marc1200 Posted December 27, 2023

Hello, my PC was infected with cyberfear@decryptor. The extension is SEXAXGLSY. Are there decryptor tools available to decrypt this ransomware?
Marcos (Administrator) Posted December 27, 2023

Please provide:
1. Logs collected with ESET Log Collector
2. A couple of encrypted files (ideally Office documents)
3. The ransomware note with payment instructions
marc1200 (Author) Posted December 27, 2023

Okay, can I send them to you via email?
marc1200 (Author) Posted December 27, 2023

Here are the files, I just read that I can attach them here. Attachment: Files.zip
Marcos (Administrator) Posted December 27, 2023

Unfortunately ESET was not installed when the logs were collected. Please install ESET, run a full disk scan and then collect fresh logs with ELC. Also provide logs collected with the tool that I'll supply you with via a private message.
itman Posted December 27, 2023

Strong suspicion the ransomware is LockBit 3 (LockBit Black)/CriptomanGizmo:

Quote: "Unfortunately, there is no known method that I am aware of to decrypt files encrypted by LockBit 3 (LockBit Black)/CriptomanGizmo as noted here without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities."
https://www.bleepingcomputer.com/forums/t/790513/i-need-help-identifying-ransomware-lockbit-3-blackcriptomangizmo/
marc1200 (Author) Posted December 28, 2023

22 hours ago, Marcos said:
"Unfortunately ESET was not installed when logs were collected. Please install ESET, run a full disk scan and then collect fresh logs with ESET Log Collector. Also provide logs collected with the tool that I'll supply you with via a private message."

I provided the files to you privately.
Marcos (Administrator, marked as Solution) Posted December 28, 2023

Files were encrypted by Filecoder.BlackMatter (detection added in July 2022). Unfortunately decryption is not currently possible. ESET was probably not installed at the time of encryption. An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaced with ?):
C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000
TeamViewer was installed 2 days prior to the encryption. UAC is disabled. Make sure to enable it. Also we recommend enabling detection of potentially unsafe applications.
marc1200 (Author) Posted December 28, 2023

ESET was unfortunately not installed. The folders you mention are folders downloaded after the ransomware attack, because I read itman's suggestion to look at a LockBit 3.0 decryptor. TeamViewer was already installed. User Account Control is most likely disabled by the infection; security detection also. It looks like the ransomware disabled activation, User Account Control and security services. They deleted the required files for the services. I save the encrypted files on another disk for possible future decryption and clean-install Windows.
safety Posted January 16 (edited)

On 12/28/2023 at 8:26 PM, Marcos said:
"An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaced with ?):
C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000"

If the builder was launched on the victim's device, you need to look for these files on the disk, possibly among deleted files. As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder:
DECRYPTION_ID.txt
LB3.exe
LB3Decryptor.exe
LB3_pass.exe
LB3_ReflectiveDll_DllMain.dll
LB3_Rundll32.dll
LB3_Rundll32_pass.dll
Password_dll.txt
Password_exe.txt
priv.key
pub.key
Here the LB3.exe file is enough for encryption, and LB3Decryptor.exe or priv.key for decryption.
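An added example of the search safety describes, written for this page and not code from the thread or from ESET: it walks a directory tree, picks out files whose names match the builder's Build-folder output listed above, hashes them, and reports whether only the encryptor was left behind or also decryption material (LB3Decryptor.exe or priv.key). The root path and the sample tree it builds are constructed for the demo; a real run would point at a mounted image of the victim disk or at the output folder of a file-carving tool, since deleted files are not visible to a plain directory walk.

```python
"""Locate LockBit 3 builder output files left on a disk (added example, not from the thread)."""
import hashlib
import os
import tempfile

# File names the leaked builder writes into its *\Build folder, as listed in the post.
BUILDER_ARTIFACTS = {
    "DECRYPTION_ID.txt", "LB3.exe", "LB3Decryptor.exe", "LB3_pass.exe",
    "LB3_ReflectiveDll_DllMain.dll", "LB3_Rundll32.dll", "LB3_Rundll32_pass.dll",
    "Password_dll.txt", "Password_exe.txt", "priv.key", "pub.key",
}
# The two artifacts that would allow decryption, per the post.
DECRYPTION_MATERIAL = {"LB3Decryptor.exe", "priv.key"}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large builder binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_builder_artifacts(root: str) -> dict:
    """Return {relative_path: {"artifact": canonical_name, "sha256": hex}} for matches.

    Matching is case-insensitive because NTFS preserves but ignores case, so a
    carved or renamed copy may not keep the builder's original capitalisation.
    """
    by_lower = {name.lower(): name for name in BUILDER_ARTIFACTS}
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            canon = by_lower.get(name.lower())
            if canon is None:
                continue
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = {"artifact": canon, "sha256": sha256_file(full)}
    return found


def summarize(found: dict) -> dict:
    """Reduce the hit list to what an analyst asks first: where, and can we decrypt?"""
    artifacts = {info["artifact"] for info in found.values()}
    return {
        "builder_dirs": sorted({os.path.dirname(p) for p in found}),
        "has_encryptor": "LB3.exe" in artifacts,
        "decryption_material": sorted(artifacts & DECRYPTION_MATERIAL),
    }


def make_sample_tree() -> str:
    """Constructed demo tree (not real malware): a Build folder plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="lb3demo_")
    build = os.path.join(root, "Downloads", "LockBit-Black-Builder-main", "Build")
    os.makedirs(build)
    demo_files = {
        "LB3.exe": b"MZ constructed placeholder, not an executable",
        "priv.key": b"constructed placeholder key material",
        "DECRYPTION_ID.txt": b"0D4726C60545E66F7A63330CE76CDAF9",
    }
    for name, body in demo_files.items():
        with open(os.path.join(build, name), "wb") as f:
            f.write(body)
    with open(os.path.join(root, "Downloads", "notes.txt"), "w") as f:
        f.write("unrelated file, must not match")
    return root


if __name__ == "__main__":
    root = make_sample_tree()  # replace with the mount point of the victim disk image
    hits = find_builder_artifacts(root)
    for rel, info in sorted(hits.items()):
        print(f"{info['sha256'][:16]}  {info['artifact']:<32} {rel}")
    print(summarize(hits))
```

If the summary reports an encryptor but no decryption material, the next step is a file-carving pass over unallocated space for the same names before concluding that the attacker cleaned up.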
Nightowl (Most Valued Member) Posted January 16

5 hours ago, safety said:
"If the builder was launched on the victim's device, you need to look for these files on the disk, possibly among deleted files."

But I doubt any kind of decryptor would be on the hard disk, unless the attackers made a mistake.
safety Posted January 16 (edited)

5 hours ago, Nightowl said:
"But I doubt any kind of decryptor would be on the hard disk, unless the attackers made a mistake."

1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk. Some of the attackers do not change the private key for a long time (decryptor), and after redeeming the key there is a chance to help other victims.
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
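An added example (written for this page, not from the thread) of how one would act on safety's observation: pull the DECRYPTION ID out of a batch of ransom notes and group them by the part that stays constant, so victims that may share one attacker key can be matched against a key that later becomes available. The four IDs with the prefix 0D4726C60545E66F are the ones posted above; the fifth note and the whole sample text are constructed. Treating the leading 16 hex characters as the per-key marker is an assumption read off that listing, not something the page states, and the prefix length is a parameter for that reason.

```python
"""Group LockBit 3 ransom-note DECRYPTION IDs by a shared prefix (added example)."""
import re
from collections import defaultdict

# Ransom notes carry the ID in this form; IDs on the page are 32 hex characters.
ID_RE = re.compile(r"Your personal DECRYPTION ID:\s*([0-9A-Fa-f]{32})")

# Assumption: the first 16 hex characters are the part that does not change
# while the attacker keeps using the same key. Adjust if notes show otherwise.
PREFIX_LEN = 16

# Constructed sample input: the four IDs from the thread plus one made-up contrast line.
SAMPLE_NOTES = """\
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 1111111111111111AAAAAAAAAAAAAAAA
"""


def extract_ids(text: str) -> list:
    """Return every DECRYPTION ID found in the text, upper-cased, duplicates kept."""
    return [m.upper() for m in ID_RE.findall(text)]


def group_by_prefix(ids, prefix_len: int = PREFIX_LEN) -> dict:
    """Map prefix -> sorted list of distinct IDs sharing it."""
    groups = defaultdict(set)
    for victim_id in ids:
        groups[victim_id[:prefix_len]].add(victim_id)
    return {prefix: sorted(members) for prefix, members in groups.items()}


def shared_prefixes(groups: dict) -> list:
    """Prefixes seen with more than one distinct ID: candidate victims of the same key."""
    return sorted(prefix for prefix, members in groups.items() if len(members) > 1)


if __name__ == "__main__":
    groups = group_by_prefix(extract_ids(SAMPLE_NOTES))
    for prefix in shared_prefixes(groups):
        print(f"{prefix}: {len(groups[prefix])} distinct victims")
        for victim_id in groups[prefix]:
            print("   ", victim_id)
```

Feeding it the notes collected from several incidents gives a quick list of which cases to re-check when a decryptor or priv.key for one of those prefixes is recovered.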
Nightowl (Most Valued Member) Posted January 16

1 hour ago, safety said:
"1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk."

I understand, I didn't know that, thanks bro.