How to remove GRYPHON virus and restore encrypted files

GRYPHON ransomware has already infected thousands of machines around the world, mostly through the usual route: fraudulent emails with malicious attachments. Attackers also exploit zero-day vulnerabilities to get onto a system, but the big software vendors tend to patch those quickly. Once running, GRYPHON scans the disk, works out how many files it can encrypt and roughly how much they are worth to the victim. Like every current ransomware family it encrypts images, audio, documents and video in all widely used formats. It goes after every user file, starting with those that look like business records, but leaves programs alone so the victim still has a working PC to pay the ransom from. Encryption uses the well-known AES and RSA algorithms, and with a properly generated key, brute-forcing it is infeasible. That is the reason for the remarkable success of this class of malware in recent years: an ordinary user, even a fairly skilled one, cannot get the data back alone and is left with the choice of paying the scammers or losing the files. Without backups, the only ways to recover are to obtain the private keys from the attackers' infrastructure (for example when it is seized or compromised) or to exploit mistakes in the ransomware's own code, which is how experienced malware analysts are sometimes able to extract keys and build free decryptors. Encrypted files receive the ".[test].gryphon" extension, and the ransom demanded ranges from $500 to $1,500 in bitcoin.

This article is about the GRYPHON virus, which infects users' PCs around the world and encrypts their files. Here you will find the essentials: what GRYPHON is, how to remove it from your computer and, in the final section, whether and how the encrypted files can be recovered.

All types of ransomware share one trait: it is far easier to avoid the infection than to undo its consequences. Unfortunately, many users discover the value of basic computer hygiene only after they have been hit. To protect yourself, keep these few principles in mind:

    • Do not approve changes to the PC requested by unfamiliar software. Once ransomware is running it tries to delete every copy of your data (the Volume Shadow Copies Windows keeps) to lower the chance of recovery. Deleting those copies needs administrator rights, which on a default Windows setup means a UAC prompt you have to accept. If you decline a prompt from a program you did not launch, you keep the option of restoring the lost files for free.
    • Do not ignore the signs your hardware and software give you. Encrypting files consumes a lot of CPU time. If you notice an unexplained slowdown or an unfamiliar process in Task Manager, switch the machine off, boot it into Safe Mode and look for malware. Some files will already be encrypted, but the rest will be spared.
    • Read your email carefully, especially messages with attachments. If you do not know the sender and the message talks about a prize you have won, a lost parcel or anything similar, it is almost certainly a scam. Be equally wary of business-style messages whose sender and content you do not recognise: lawsuits, invoices for goods and services, appeals, summaries and similar important documents do not arrive out of the blue, and at the very least you should know who sent them. If you do not, treat the message as fraud.
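The first two checks above can be automated. The following PowerShell script is an added example written for this article, not part of the original page or of any vendor's tooling. It lists the Volume Shadow Copies that still exist (the "copies of the data" the first point refers to), the processes consuming the most CPU, and how many files already carry the ".[test].gryphon" extension the article names. It assumes Windows 10/11 with PowerShell 5.1 or later run from an elevated prompt; the $Pattern value is an assumption derived from the extension given above.

```powershell
#Requires -RunAsAdministrator
# Added triage script, not from the original article. Assumes Windows 10/11,
# PowerShell 5.1 or later, run from an elevated prompt.
# $Pattern is an assumption based on the ".[test].gryphon" suffix the article names.
$Pattern = '*.gryphon'

# Check 1: are the Volume Shadow Copies still there? Ransomware typically runs
# "vssadmin delete shadows /all", which needs admin rights (hence a UAC prompt).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    "Shadow copies present: $(@($shadows).Count)"
    $shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
} else {
    'No shadow copies present (deleted by malware, or never created).'
}

# Check 2: which processes are burning CPU? Bulk encryption is CPU-bound, so an
# unfamiliar name near the top of this list, especially one running from a user
# profile or temp directory, deserves a closer look before you reboot.
Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Id, ProcessName, CPU, Path |
    Format-Table -AutoSize

# Check 3: how far has the encryption got? Count renamed files on every local
# drive and show the newest; their LastWriteTime clusters around infection time.
# (Recursing whole drives can take a while on large disks.)
$roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root
$hits = Get-ChildItem -Path $roots -Recurse -File -Filter $Pattern -Force -ErrorAction SilentlyContinue
"Files matching ${Pattern}: $(@($hits).Count)"
$hits | Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 FullName, LastWriteTime | Format-Table -AutoSize
```

If check 3 reports a growing count between two runs, encryption is still in progress and the machine should be powered off rather than left running while you investigate.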

Removing the ransomware is not the happy ending; it is only the first step on the long road to full file recovery. Deleting the malware does not bring the data back by itself; that takes the separate steps described in the next section. We do not offer a fully manual removal procedure for ransomware, because its complexity and the likelihood of mistakes are too high for an ordinary user. Well-written ransomware may resist removal even by antivirus software and carries several effective self-protection mechanisms. The most damaging of these is destroying the data if it detects an attempt at file recovery or at removing the infection. The guide below is designed to help you avoid triggering it.

Removal instructions

Step 1. Boot into Safe Mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot and restart the computer.

Step 2. Check the startup entries

Start -> Msconfig.exe -> Startup tab -> disable any program you do not recognise (on Windows 10 and later the Startup tab hands off to Task Manager, where the same list is shown).


Step 3. Check the hosts file

The hosts file is located in C:\Windows\System32\drivers\etc\ . Open it in Notepad (run as administrator) and delete any suspicious lines. A clean Windows hosts file contains only comment lines beginning with #, so any entry that maps a hostname to an address you did not add yourself is suspect.

Step 4. Scan the system with an anti-malware scanner

Why we recommend SpyHunter anti-malware as the removal tool:

    • Removes the virus completely: all of the malware's files and even its registry keys are deleted
    • Protects your system in the future
    • 24/7 free support team

Step 5. Disable Safe Mode

Start -> Msconfig.exe -> clear Safe boot on the Boot tab and restart the computer.
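As an added example (not the page's own instructions and not SpyHunter code), here is the same five-step procedure as a PowerShell script for Windows 10/11, run from an elevated prompt. It assumes Microsoft Defender is the scanner (Start-MpScan); Defender's service is normally not available in Safe Mode, so the scan stage is meant to run after the leave stage, or you can use the offline scan noted in the comments. Safe boot is toggled with bcdedit, which is the change the msconfig checkbox makes underneath. The script file name, the -Stage parameter and the stage names are this script's own conventions.

```powershell
#Requires -RunAsAdministrator
# Added script, not from the original article and not SpyHunter code. Runs the
# five manual steps on Windows 10/11 from an elevated PowerShell. Usage:
#   .\gryphon-cleanup.ps1 -Stage enter   # step 1, then restart into Safe Mode
#   .\gryphon-cleanup.ps1 -Stage check   # steps 2 and 3
#   .\gryphon-cleanup.ps1 -Stage leave   # step 5, then restart normally
#   .\gryphon-cleanup.ps1 -Stage scan    # step 4 (Microsoft Defender assumed)
# The file name and stage names are this script's own conventions.
param([ValidateSet('enter','check','scan','leave')][string]$Stage = 'check')

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

switch ($Stage) {
  'enter' {
    # Step 1: the same BCD change that ticking "Safe boot" in msconfig makes.
    bcdedit /set '{current}' safeboot minimal
    'Safe boot set; restart to enter Safe Mode.'
  }
  'check' {
    # Step 2: enumerate autostart locations (Run keys and Startup folders).
    # Nothing is deleted automatically: review each entry and remove what you
    # do not recognise, e.g. with Remove-ItemProperty or by deleting the file.
    $runKeys = @(
      'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
      'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
      if (-not (Test-Path $k)) { continue }
      "== $k"
      (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
      $dir = [Environment]::GetFolderPath($folder)
      "== $dir"
      Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "  $($_.Name)" }
    }

    # Step 3: the hosts file. A stock Windows hosts file contains only comment
    # lines starting with '#'; malware adds entries to block AV update servers.
    # Back it up, then list every active line for review.
    Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force
    $active = Get-Content -Path $hostsPath |
      Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    if ($active) { 'Active hosts entries (remove any you did not add):'; $active }
    else { 'hosts file has no active entries (default state).' }
  }
  'scan' {
    # Step 4: full scan with Microsoft Defender. The Defender service is normally
    # unavailable in Safe Mode, so run this stage after "leave", or use
    # Start-MpWDOScan, which restarts into Defender's offline environment.
    Update-MpSignature
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection |
      Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
      Format-Table -AutoSize
  }
  'leave' {
    # Step 5: equivalent of clearing "Safe boot" in msconfig.
    bcdedit /deletevalue '{current}' safeboot
    'Safe boot cleared; restart to return to normal mode.'
  }
}
```

The check stage only reports; deleting a Run value or Startup shortcut is left to you so that a legitimate entry is not removed by accident. Keep the hosts backup the script writes until you are sure the machine is clean.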

Once the ransomware has been erased from the machine, the next task is recovering the encrypted data. Strictly speaking this is not decryption: the algorithms the scammers use are far too strong to break. There are exceptions (flawed implementations for which researchers have produced decryptors), but in general data recovery takes a lot of time and money. If you want to attempt the recovery yourself, read our article on file decryption, which covers all the safest methods.

To restore your data, follow the article about file decryption.
