lockbit

General

Target

bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b
Size

372KB
Sample

241228-cmp8datnes
MD5

6c5dcbdf374073249f3477d0fd439039
SHA1

ed2165fe0e5ed5c608230f6c125713d2a0934c28
SHA256

bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b
SHA512

d75b96e95f6972013c41c99cb54e892ee7f7ee54e996465d0ef2f2d21ba9941869b7b06c49bbdcf36814f19ef0105475aea99c3f49098a5f44bcb810bbf21c0f
SSDEEP

6144:MLKewcnJHLFaz1ZXmkjr7ZVyf9Mcfj0bGGCM:Dfwh6ZXmk/fcfo

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FFBA0EF8B29B8365F1 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFBA0EF8B29B8365F1 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFBA0EF8B29B8365F1

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFBA0EF8B29B8365F1

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note

Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8841DD9B0AC925FFBA0EF8B29B8365F1 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFBA0EF8B29B8365F1 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFBA0EF8B29B8365F1

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFBA0EF8B29B8365F1

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FFAD5DAE847638CEB3 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFAD5DAE847638CEB3 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFAD5DAE847638CEB3

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFAD5DAE847638CEB3

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note

Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8841DD9B0AC925FFAD5DAE847638CEB3 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFAD5DAE847638CEB3 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFAD5DAE847638CEB3

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFAD5DAE847638CEB3

Targets

- Target
  
  bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b
- Size
  
  372KB
- MD5
  
  6c5dcbdf374073249f3477d0fd439039
- SHA1
  
  ed2165fe0e5ed5c608230f6c125713d2a0934c28
- SHA256
  
  bb894171229d21637bc00c3360afcbf4aa4973e1ca61f424cc15a8f26a06956b
- SHA512
  
  d75b96e95f6972013c41c99cb54e892ee7f7ee54e996465d0ef2f2d21ba9941869b7b06c49bbdcf36814f19ef0105475aea99c3f49098a5f44bcb810bbf21c0f
- SSDEEP
  
  6144:MLKewcnJHLFaz1ZXmkjr7ZVyf9Mcfj0bGGCM:Dfwh6ZXmk/fcfo
Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (9341) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2