .encrypt to the names of files and drops a ransom note named READ_ME_NOW.txt in each folder containing the encrypted files. Email addresses associated with GIBON include firstname.lastname@example.org and email@example.com.
Image Source: Bleeping Computer