Lockbit勒索病毒家族详情
本帖最后由 Potato 于 2022-8-9 11:42 编辑相关阅读:
Lockbit2.0勒索病毒样本分析
LockBit3.0勒索病毒样本分析
勒索病毒家族名称:LockBit勒索病毒家族
是否支持解密:否
详情:
被加密文件:
被加密文件后缀格式: 后缀被修改为.lockbit
勒索提示信息:
文件名:Restore-My-Files.txt
文件内容 :
-------------------------------------------------------------------------------
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?D0407AC9D97C78CB877AF2CD7347934A
This link only works in Tor Browser!
| 3. Follow the instructions on this page
###Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our)
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org
# Tor Browser user manual https://tb-manual.torproject.org/about
-------------------------------------------------------------------------------
防护建议:
1.多台机器,不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性,并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份
4.定期检测系统和软件中的安全漏洞,及时打上补丁。
5.定期到服务器检查是否存在异常。查看范围包括:
a)是否有新增账户
b) Guest是否被启用
c) Windows系统日志是否存在异常
d)杀毒软件是否存在异常拦截情况
6.安装安全防护软件,并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件,如果已经被杀毒软件拦截查杀,不要添加信任继续运行。
~~~ computer has been compromised ~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
my contact information:
Telegram: https://t.me/AMPLEADIN
MAIL: TAXASFSHWKASJFBUWBSJA@protonmail.com
You need to pay 1000000 usdt
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
Life is too short to be sad. Be not sad, money, it is only paper.
If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> The ransom you need to pay
You need to pay 1000000 usdt
>>>> I hope you will contact as soon as possible
>>>> He will be deleted the next day
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
>>>> comminicate
Please contact me as soon as possible:
https://t.me/AMPLEADIN
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
############## YOUR FILES WERE ENCRYPTED##############
--
YOUR FILES ARE SAFE! ONLY MODIFIED :: AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
We guarantee that you can recover all your files safely and easily. All you.
need to do is submit the payment and purchase the decryption software.
--
OUR EMAIL ADDRESS
Q6uBdWWuu4@proton.me
quvn5llxkk@mailfence.com
JnSeYvZw34@onionmail.org
Hw2k0SZdxa@msgsafe.io
And send us your id: FDAB251EED112FD1B3B3B3B4B4B4B4B4
--
HOW to understand that we are NOT scammers?
Before paying you can send us up to 2 files for free decryption.
The total size of files must be less than 5MB(non archived).
Files should not contain valuable information. (databases, backups, large excel sheets, etc.)
--
Please contact us within 3 days to purchase the decryption software, otherwise the price of the decryption software will be doubled.
########################################################
Your ID: D15622D73ACBA26F8D0EF1EF93002A4C
Your files has been encrypted!
>>> What's happened?
ALL YOUR FILES ARE STOLEN AND ENCRYPTED.
To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us.
>>> What guarantees?
Before paying you can send us up to 2 files for free decryption.
The total size of files must be less than 2MB(non archived).
files should not contain valuable information. (databases, backups, large excel sheets, etc.)
>>> CONTACT US:
Please write an email to all: Hw2k0SZdxa@msgsafe.io & JnSeYvZw34@onionmail.org & pGU2NJ4TQk@mail2tor.com
Write your ID in the title of your message
>>> ATTENTION!
Do not rename or modify encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
We use strong encryption, nobody can restore your files except us.
The price depends on how fast you contact with us.
remember to hurry up, within 24 hours the private key is worth $2000 USD in bitcoins (BTC), after 24 hours send an email inquiry.
All your stolen data will be loaded into cybercriminal forums/blogs if you do not pay ransom.
If you do not pay the ransom we will attack your company repeatedly again.
你的文件已经被加密了!
>> 发生了什么事?
你的所有文件都被盗并被加密。
为了恢复你的数据,不允许数据泄漏,只有通过向我们购买私人密钥才能实现。
>> 什么保证?
在付款之前,你可以向我们发送最多2个文件,以便免费解密。
文件的总大小必须小于2MB(非归档)。
文件不应包含有价值的信息。(数据库、备份、大的EXCEL表等)
>> 联系我们:
请写一封邮件给所有:Hw2k0SZdxa@msgsafe.io & JnSeYvZw34@onionmail.org & pGU2NJ4TQk@mail2tor.com
在信息的标题中写上你的ID
>> 注意!
不要重命名或修改加密的文件。
不要尝试使用第三方软件解密,这可能会导致永久性数据丢失。
在第三方的帮助下解密您的文件可能会导致价格上涨(他们在我们的基础上增加他们的费用)。
我们使用强大的加密技术,除了我们,没有人可以恢复你的文件。
价格取决于你与我们联系的速度。
记得抓紧时间,在24小时内,私人密钥价值2000美元的比特币(BTC),24小时后发送电子邮件查询。
如果你不支付赎金,你所有被盗的数据将被加载到网络犯罪的论坛/博客。
如果你不支付赎金,我们将再次反复攻击你的公司。
Hello Leedarson!
Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. We are not associated with LockBit although we use their reliable locker.
All you need to do is contact us and pay.
Our communication process:
1. You contact us via email or Tox.
2. We send you a list of files that were stolen
3. We decrypt 3 files to confirm that our decryptor works.
4. We agree on the amount, which must be paid using BTC.
5. We delete your files, we give you a decryptor.
6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
Recommendations:
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
Contacts:
Email: unrasolo1970@proton.me
Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
* If you want to contact us via Tox you need to download it from this link: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
YOUR ID: E309B6BED9024A514442A832128CF4A7
If you refuse to pay or do not get in touch with us, we start publishing your files.
