LockBit 3.0 Black / CriptomanGizmo ([random 9 chars]; README.txt) Support Topic

Any files that are encrypted with the original LockBit 3.0 (LockBit Black) ransomware (a spin-off from BlackMatter) will have TWO strings of random 7.random 9 character extensions appended to the end of the encrypted data file and typically will leave files (ransom notes) which include the same second string [random 9 characters].README.txt, [random 9 characters].bmp  as part of its name as explained here (Figure 3) and here (Figure 10-11). These are some examples.

.CDtU3Eq.HLJkNskOq
.qwYkH3L.HLJkNskOq
HLJkNskOq.README.txt
HLJkNskOq.bmp

According to CISA CYBERSECURITY ADVISORY: non-LockBit affiliates were able to use LockBit 3.0 after its builder was leaked in Sep 2022. In December 2023 it was reported LockBit ransomware now poaching BlackCat, NoEscape affiliates.

Any files that are encrypted with LockBit 3.0 (Black) / CriptomanGizmo ransomware (used by affiliate or non-LockBit affiliates after its builder was leaked) will have a random 9 character alpha-numerical extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name as explained here by Amigo-A (Andrew Ivanov).  These are some examples.

.hZiV1YwzR
.3WbzmF0CC
.JxxLLpPns
hZiV1YwzR.README.txt
3WbzmF0CC.README.txt
JxxLLpPns.README.txt

Your personal DECRYPTION ID: 495927C9CC58D8A36B47827EAE1AEA72
»» Your personal DECRYPTION ID: 9FE85D4F9C7EA210F904E9BC55F74ECA
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
specify your ID - 6800F4848694EC5B39B3525AF9F34521
report your ID - C7EC9516C90F63DF285
YOU LOCK-ID: 7565BD6495000673051C5B6F24EE1B30

There is no known method to decrypt files encrypted by most LockBit 3 (Black) ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from those who created the ransomware. However, rivitna has had some success obtaining the private keys for several LockBit 3 (Black) variants so he may be able to help some victims. A limited number of private keys were retrieved by rivitna after victims paid the ransom and uploaded those keys/decryptor to the public domain where he was able to access them.

.

 
 
Hello guys. 
We got in new case of ransomware attack. Is wasn´t detected by ID Ransomware. 
 
SHA1: d4d23959c6892e0690e7cd73ff01f7e7f9189015
 
Extension: .[/size]JxxLLpPns
 
I´ll leave the ransom note bellow. Did anyone are aware of this Ransomware? 
 
                         ~~~ Hello ****************** ~~~
 
All of your files are encrypted.
It is IMPOSSIBLE to decrypt files without decryption keys.
Do not rename files or use third-party decryptors - this can permanently change the files, in which case even we can't help you.
You can restore everything with a personal decryptor program, which you can buy from us by contacting
email:
 
 
help_havaneza@cryptolab.net
help_havaneza@bastardi.net
    
    
As proof of the presence of the decryption key, a file up to 4 MB in size and not being an archive or a database file can be decrypted for free.
 
 
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
 
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
 
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Edited by quietman7, 04 June 2024 - 07:11 AM.

Is .JxxLLpPns the full appended extension or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or an ID number with a name (.[a7fth62bc1].[Ricardo Milos]) preceding the extension?

 

What is the actual name of the ransom note?

 

Please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database).

Hello quietman7,

Thanks for you answer. 

Yes, .JxxLLpPns is the full appended extension, no ID or email. (example; bck_query.sql.JxxLLpPns)

The Ransom note has the name "JxxLLpPns.README" .

I´ll try to get versions of the files not encrypted and send it as soon as possible. 

 

Is .JxxLLpPns the full appended extension or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or an ID number with a name (.[a7fth62bc1].[Ricardo Milos]) preceding the extension?

 

What is the actual name of the ransom note?

 

Please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database).

 

Unfortunately, we don´t have any "non-encrypted" versions of the files. In this case, the client was working directly on their NAS and the only copy they had was in another NAS in the same network.. so, nothing escaped. 

Then attach the ZIP archive with 2 encrypted files of different types (image and text) and the ransom note.

