PC infected with cyberfear@decryptor, SEXAXGLSY files


Posted by marc1200. Solved by Marcos.
Marcos (Administrators):

Unfortunately ESET was not installed when logs were collected. Please install ESET, run a full disk scan and then collect fresh logs with ELC (ESET Log Collector).

Also provide logs collected with the tool that I'll supply you with via a private message.


Strong suspicion the ransomware is LockBit 3 (LockBit Black)/CriptomanGizmo:

Quote:

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by LockBit 3 (LockBit Black)/CriptomanGizmo as noted here without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities.

https://www.bleepingcomputer.com/forums/t/790513/i-need-help-identifying-ransomware-lockbit-3-blackcriptomangizmo/


22 hours ago, Marcos said:

Unfortunately ESET was not installed when logs were collected. Please install ESET, run a full disk scan and then collect fresh logs with ESET Log Collector.

Also provide logs collected with the tool that I'll supply you with via a private message.

I provided the files to you privately.


Marcos (Administrators), marked as solution:

Files were encrypted by Filecoder.BlackMatter (detection added in July 2022). Unfortunately decryption is not currently possible.

ESET was probably not installed at the time of encryption.

An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaced with ?):

C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000

TeamViewer was installed 2 days prior to the encryption.

UAC is disabled. Make sure to enable it.

Also we recommend enabling detection of potentially unsafe applications.


ESET was unfortunately not installed.

The folders you mention are folders downloaded after the ransomware attack, because I read itman's suggestion to look at the LockBit 3.0 decryptor.

TeamViewer was already installed.

User Account Control is most likely disabled by the infection.

Security detection also. It looks like the ransomware disabled activation, User Account Control and security services.

They deleted the files required for the services.

I saved the encrypted files on another disk for possible future decryption and will clean install Windows.


  • 3 weeks later...
On 12/28/2023 at 8:26 PM, Marcos said:

Files were encrypted by Filecoder.BlackMatter (detection added in July 2022). Unfortunately decryption is not currently possible.

ESET was probably not installed at the time of encryption.

An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaced with ?):

C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000

TeamViewer was installed 2 days prior to the encryption.

UAC is disabled. Make sure to enable it.

Also we recommend enabling detection of potentially unsafe applications.

If the builder was launched on the victim's device, you need to look for these files on the disk, possibly among deleted files. As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder:

DECRYPTION_ID.txt
LB3.exe
LB3Decryptor.exe
LB3_pass.exe
LB3_ReflectiveDll_DllMain.dll
LB3_Rundll32.dll
LB3_Rundll32_pass.dll
Password_dll.txt
Password_exe.txt
priv.key
pub.key

Here the LB3.exe file is enough for encryption, and LB3Decryptor.exe or priv.key for decryption.

Edited by safety
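An added example, not code from the thread, from ESET or from the builder: a small Python triage helper a responder can point at a mounted volume or an extracted disk image to report any of the builder output files listed above, flagging directories that hold LB3Decryptor.exe or priv.key, since those are the two items the post says decryption needs. It only sees files that still exist on the filesystem; the deleted files the post mentions would need file carving or MFT recovery first. The directory tree it scans is constructed inline as a placeholder so the script runs offline; the names BUILDER_ARTIFACTS, RECOVERY_ARTIFACTS, find_builder_artifacts and summarize are this example's own.

```python
"""Triage helper: look for leftover builder output on a volume or disk image.
Added example for the thread above; not the project's or ESET's code."""
import os
import tempfile
from pathlib import Path

# File names the thread lists as the builder's output in the *\Build folder.
BUILDER_ARTIFACTS = {
    "DECRYPTION_ID.txt", "LB3.exe", "LB3Decryptor.exe", "LB3_pass.exe",
    "LB3_ReflectiveDll_DllMain.dll", "LB3_Rundll32.dll", "LB3_Rundll32_pass.dll",
    "Password_dll.txt", "Password_exe.txt", "priv.key", "pub.key",
}

# The two items the post says are enough for decryption.
RECOVERY_ARTIFACTS = {"LB3Decryptor.exe", "priv.key"}


def find_builder_artifacts(root):
    """Walk `root` and return {relative_path: canonical_name} for every file
    whose name matches a known builder artifact. Matching is case-insensitive
    because NTFS is, and an attacker may have renamed nothing but the case."""
    wanted = {name.lower(): name for name in BUILDER_ARTIFACTS}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            canonical = wanted.get(fname.lower())
            if canonical:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits[rel] = canonical
    return hits


def summarize(hits):
    """Group hits by directory and flag directories that contain something
    usable for recovery (decryptor binary or private key)."""
    by_dir = {}
    for rel, name in hits.items():
        by_dir.setdefault(os.path.dirname(rel), set()).add(name)
    return {
        d: {"count": len(names),
            "recovery_possible": bool(names & RECOVERY_ARTIFACTS)}
        for d, names in by_dir.items()
    }


def build_sample_tree():
    """Constructed sample (placeholder content, not real builder output):
    a mock Build folder with a few artifacts, one in different case, plus
    unrelated files that must not be reported."""
    root = tempfile.mkdtemp(prefix="lb3_triage_")
    build = Path(root) / "Downloads" / "LockBit-Black-Builder-main" / "Build"
    build.mkdir(parents=True)
    for name in ("DECRYPTION_ID.txt", "lb3.exe", "priv.key", "pub.key", "README.md"):
        (build / name).write_bytes(b"constructed placeholder")
    (Path(root) / "unrelated.txt").write_bytes(b"constructed placeholder")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, info in summarize(find_builder_artifacts(sample_root)).items():
        flag = "RECOVERY ARTIFACTS PRESENT" if info["recovery_possible"] else ""
        print(f"{directory}: {info['count']} builder file(s) {flag}")
```

Run it against a mounted image by replacing the constructed root with the mount point; any directory flagged as recovery_possible is worth preserving as evidence before anything is wiped.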

Nightowl (Most Valued Members):

5 hours ago, safety said:
If the builder was launched on the victim's device, you need to look for these files on the disk, possibly among deleted files. As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder:

DECRYPTION_ID.txt
LB3.exe
LB3Decryptor.exe
LB3_pass.exe
LB3_ReflectiveDll_DllMain.dll
LB3_Rundll32.dll
LB3_Rundll32_pass.dll
Password_dll.txt
Password_exe.txt
priv.key
pub.key

Here the LB3.exe file is enough for encryption, and LB3Decryptor.exe or priv.key for decryption.

But I doubt any kind of decryptor would be on the hard disk, unless the attackers made a mistake.


5 hours ago, Nightowl said:

But I doubt any kind of decryptor would be on the hard disk , unless the attackers made a mistake

1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk.

[Image: LB3existHere.jpg]

Some of the attackers do not change the private key for a long time (decryptor), and after redeeming the key there is a chance to help other victims.

>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9

Edited by safety
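An added example, not from the thread: a Python helper that pulls DECRYPTION IDs out of ransom-note text and groups them by a shared prefix, which is the comparison safety's post above invites with the four quoted IDs. Treating the first 16 hex characters as the grouping key is this example's own assumption, drawn from the pattern in those IDs and not from any documented property of the ID format; the note text below is constructed from the thread's four IDs plus one made-up ID with a different prefix, and the names ID_RE, extract_ids, group_by_prefix and likely_shared_key_groups are this example's.

```python
"""Group ransom-note DECRYPTION IDs by shared prefix.
Added example for the thread above; not the project's or ESET's code."""
import re
from collections import defaultdict

# Matches the ">>>> Your personal DECRYPTION ID: <32 hex>" line format
# quoted in the thread.
ID_RE = re.compile(r"DECRYPTION ID:\s*([0-9A-Fa-f]{32})")


def extract_ids(note_text):
    """Return every 32-hex-digit DECRYPTION ID in the text, upper-cased, in
    order of appearance. Duplicates are kept so repeated notes are visible."""
    return [m.group(1).upper() for m in ID_RE.finditer(note_text)]


def group_by_prefix(ids, prefix_len=16):
    """Group the distinct IDs by their first `prefix_len` hex characters.
    ASSUMPTION: a shared prefix is treated only as a hint that the same key
    set was reused, inferred from the thread's sample, not from a spec."""
    groups = defaultdict(set)
    for victim_id in ids:
        groups[victim_id[:prefix_len]].add(victim_id)
    return {prefix: sorted(members) for prefix, members in groups.items()}


def likely_shared_key_groups(ids, prefix_len=16, min_victims=2):
    """Prefixes seen across at least `min_victims` distinct IDs: the groups
    worth re-checking if a decryptor or key for one member ever surfaces."""
    return {prefix: members
            for prefix, members in group_by_prefix(ids, prefix_len).items()
            if len(members) >= min_victims}


# Constructed sample: the four lines quoted in the thread plus one made-up
# ID with a different prefix so it lands in its own group.
SAMPLE_NOTES = """
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 1111111111111111AAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    found = extract_ids(SAMPLE_NOTES)
    print(f"{len(found)} IDs found, {len(set(found))} distinct")
    for prefix, members in likely_shared_key_groups(found).items():
        print(f"prefix {prefix}: {len(members)} distinct IDs share it")
```

Feed it the collected ransom notes from several incidents; a prefix that recurs across cases is the one to re-test the moment a decryptor or private key for any member of that group becomes available.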

  • Most Valued Members
1 hour ago, safety said:

1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk.

I understand, I didn't know that, thanks bro.