After 7 days the email will no longer be available, and the opportunity to receive the decryptor will also no longer be available.
YOUR FILES ARE ENCRYPTED!!!
For data recovery contact us you will need to pay us:
gameovercreation@cock.li
caypishijistor29@gmx.com
1. In the first letter, indicate your personal ID!
2. In response, we will send you instructions.
>>>> Your personal DECRYPTION ID: 8FAB6E0C0F8970F7E02F65A6975F787A
Hello Leedarson!
Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. We are not associated with LockBit although we use their reliable locker.
All you need to do is contact us and pay.
Our communication process:
1. You contact us via email or Tox.
2. We send you a list of files that were stolen
3. We decrypt 3 files to confirm that our decryptor works.
4. We agree on the amount, which must be paid using BTC.
5. We delete your files, we give you a decryptor.
6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
Recommendations:
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
Contacts:
Email: unrasolo1970@proton.me
Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
* If you want to contact us via Tox you need to download it from this link: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
YOUR ID: E309B6BED9024A5144944A84B40B7B10
If you refuse to pay or do not get in touch with us, we start publishing your files.
After 7 days the email will no longer be available, and the opportunity to receive the decryptor will also no longer be available.
YOUR NETWORK IS ENCRYPTED NOW
USE VEGtpN4krwJgWeeJ@proton.me | QSKhVaBPFv@onionmail.org TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
!! ALL YOUR FILES HAS BEEN ENCRYPTED !!!
You can't restore them without our encryptor.
Don't try to use any public tools, you could damage the encrypted files and lose them forever.
To make sure our encryptor works, contact us and encrypt one file for free.
Download TOX messenger: https://tox.chat/
Add friend in TOX, ID: BA7B15B33163FAA2C87040438AF6D232FC6EA3740033F2AE3EB2181C1454BD4AAE983BAF03FE
安全第一,就用360! 我的服务器中毒了,已经上传样本,有没有解决方法啊,我有源文件和加密后的文件 有解决方案吗? 中这个招的人这么少吗?我可真惨,唉。一晚上挂着360杀毒,在不断的查杀过程中也能中毒?
半夜硬盘狂响,以为等下就查毒查完了,谁知后面完蛋。桌面显示“mouse lokc",鼠标被锁定了,屏幕也乱七八杂了。文件全被加密了。 家族:Lockbit
被加密文件后缀:
黑客邮箱:Restore-My-Files.txt 家族:Lockbit
被加密文件后缀:
黑客邮箱:lockbitks2tvnmwk.onion 有源文件和被加密后的文件,能找出加密算法吗? 请技术人员查看未加密文件和加密后文件,看能不能找出解密方法,谢谢 .lb3czi这个加密后缀的病毒有点傻,电脑重启就不能启动了,原因是把启动文件也给加密(你说傻猪不傻猪),但技术是有的,火绒的启动程序还能被他给加密(服服服。。。),360和某管家就在那里看着,看到电脑死机他也不管。 啥时能出解密工具啊 你好,亲,我这里今天发现中了这个病毒,而且是公司的服务器,我改怎么解决呢,亲
你有办法么??
真的很着急 亲,你好,大师,你能帮我么,我的公司服务起中了这个病毒,里面一些有用的文件都打不开了,而是服务器上的 lockbit支付页面
你好,大师,我的个人电脑中了这个病毒,里面一些有用的文件都打不开了,现在有什么处理办法吗? 我个人也中了LOCKBIT,电脑一直在办公室放着的,没关机。双12晚上三点多下班回家 ,白天8:30到公司发现开机密码被改,自行破解密码后发现所有文件都被改成LOCKBIT,想尽一切办法进入他们提供的网站联系,说要4000刀。求能快点出来破解软件! 如果支付的网址打不开了,想恢复数扰也找不到“人”了。相当于限期3个月不交钱就撕票并且公开泄露你的数据。
一般情况下付款估计是有用的,找第三方估计只会加钱,他也联系不上黑客本人的。否则早就抓完了 以后建议大家弄个网盘自动备份+硬盘备份,光盘备份,三者齐下,不能偷懒 一年了,还解密不了,这位也真是挺厉害的
今天我也中招了,有解决办法了吗? 这个还没有解密出来么? ~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
Tor Browser Links:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
Links for normal browser:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
>>>>> What guarantee is there that we won't cheat you?
We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live
>>>>> You need to contact us and decrypt one file for free on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from you. If you need a unique ID for correspondence with us that no one will know about, tell it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.
Tor Browser Links for chat:
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Your personal ID: CD95FDEBA4FE69C2B3FDB61F4059C990 <<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!
>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
They won't help and will only make things worse for you. In 3 years not a single member of our group has been caught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt your files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and are not going to lose our revenue because of your files. It is very beneficial for the police and FBI to let everyone on the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR and other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee donuts and get fatter and fatter. The police and the FBI don't care what losses you suffer as a result of our attack, and we will help you get rid of all your problems for a modest sum of money. Along with this you should know that it is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can be done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk, so the police will not do anything to you if someone pays the ransom for you. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.
>>>>> What are the dangers of leaking your company's data.
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed.
Read more about the GDRP legislation::
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
>>>>> Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you.
We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
>>>> Very important! For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction.
>>>>> If you do not pay the ransom, we will attack your company again in the future. 有人解密成功的吗,付钱的,解密情况如何? 今天中了,服务器都加密了,自己电脑上的文件全打不开了都lockbit2.0。求问啥时候能解密,文件还比较重要都。
页:
[1]
2