Hello  Amigo-A, 

Thanks for you message. Just sent you by private message the files. 

Hope you can find something about it. 

I have checked the btc wallet and it shows as never got any payment on it. Maybe a new ransomware or a direct attack to this company. 

Edited by Amigo-A, 05 December 2022 - 05:48 AM.

Topic title changed to reflect naming convention and direct other victims to this support topic.

 

Of all the ones we've seen in the past few months, this one is the most suitable.

 

CriptomanGizmo Ransomware

 

They changed a few things, but some elements are similar.

None of the anti-virus companies and decryption specialists claimed to be able to decrypt the files.

There are no samples available yet.

 

After processing, the information will be added to the article.

 

Thanks for your answer Amigo-A

Glad I can help the comunity.

Hi,

i have been infected

the extension as topic

.O0bMlVixK

id ransomware report this:

SHA1: 4d286fc81bdc5431eeeb695fc021e7bbbfe1ef77

the message is this

            
                                                  YOUR FILES ARE ENCRYPTED!!!

For data recovery contact us you will need to pay us:
fireco@onionmail.com
firecorecoverfiles@msgsafe.io
Telegram: @firecorecoverfiles
https://t.me/firecorecoverfiles
1. In the first letter, indicate your personal ID!
2. In response, we will send you instructions.



    
>>>> Your personal DECRYPTION ID: 0777B8E4CB39B3525AF9F3457A9DAE63

---------------------------------------

Please Help

as attach a simple vgm file affected

What is the actual name of the ransom note?
 
At first glance this could be a new variant of Stop24/7 Ransomware which has been using a random extension appended to the end of the encrypted data filename and leaves files (ransom notes) named RECOVERY_INFORMATION.TXT.

The contents of your ransom note are those we typically see with this ransomware.

O0bMlVixK.README.txt

it did not affect .exe. and .dll

Based on the ransom note name, this is most likely CriptomanGizmo / LockBit 3.0 (Black) ransomware (used by affiliate or non-LockBit affiliates after its builder was leaked) which will have a random 9 character alpha-numerical extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name as explained here by Amigo-A (Andrew Ivanov). These are some examples.

.hZiV1YwzR
hZiV1YwzR.README.txt
.3WbzmF0CC
3WbzmF0CC.README.txt
.JxxLLpPns
JxxLLpPns.README.txt

> 0777B8E4CB39B3525AF9F3457A9DAE63

Hello. To decrypt files, follow these instructions:

    1. Price.

    5000 $ (american dollars) for decrypting all your files, or for part of your files, the price is the same.

    We accept only BITCOIN payments. (It is a decentralized digital currency)

    2. Be careful please.

    Do not change the encrypted file extension.

    Do not try to decrypt your files with programs from the internet, these programs don't work.

    If you decide to try any decryption programs, please make a copy of the encrypted files before doing so.

    Only our email has the keys to decrypt your files. Do not believe other people.

    3. Test decryption as a guarantee

    We will decrypt 1 any, not important file, as proof of decryption.

    File for test no more than 1 megabyte (not archived). If in our opinion you send an important file,

    we have the right to refuse to decrypt it and ask you to send another file.

    4. Decryption process:

    We are waiting for payment to our Bitcoin wallet. As soon as we receive the money we will send you:

    a) Program for decryption.

     Instructions for decrypting and securing your computer.

    5. Websites where you can buy bitcoins:

    www.bitpapa.com

    www.coinmama.com 

    www.paxful.com

    www.localbitcoins.com

    www.abra.com

    Big list of websites https://www.wikijob.co.uk/content/trading/cryptocurrency/places-to-buy-bitcoin#20-local-bitcoins

    PLEASE DO NOT USE COINBASE! Because through COINBASE you can send them only after two weeks of authorization.

    Websites for CHINA: https://www.huobi.io/ https://bitpay.com/

Not many criminals send an email in addition to the ransom note.
 
Please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database). Alternatively, you can use a third-party file hosting service to upload the files and provide a link or send a PM with a link to Amigo-A.
 
Click the More Reply Options button in the bottom right corner of the Board Editor...then click the Browse... button under Attach Files.