Posted 01 February 2023 - 07:44 PM
As I have repeatedly said, most security experts will advise against paying the ransom demands or engaging in negotiating a payment with the malware developers for reasons expressed here and elsewhere by other victims.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
Posted 16 February 2023 - 10:01 AM
This site claims to be able to restore Lockbit encrypted files... Are they a.) lying, b.) in league with the scammers, or c.) holding out on us and hoarding the decryptor for personal gain?
https://monstercloud.com/cyber-security/ransomware-removal/
Posted 16 February 2023 - 10:12 AM
Bleeping Computer cannot vouch for those who claim they can decrypt data or help in other ways. We have no way of knowing the background, expertise and motives of all companies or individuals who indicate decryption is possible. We have no way of vetting whether a person has a true technical method of recovering files, is scamming users by just paying ransoms for the key, or are the ransomware operators themselves. For the same reason, members are discouraged from providing remote access to unknown individuals or to provide data that could potentially be stolen. We advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money or paying a fee to anyone.
In regards to data recovery services specifically, they typically act as a "middleman", pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Other data recovery services hide the actual ransom cost from clients and/or mark the cost up exponentially as noted here.
Some data recovery services operate more like scammers while others like Fast Data Recovery have been reported to make false claims to be able to decrypt data by ransomware which is not decryptable and charge an assessment fee. Many of them instruct victims to submit one or two limited size files for free decryption as 100% proof they can decrypt the files with claims of 100% guaranteed success, collect the victim's money and are never heard from again. The criminals behind creating and spreading ransomware do the same.
Experts have identified Proven Data, Red Mosquito, MonsterCloud, Dr. Shifro and Fast Data Recovery as some of the most dishonest and predatory data recovery services. Connecticut-based Coveware CEO Bill Siegel refers to such data recovery services as "ransomware payment mills".
Please read my comments in this topic for information as to what we know about those who claim they can decrypt data including using and paying data recovery services.
Posted 16 February 2023 - 11:12 AM
Thank you very much for that excellent explanation and informative reply.
Posted 16 February 2023 - 01:39 PM
You're welcome.
Posted 16 February 2023 - 02:14 PM
What is the entry point for a LockBit infection, could it be an infected Word document?
My EDR caught an infected Word document at another customer's location, and I'm wondering if we just stopped a ransomware attack there.
Should I open a thread and upload that infected document?
Posted 16 February 2023 - 03:06 PM
Posted 05 January 2024 - 01:19 PM
Create what?
Posted 07 May 2024 - 07:14 PM
Posted 07 May 2024 - 08:46 PM
Been a few years now since they hit me and we have moved on without all our previous data unfortunately. Hopefully this reduces the incidents and the pain people go through in the future.
Posted 08 May 2024 - 06:08 AM
While law enforcement originally stated that they were able to obtain 1,000 decryption keys as part of Operation Cronos, today's announcement reveals that they were able to obtain an additional 1,500 decryption keys and are continuing to assist LockBit victims in recovering their files for free.
So are the decryption keys already available? How do I know that they have the key for my encrypted data, for example?