lockbit

General

Target

c6e5a9f39bfc6dc46c2eb7a786948e9d111ddbec5e157c8081f7c22b7d6b3c78.zip
Size

168KB
Sample

250110-pzxt7svjft
MD5

7cd7674bcc4460deea815b10127e8e14
SHA1

72c88131f1160190fb0311c3d5ce7b1300c860c5
SHA256

192a20e5740cf683ec11f991532c652085502809370987ce5cd37aab99034fa9
SHA512

a758c19abf5af4c048e6eb802e4d1cfe8de4f9d92c2f3d744a0ea5550489a4af65fec3c0d15af7a4ec39a79e13af1e8f22c32c367be5e6d55299381498271bc0
SSDEEP

3072:4zZfVx5N/yiQMbWOQpw3gjktELtbQEtZk/hn350KfiDXzcVpJpd8W4h4PvaEX:4zvN/nJbWbEmiLEEhp0KaDXzkJpdD4mr

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?ADDD79899D34FB7495CCDCC32510FE5C | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7495CCDCC32510FE5C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.com/?ADDD79899D34FB7495CCDCC32510FE5C

http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7495CCDCC32510FE5C

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note

Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link -http://lockbit-decryptor.com/?ADDD79899D34FB7495CCDCC32510FE5CFollow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it.Open link in Tor Browser -http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7495CCDCC32510FE5CThis link only works in Tor Browser!Follow the instructions on this pageLockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the siteDo not rename encrypted files.Do not try to decrypt using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our).Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.Tor Browser user manualhttps://tb-manual.torproject.org/about

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?ADDD79899D34FB74B0B8625ADEB884DC | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74B0B8625ADEB884DC This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.com/?ADDD79899D34FB74B0B8625ADEB884DC

http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74B0B8625ADEB884DC

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note

Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link -http://lockbit-decryptor.com/?ADDD79899D34FB74B0B8625ADEB884DCFollow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it.Open link in Tor Browser -http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74B0B8625ADEB884DCThis link only works in Tor Browser!Follow the instructions on this pageLockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the siteDo not rename encrypted files.Do not try to decrypt using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our).Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.Tor Browser user manualhttps://tb-manual.torproject.org/about

Targets

- Target
  
  c6e5a9f39bfc6dc46c2eb7a786948e9d111ddbec5e157c8081f7c22b7d6b3c78.exe
- Size
  
  247KB
- MD5
  
  81d9cac2627d252af11b3ced0f2928d8
- SHA1
  
  1d19670a5eb9ba2399bcb9a967fad24cd75b1f2a
- SHA256
  
  c6e5a9f39bfc6dc46c2eb7a786948e9d111ddbec5e157c8081f7c22b7d6b3c78
- SHA512
  
  6b210647985289a2f8bd4c240013617d9e68834a171bff39b4f03982df2253d2ab43bfd3770af9129f956756dd0ff491f067c6d7ab6f371622d3a2f51968a8de
- SSDEEP
  
  3072:J1rxNteUB+mcyAdSnsMObgqyoGGeV1EZyOdBDT0ynl0Xp8K7:J1rxN5B6mBugqafEpBDT0ylQp
Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (9324) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2