LockBit 3.0 Black / CriptomanGizmo ([random 9 chars]; README.txt) Support Topic


290 replies to this topic

#1 tcolaco

Posted 03 December 2022 - 04:43 AM

Any files that are encrypted with the original LockBit 3.0 (LockBit Black) ransomware (a spin-off from BlackMatter) will have TWO strings of random 7.random 9 character extensions appended to the end of the encrypted data file and typically will leave files (ransom notes) which include the same second string [random 9 characters].README.txt, [random 9 characters].bmp as part of its name as explained here (Figure 3) and here (Figure 10-11). These are some examples.

.CDtU3Eq.HLJkNskOq
.qwYkH3L.HLJkNskOq
HLJkNskOq.README.txt
HLJkNskOq.bmp

According to CISA CYBERSECURITY ADVISORY: non-LockBit affiliates were able to use LockBit 3.0 after its builder was leaked in Sep 2022. In December 2023 it was reported LockBit ransomware now poaching BlackCat, NoEscape affiliates.

 

Any files that are encrypted with LockBit 3.0 (Black) / CriptomanGizmo ransomware (used by affiliates or non-LockBit affiliates after its builder was leaked) will have a random 9 character alpha-numerical extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name as explained here by Amigo-A (Andrew Ivanov). These are some examples.

.hZiV1YwzR
.3WbzmF0CC
.JxxLLpPns
hZiV1YwzR.README.txt
3WbzmF0CC.README.txt
JxxLLpPns.README.txt

Some CriptomanGizmo/LockBit 3.0 (Black) ransom notes are known to include a long string of hexadecimal characters comprising a Decryption ID similar to N3ww4v3/Mimic but without an asterisk (*) and extension after the ID numbers.

Your personal DECRYPTION ID: 495927C9CC58D8A36B47827EAE1AEA72
»» Your personal DECRYPTION ID: 9FE85D4F9C7EA210F904E9BC55F74ECA
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
specify your ID - 6800F4848694EC5B39B3525AF9F34521
report your ID - C7EC9516C90F63DF285
YOU LOCK-ID: 7565BD6495000673051C5B6F24EE1B30

There is no known method to decrypt files encrypted by most LockBit 3 (Black) ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from those who created the ransomware. However, rivitna has had some success obtaining the private keys for several LockBit 3 (Black) variants so he may be able to help some victims. A limited number of private keys were retrieved by rivitna after victims paid the ransom and uploaded those keys/decryptor to the public domain where he was able to access them.

Hello guys.
We got a new case of ransomware attack. It wasn't detected by ID Ransomware.

SHA1: d4d23959c6892e0690e7cd73ff01f7e7f9189015

Extension: .JxxLLpPns

I'll leave the ransom note below. Is anyone aware of this Ransomware?
 
                         ~~~ Hello ****************** ~~~
 
All of your files are encrypted.
It is IMPOSSIBLE to decrypt files without decryption keys.
Do not rename files or use third-party decryptors - this can permanently change the files, in which case even we can't help you.
You can restore everything with a personal decryptor program, which you can buy from us by contacting
email:
 
 
help_havaneza@cryptolab.net
help_havaneza@bastardi.net
    
    
As proof of the presence of the decryption key, a file up to 4 MB in size and not being an archive or a database file can be decrypted for free.
 
 
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
 
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
 
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!


Edited by quietman7, 04 June 2024 - 07:11 AM.
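A small triage script, added here as an example and not part of this topic or of any project's code, that encodes the naming convention described in the post above (two random extensions for the original LockBit Black, a single 9-character extension for the leaked-builder variants, and a ransom note or wallpaper named after the same 9-character string) and pulls the Decryption ID out of a note body. The regexes, the mixed-case heuristic, the function names `triage` and `extract_ids`, the constructed tag `Zz9Qp2LmV` and the sample listing are this example's own assumptions; a random extension by itself is reported as inconclusive, because the ransom note name is what the thread relies on to tell this family apart from others that also use random extensions.

```python
import re
from collections import defaultdict

# Naming convention described in the support topic:
#   original LockBit 3.0 Black:   <file>.<7 random chars>.<9 random chars>
#   leaked-builder variants:      <file>.<9 random chars>
#   ransom note / wallpaper:      <same 9 chars>.README.txt  and  <same 9 chars>.bmp
# The regexes below are this example's own encoding of that description.
TWO_EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<first>[A-Za-z0-9]{7})\.(?P<tag>[A-Za-z0-9]{9})$")
ONE_EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<tag>[A-Za-z0-9]{9})$")
NOTE_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]{9})\.(?:README\.txt|bmp)$")

# "ID:" / "ID -" followed by a run of hex digits, as in the Decryption ID lines quoted
# in the topic. The quoted IDs differ in length, so the run is open-ended (minimum 16).
ID_RE = re.compile(r"\bID\b\s*[:\-]\s*([0-9A-Fa-f]{16,})")


def looks_random(tag: str) -> bool:
    """Heuristic (an assumption, not from the thread): every tag quoted in the topic mixes
    upper and lower case, whereas ordinary 9-letter extensions are all lower case."""
    return not tag.islower()


def triage(names):
    """Group a directory listing by the 9-character tag and decide, per tag, whether the
    LockBit 3.0 (Black) / CriptomanGizmo naming convention is fully present."""
    groups = defaultdict(lambda: {"encrypted": [], "notes": [], "style": set()})
    for name in names:
        m = NOTE_RE.match(name)
        if m and looks_random(m["tag"]):
            groups[m["tag"]]["notes"].append(name)
            continue
        m = TWO_EXT_RE.match(name)
        if m and looks_random(m["tag"]):
            groups[m["tag"]]["encrypted"].append(name)
            groups[m["tag"]]["style"].add("two-ext")
            continue
        m = ONE_EXT_RE.match(name)
        if m and looks_random(m["tag"]):
            groups[m["tag"]]["encrypted"].append(name)
            groups[m["tag"]]["style"].add("one-ext")
    result = {}
    for tag, g in groups.items():
        if g["encrypted"] and g["notes"]:
            verdict = ("likely LockBit 3.0 (Black)/CriptomanGizmo naming: random extension "
                       "plus matching <tag>.README.txt/.bmp")
        elif g["encrypted"]:
            # A random extension alone is shared with other families; the note name is the discriminator.
            verdict = "random extension only; ransom note name needed to tell it apart from other families"
        else:
            verdict = "note/wallpaper only; no encrypted files carrying this tag were seen"
        result[tag] = {"encrypted": sorted(g["encrypted"]), "notes": sorted(g["notes"]),
                       "style": sorted(g["style"]), "verdict": verdict}
    return result


def extract_ids(note_text: str):
    """Return every Decryption ID found in a ransom note body."""
    return ID_RE.findall(note_text)


# Constructed directory listing: the tags HLJkNskOq and JxxLLpPns are taken from the topic,
# Zz9Qp2LmV is made up for this example.
SAMPLE_LISTING = [
    "budget.xlsx.CDtU3Eq.HLJkNskOq",
    "photo.jpg.qwYkH3L.HLJkNskOq",
    "HLJkNskOq.README.txt",
    "HLJkNskOq.bmp",
    "bck_query.sql.JxxLLpPns",
    "JxxLLpPns.README.txt",
    "invoice.pdf.Zz9Qp2LmV",                   # extension only, no note: inconclusive
    "readme.txt", "setup.exe", "library.dll",  # untouched files, must not be flagged
]

# Constructed note body using the ID line format quoted in the topic.
SAMPLE_NOTE = """All of your files are encrypted.
1. In the first letter, indicate your personal ID!
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
"""

if __name__ == "__main__":
    for tag, info in triage(SAMPLE_LISTING).items():
        print(tag, info["style"], info["verdict"])
    print("IDs:", extract_ids(SAMPLE_NOTE))
```

On a real machine, feed `triage()` the output of `os.listdir()` for the affected share; the grouped result tells you in one pass which tag to search ID Ransomware or this topic for, and which files (the note plus one encrypted sample with its unencrypted original) to collect for the identification request the moderators ask for.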



 


#2 quietman7

    Bleepin' Gumshoe

Posted 03 December 2022 - 05:00 AM

Is .JxxLLpPns the full appended extension or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or an ID number with a name (.[a7fth62bc1].[Ricardo Milos]) preceding the extension?
 
What is the actual name of the ransom note?
 
Please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database).

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#3 tcolaco (Topic Starter)

Posted 03 December 2022 - 05:14 AM

Hello quietman7,

Thanks for your answer.

Yes, .JxxLLpPns is the full appended extension, no ID or email. (example: bck_query.sql.JxxLLpPns)

The Ransom note has the name "JxxLLpPns.README".

I'll try to get unencrypted versions of the files and send them as soon as possible.



#4 tcolaco (Topic Starter)

Posted 03 December 2022 - 06:09 AM

Unfortunately, we don't have any "non-encrypted" versions of the files. In this case, the client was working directly on their NAS and the only copy they had was in another NAS in the same network, so nothing escaped.



#5 Amigo-A

    Security specialist and Ransomware expert

Posted 03 December 2022 - 02:37 PM

Then attach the ZIP archive with 2 encrypted files of different types (image and text) and the ransom note.

My site: The Digest "Crypto-Ransomware" + Google Translate

 


#6 tcolaco (Topic Starter)

Posted 04 December 2022 - 08:04 AM

Hello Amigo-A,

Thanks for your message. I just sent you the files by private message.

Hope you can find something about it.

I have checked the BTC wallet and it shows that it never received any payment. Maybe a new ransomware or a direct attack on this company.



#7 Amigo-A

    Security specialist and Ransomware expert

Posted 05 December 2022 - 05:46 AM

Of all the ones we've seen in the past few months, this one is the most suitable.
 
 
They changed a few things, but some elements are similar.
None of the anti-virus companies and decryption specialists claimed to be able to decrypt the files.
There are no samples available yet.
 
After processing, the information will be added to the article.

Edited by Amigo-A, 05 December 2022 - 05:48 AM.


 


#8 quietman7

    Bleepin' Gumshoe

Posted 05 December 2022 - 09:31 AM

Topic title changed to reflect naming convention and direct other victims to this support topic.




#9 tcolaco (Topic Starter)

Posted 05 December 2022 - 09:39 AM

Thanks for your answer, Amigo-A.

Glad I can help the community.



#10 3mz

Posted 28 January 2023 - 01:58 PM

Hi,

I have been infected.

The extension is as in the topic:

.O0bMlVixK

ID Ransomware reports this:

SHA1: 4d286fc81bdc5431eeeb695fc021e7bbbfe1ef77

The message is this:

 

            
                                                  YOUR FILES ARE ENCRYPTED!!!

For data recovery contact us you will need to pay us:
fireco@onionmail.com
firecorecoverfiles@msgsafe.io
Telegram: @firecorecoverfiles
https://t.me/firecorecoverfiles
1. In the first letter, indicate your personal ID!
2. In response, we will send you instructions.



    
>>>> Your personal DECRYPTION ID: 0777B8E4CB39B3525AF9F3457A9DAE63

 

---------------------------------------

Please help.

I attach a simple affected vgm file.

 

 



#11 quietman7

    Bleepin' Gumshoe

Posted 28 January 2023 - 02:26 PM

What is the actual name of the ransom note?
 
At first glance this could be a new variant of Stop24/7 Ransomware which has been using a random extension appended to the end of the encrypted data filename and leaves files (ransom notes) named RECOVERY_INFORMATION.TXT.

The contents of your ransom note are those we typically see with this ransomware.




#12 3mz

Posted 28 January 2023 - 02:32 PM

O0bMlVixK.README.txt

 

It did not affect .exe and .dll.



#13 quietman7

    Bleepin' Gumshoe

Posted 28 January 2023 - 03:06 PM

Based on the ransom note name, this is most likely CriptomanGizmo / LockBit 3.0 (Black) ransomware (used by affiliates or non-LockBit affiliates after its builder was leaked) which will have a random 9 character alpha-numerical extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name as explained here by Amigo-A (Andrew Ivanov). These are some examples.

.hZiV1YwzR
hZiV1YwzR.README.txt
.3WbzmF0CC
3WbzmF0CC.README.txt
.JxxLLpPns
JxxLLpPns.README.txt



#14 3mz

Posted 28 January 2023 - 04:07 PM

This is the email received:

recover files <firecorecoverfiles@msgsafe.io>
 

 

> 0777B8E4CB39B3525AF9F3457A9DAE63

 

Hello. To decrypt files, follow these instructions:

 

    1. Price.

    5000 $ (american dollars) for decrypting all your files, or for part of your files, the price is the same.

    We accept only BITCOIN payments. (It is a decentralized digital currency)

 

    2. Be careful please.

    Do not change the encrypted file extension.

    Do not try to decrypt your files with programs from the internet, these programs don't work.

    If you decide to try any decryption programs, please make a copy of the encrypted files before doing so.

    Only our email has the keys to decrypt your files. Do not believe other people.

 

    3. Test decryption as a guarantee

    We will decrypt 1 any, not important file, as proof of decryption.

    File for test no more than 1 megabyte (not archived). If in our opinion you send an important file,

    we have the right to refuse to decrypt it and ask you to send another file.

 

    4. Decryption process:

    We are waiting for payment to our Bitcoin wallet. As soon as we receive the money we will send you:

    a) Program for decryption.

    B) Instructions for decrypting and securing your computer.

 

    5. Websites where you can buy bitcoins:

    www.bitpapa.com

    www.coinmama.com 

    www.paxful.com

    www.localbitcoins.com

    www.abra.com

 

    Big list of websites https://www.wikijob.co.uk/content/trading/cryptocurrency/places-to-buy-bitcoin#20-local-bitcoins

    PLEASE DO NOT USE COINBASE! Because through COINBASE you can send them only after two weeks of authorization.

    Websites for CHINA: https://www.huobi.io/ https://bitpay.com/

 

 


#15 quietman7

    Bleepin' Gumshoe

Posted 28 January 2023 - 04:19 PM

Not many criminals send an email in addition to the ransom note.
 
Please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database). Alternatively, you can use a third-party file hosting service to upload the files and provide a link or send a PM with a link to Amigo-A.
 
Click the More Reply Options button in the bottom right corner of the Board Editor...then click the Browse... button under Attach Files.






