Pc infected with cyberfear@decryptor, SEXAXGLSY files

[marc1200 0]

Hello,

My pc was infected with cyberfear@decryptor. The extension is SEXAXGLSY.

Are there decryptor tools available to decrypt this ransomware?

 

[Marcos 5,306]

Please provide:
1, Logs collected with ESET Log Collector
2, A couple of encrypted files (ideally Office documents)
3, The ransomware note with payment instruction.

[marc1200 0]

Okay, can i send them to you via email?

[marc1200 0]

Here are the files, i just read that i can attach them here 

Files.zip

[Marcos 5,306]

Unfortunately ESET was not installed when logs were collected. Please install ESET, run a full disk scan and then collect fresh logs with ELC.

Also provide logs collected with the tool that I'll supply you with via a private message.

[itman 1,760]

Strong suspicion the ransomware is LockBit 3 (LockBit Black)/CriptomanGizmo;

Quote

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by LockBit 3 (LockBit Black)/CriptomanGizmo as noted here without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities.

https://www.bleepingcomputer.com/forums/t/790513/i-need-help-identifying-ransomware-lockbit-3-blackcriptomangizmo/ .

[marc1200 0]

22 hours ago, Marcos said:

Unfortunately ESET was not installed when logs were collected. Please install ESET, run a full disk scan and then collect fresh logs with ESET Log Collector.

Also provide logs collected with the tool that I'll supply you with via a private message.

I provided the files to you privately

[Marcos 5,306]

Files were encrypted by FIlecoder.BlackMatter (detection added in July 2022). Unfortunately decryption is not currently possible.

ESET was probably not installed at the time of encryption.

An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaces with ?):

C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000

TeamViewer was installed 2 days prior to the encryption.

UAC is disabled. Make sure to enable it.

Also we recommend enabling detection of potentially unsafe applications.

[marc1200 0]

Eset was unfortunately not installed 

The folders you mention are folders downloaded after the ransomware attack.

because i read itman suggestion to look at lockbit 3.0 decryptor.

Teamviewer was already installed.

User account control is most likely disabled by the infection

Security detection also. It looks like they ransomware disabled activation, user account control and security services.

They deleted the required files for the services.

I save the files encrypted files on another disk for possible future decryption and clean install windows.

[safety 8]

On 12/28/2023 at 8:26 PM, Marcos said:

Files were encrypted by FIlecoder.BlackMatter (detection added in July 2022). Unfortunately decryption is not currently possible.

ESET was probably not installed at the time of encryption.

An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaces with ?):

C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000

TeamViewer was installed 2 days prior to the encryption.

UAC is disabled. Make sure to enable it.

Also we recommend enabling detection of potentially unsafe applications.

If the builder was launched on the victim’s device, 
you need to look for these files on the disk, possibly among deleted files. 
As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder.

DECRYPTION_ID.txt
LB3.exe
LB3Decryptor.exe
LB3_pass.exe
LB3_ReflectiveDll_DllMain.dll
LB3_Rundll32.dll
LB3_Rundll32_pass.dll
Password_dll.txt
Password_exe.txt
priv.key
pub.key

here the LB3.exe file is enough for encryption, 
and LB3Decryptor.exe or priv.key for decryption

Edited January 16 by safety

[Nightowl 206]

5 hours ago, safety said:

If the builder was launched on the victim’s device, 
you need to look for these files on the disk, possibly among deleted files. 
As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder.

DECRYPTION_ID.txt
LB3.exe
LB3Decryptor.exe
LB3_pass.exe
LB3_ReflectiveDll_DllMain.dll
LB3_Rundll32.dll
LB3_Rundll32_pass.dll
Password_dll.txt
Password_exe.txt
priv.key
pub.key

here the LB3.exe file is enough for encryption, 
and LB3Decryptor.exe or priv.key for decryption

But I doubt any kind of decryptor would be on the hard disk , unless the attackers made a mistake

[safety 8]

5 hours ago, Nightowl said:

But I doubt any kind of decryptor would be on the hard disk , unless the attackers made a mistake

1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk.

Some of the attackers do not change the private key for a long time (decrutor), and after redeeming the key there is a chance to help other victims.

>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9

 

 

Edited January 16 by safety

[Nightowl 206]

1 hour ago, safety said:

1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk.

I understand , I didn't know that , thanks bro