What is Gryphon ransomware? How does it work?

Gryphon is a new computer infection that infects all the files on its wake by encrypting them. According to security experts, this ransomware might be related to the family of BTCWare ransomware due to the fact that Gryphon is developed with the codes similar to BTCWare, similarly so, that it is also known as the BTCWare Gryphon ransomware.
This infection spreads through a malicious payload file named, payload.exe. If this malicious executable file manages to run in your computer, it immediately starts to encrypt your files by adding the .gryphon file extension to the targeted files. After it is done with the encryption it displays its ransom note which is either the HELP.inf or !##DECRYPT FILES ##!.txt Scontaining the following message:
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – “GRYPFON DECRYPTER” Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
If you want to restore files, write us to the e-mail: test2
In subject lite write “encryption” and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week in interest of our security.
Only in case you do not receive a response from the first email address withit 48 hours, please use this alternative email adress: test3
Your personal identification number:
[Victim’s ID]
Gryphon ransomware is the type of infection that would give you nightmares, besides the fact that its encrypted files are currently undecryptable, it also messes with your PC’s Master Boot Records which may need additional fixing after your remove it from your system. However, the good thing is that, it does not delete the shadow volume copies of your files so there’s still a good chance that you’ll get your files back, but before you do that, you need to rid your computer of this infection first.

How does Gryphon ransomware infect your computer?

As pointed out, Gryphon spreads through a malicious executable file which is payload.exe. There are many ways this payload file can be distributed; it can be through spam emails with infected attachments, corrupted and malicious software updates from shady sites. To avoid this, make sure that your system is always up-to-date and that you have a reliable antivirus and anti malware program.
Eliminate Gryphon ransomware using the complete set of instructions below in order to continue using your computer safely. Keep in mind that ransomware often spreads in a bundle with other types of malicious infection.
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.

Step 2: Go to the Processes tab and look for Gryphon ransomware’s process or any suspicious processes for that matter and then kill them.

Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step 4: Look for Gryphon Ransomware or any suspicious program and then Uninstall.

Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and delete everything in it. Or other directories you might have saved the bundled file related to Gryphon Ransomware.

  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop
  • %TEMP%

Step 7: Look for any malicious file that might be related to Gryphon ransomware.
Step 8: Right-click on it and click Delete.
Step 9: Empty the Recycle Bin.
Step 10: Recover your encrypted files.
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if the Gryphon Ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Follow the continued advanced steps below to ensure the removal of the Gryphon Ransomware:
Perform a full system scan using SpyRemover Pro.

  1. Turn on your computer. If it’s already on, you have to reboot
  1. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the Safe Mode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Box will show up.
  2. Type in explorer http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between explorer and http. Click OK.

  1. A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.

  1. Click OK to launch SpyRemover Pro.
  2. Run SpyRemover Pro and perform a full system scan.

  1. After all the infections are identified, click REMOVE ALL.

  1. Register SpyRemover Pro to protect your computer from future threats.


logo main menu

Copyright © 2022, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.

DMCA.com Protection Status

Log in with your credentials

Forgot your details?