C77L/X77C Ransomware (.[<email>].[random 8]; .[ID-random 8][<email>]) Support

Hello I am new to this community so I apologize if I miss format my post. I have attached the file that the criminals have left. Opening any of the encrypted files with notepad shows "LockedByX77" then proceeded with a bunch of corrupted text. 

I tried uploading an encrypted file but the website says "Error You aren't permitted to upload this kind of file" so I have changed it from the .y6y to .txt

#Restore-My-Files.txt contents

The two attacker emails that are mentioned:
 

This is C77L ransomware

@ Auracomputer
 

I have merged your topic into the primary support topic for victims of this ransomware.

@ Auracomputer
 

I have merged your topic into the primary support topic for victims of this ransomware.

Thank you so much. I apologize for making a different post I just didn't know what type of ransomware has infected my computer. So apologies on my end.

You're welcome.

Hi guys! Please help me to identify what ransomware has encrypted my files
All files has names like this

tb73.8382_front.psd.[ID-BAE12624][recovery-data09@protonmail.com].mz4

The "tb73.8382_front.psd" is an original file name.
If i open the psd file as txt i see this header "LockedByX77C"
And i also have a txt file with the following instructions
 

 

>>> ALL YOUR IMPORTANT FILES ARE STOLEN AND ENCRYPTED <<<

 

Important:

- We have downloaded your files. Your data will be leaked within the next 72 hours.

- Contact us immediately to prevent data leakage and recover your files.

 

Your Decryption ID: BAE12624

 

Contact:

- Email-1: recovery-data09@protonmail.com

- Email-2: Emilygoodgirl09@gmail.com

- Telegram: @Data_recovery09

 

Do not message data recovery companies, they will scam you.

If you have a data recovery palace, send a message to the email or Telegram ID.

 

If you don't message us within 72 hours and don't agree with us, we will leak all your files and publish them on famous sites!!

 

Warning:

- Tampering with files or using third-party tools WILL cause permanent damage.

- Act fast! The price will increase if you delay.

 

Free Decryption:

- Send 3 small files (max 1MB) for free decryption.

Hi guys! Please help me to identify what ransomware has encrypted my files
All files has names like this

tb73.8382_front.psd.[ID-BAE12624][recovery-data09@protonmail.com].mz4

The "tb73.8382_front.psd" is an original file name.
If i open the psd file as txt i see this header "LockedByX77C"
And i also have a txt file with the following instructions

It's C77L ransomware

@PsuchO
 
I have split away (merged) your posting and related comments into the primary support topic for victims of this ransomware.

@PsuchO
 
I have split away (merged) your posting and related comments into the primary support topic for victims of this ransomware.

Yes, thanks

 

Hi guys! Please help me to identify what ransomware has encrypted my files
All files has names like this

tb73.8382_front.psd.[ID-BAE12624][recovery-data09@protonmail.com].mz4

The "tb73.8382_front.psd" is an original file name.
If i open the psd file as txt i see this header "LockedByX77C"
And i also have a txt file with the following instructions

It's C77L ransomware

 

Is that existing any solution? I need only recovery my PSD files

Edited by PsuchO, 23 July 2025 - 02:33 AM.

There is no known method that I am aware of to decrypt files. The encryption is secure and the criminal's master private key is needed for decryption. Without the master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (e.g. RSA, AES, Salsa20, ChaCha20, EDA2, ECDH, ECC, ECIES or combination of encryptions) that cannot be brute-forced.

Hello, i left my pc turned on deactivating bitlocker while i left with my family. When i returned like 6 hours later all icons were broken, thinking it was an error i restarted my pc and when several cmd windows appeared disconnected it from the internet. None of the files had their extensions changed, but all are encrypted.

I attach the #Restore-My-Files.txt file and several examples.

OS Windows 11 Pro

I have already tried with NO more ransom and id ransomware but didnt give me any result.

I just wanna know if those files can be decrypted and saved.

#Restore-My-Files.txt contents

Using ID Ransomware was always more preferable than NoMoreRansom since it could identify ransomware which added a prefix instead of an extension and more accurately identified ransomware by filemarkers if applicable. However, neither ID Ransomware or NoMoreRansom are as accurate as they were in past years so both are prone to false identifications.
 
What extension was appended to your encrypted files?
 
This looks to be a variant of C77L/X77C Ransomware which will have an .[<email>].[random 8 hex char] or .[ID-random 8 hex char][<email>].[random 3 char] extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) named #Recover-Files.txt, #Restore-My-Files.txt, READ-ME-Nullhexxx.txt as explained here by rivitna (Andrey Zhdanov). The [random 8 hex] character is the 32-bit serial number of volume C and crypto scheme is: AES-256 CBC - RSA-2048. These are examples.

.[nullhex@2mail.co].8AA60918
.[mrdarkness@onionmail.org].40D5BF0A 
.[ID-BAE12624][recovery-data09@protonmail.com].mz4

The name and contents of your ransom note are similar to what we have seen with other variants of this ransomware
 
C77L ransom notes are known to use a Decryption ID which is the same as the [random 8] (volume C serial number) included to the encrypted data file name.

\\\\ Your ID :  {8AA60918}
\\\\ Your ID :  {40D5BF0A}
Your Decryption ID: CE744A63
Your Decryption ID: BAE12624

Your ransom note includes a Decryption ID like those listed above.

 Your Decryption ID: 20BF7A67

There are no changed sufix, except for one file that had the mail and serial of the disc and the extension .eig . Sorry for my ignorance, as i'm not informed on this situations, is there a way to decrypt it?

Probably, this is, after all, C77L Ransomware

Edited by Amigo-A, 18 August 2025 - 10:16 AM.