LockBit (ACBD, LockBit 2.0 - .lockbit, .lock2bits, .luckyday) Support Topic


132 replies to this topic

#31 Jethrox


Posted 03 December 2019 - 06:04 PM

The recent filebin link is from me - Since dyndragon's files were more than a week old it was empty. Was in a hurry and just uploaded from the existing link - oops.

Submitted the file to a couple sites to analyze: https://www.hybrid-analysis.com/sample/70cb1a8cb4259b72b704e81349c2ad5ac60cd1254a810ef68757f8c9409e3ea6/5de68fd5147c6120bb7d5d0c

 

:smash:

 

RDP is :radioactive: :radioactive:




 


#32 f0wL


Posted 03 December 2019 - 08:07 PM

Whoops, so I did get it right the first time, sorry. Yeah, indeed RDP has been abused a lot in the last couple of weeks/months...

You didn't find any other suspicious files on the machines by any chance, did you? That was the case with two other users here on the forum with MedusaLocker (they found port / netshare scanners and mimikatz related tools).

There's another sample called Ricks72.exe with the SHA-256 b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893 which is discussed here: https://twitter.com/malwrhunterteam/status/1200476876319444997

Attribution etc. is a real challenge in this case.


#33 dyndragon


Posted 03 December 2019 - 08:42 PM

Should I reupload my files? I didn't find any binaries or executables, I only uploaded samples of the encrypted and unencrypted files with the ransom notes.

#34 Jethrox


Posted 03 December 2019 - 08:44 PM

Process Hacker 2 was installed, and there was an additional file on the desktop, 'Text.txt', but it was a 0-byte file. They pushed past SCEP and hooked a net admin credential - :busy: Nothing on the network stood a chance.

I haven't looked much further into the one with the remnants. Was primarily focused on making sure it was stopped and preserving what I could. The Ricks75.exe was in quarantine when I managed to get SCEP back up.



#35 INeedlessI


Posted 14 December 2019 - 03:07 PM

Hello,

Two of my computers got encrypted with the same Restore-My-Files.txt (.abcd) ransomware.

They got lucky and got the computer that had all my backups. My network has 4 computers but only 2 got encrypted (1 computer + the server). They also deleted my Dropbox account which had other backups on it. (I'm currently waiting to see if Dropbox can restore my account)

I sent them an email because I need my files back so I guess it's going to cost me. (Don't know how much yet)

I would like to help the community so can you please direct me to the file sharing site you use and tell me exactly what you need.

(I'm sorry if this has already been answered but I haven't had much time in the past 24 hours to research)

Thank you in advance



#36 saltie101


Posted 16 December 2019 - 03:19 PM

Did they end up sending the password? Got 1 of my computers' backups with everything else.

 




#37 INeedlessI


Posted 18 December 2019 - 01:26 AM

I exchanged emails with them from several different accounts and they always started by asking for 3 bitcoins to decrypt the computers. It made no difference if it was 1 computer or 5, it was still 3 bitcoins. After a couple of exchanges they went down to 0.5 bitcoins. At that price we decided not to pay.



#38 INeedlessI


Posted 19 January 2020 - 04:13 PM

Update:

After a couple of days with no contact they sent me emails on multiple different accounts and said they would reduce the price.

They ended up charging me 0.06 Bitcoin for 2 computers. I paid half (0.03) and the other half was paid after I decrypted the first computer.

They sent me a decryption file 5_decryptor.exe (129 kb in size) for the first computer and then a .rar file containing 9_decryptor.exe (129 kb) decrypt file for the second computer.

Both decryption files worked but they kept on crashing. I must have restarted each decryption file at least 50 times. (I'm not exaggerating)

In the end, I got my files back but now I need to reinstall Windows on each computer because I have no idea what else the initial virus or the decryption files left on my computers. I do know that they installed Process Hacker 2 as well as leaving Mouse_Lock V22.exe and Mimikatz.exe programs on my desktop. (Both of which I couldn't find installed on the computer)



#39 Amigo-A


Posted 20 January 2020 - 02:36 PM

INeedlessI

 

The listed programs can be changed/renamed or only unpacked, without the use of standard installation tools.

 

Reinstalling the system may be necessary if some system and program files are affected.



 


#40 f0wL


Posted 20 January 2020 - 05:09 PM

Hey |Needless|,

 

Thanks for the update. Good to hear that you got your files back, but they could have easily ripped you off as well :smash: Would it be possible for you to upload one of the decryptor files to Malshare and post the MD5 hashsum here for further analysis? Also, it would be great if you could name the email addresses they used during the negotiations. Thanks in advance :)




#41 manfredosb


Posted 29 March 2020 - 07:55 AM

Hi, I got our Windows Server 2012 R2 infected with the LockBit ransomware. Can anyone help me decrypt the files?

Thanks for your time.



#42 quietman7


Posted 29 March 2020 - 08:19 AM

There is no known method that I am aware of to decrypt files encrypted by ABCD - LockBit Ransomware without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced.

If feasible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ransomware victims should ignore all Google searches which provide numerous links to bogus and untrustworthy removal/decryption guides. After our experts tweet or write about a new variant, junk articles with misinformation are quickly written in order to goad victims into purchasing sham removal and decryption software. Only use trusted sources when searching for information.



#43 manfredosb


Posted 29 March 2020 - 08:22 AM

Thanks! My only option is to pay then? What are my chances, if I pay, that they will give me a key and not run off with the money?



#44 quietman7


Posted 29 March 2020 - 08:36 AM

Most security experts will advise against paying the ransom demands or engaging in negotiating a payment with the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data, and every time a victim pays, the payment reinforces the criminals' faith in their business model. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain and continue to target victims. Further, there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

I explain why in more detail in this topic which includes victim experiences relating to dealing with or negotiating with the malware developers.




#45 nsainfreek


Posted 04 April 2020 - 05:12 PM

I've been hit with what looks like a relatively new variant of LockBit. My files have a .lockbit suffix, and there is a new wallpaper that states my files are encrypted. I tried reading around the forums a bit (including how to post for help) but I'm sure you guys understand that I'm a bit flustered. I am really considering paying the ransom. Haven't tried contacting them yet but wanted people's thoughts on whether I should pay the ransom. Here is a link to several encrypted files and the ransom note.

 

https://filebin.net/i1zde1rn9d7n9514

 

Please let me know what else I can do to get help. Thanks to everyone. 





