LockBit ransomware removal and files decryptor

By Will Wisser. Posted on March 9, 2020.

LockBit, an emerging threat in the ransomware arena, uses the .lockbit extension to mark encrypted files and drops a ransom note named Restore-My-Files.txt.

Contents:
What is LockBit ransomware?
LockBit ransomware automated removal and data recovery
LockBit ransomware manual removal and file recovery
Ransomware prevention tips

What is LockBit ransomware?

Early reports of the LockBit file-encrypting strain tampering with Windows users’ files date back to mid-October 2019. Back then, the infection appended the rudimentary .abcd extension to encrypted files, and it was already evident that the cybercriminal gang behind it had a solid background and strong skills in this niche. In late January 2020, the operators switched to the .lockbit extension, while the ransom note name Restore-My-Files.txt remained unchanged. This appears to be a firmly established variant that is rapidly proliferating worldwide at the time of publication. The size of the ransom depends on the number of affected computers or servers and the volume of data that was encrypted. It typically ranges from 0.5 to 3 bitcoins ($4,500-$27,000).

According to security analysts’ findings, LockBit is being promoted on the Dark Web as a Ransomware-as-a-Service (RaaS). This means that crooks can “get a ride” by joining the RaaS, which offers them a turnkey payload with a fair degree of customizability. Every ransom paid by a victim is split between the affiliate and the ransomware author.

Aside from the classic warning that the data has been encrypted, the Restore-My-Files.txt ransom note that LockBit creates on the compromised machine’s desktop and inside encrypted folders provides steps to recover the files.
To get started, the victim is supposed to download Tor Browser, open their personal, uniquely generated .onion link in it, and use the payment page to contact the attackers. A chat feature built into the page lets the infected user negotiate recovery terms with the LockBit operators. To reassure the victim that decryption works, the Tor page also includes a “Trial decrypt” module that allows them to upload a single encrypted .lockbit file from the computer. There is a restriction on file size: it must be no larger than 256 KB. The perpetrators claim they will send back the decrypted copy of this file. Even if they do, however, trusting that they will follow through on their promise to restore the rest of the data after payment is risky business.

In contrast to the growing trend of ransomware targeting enterprises, the healthcare industry, and local municipalities, LockBit mostly targets individual users. This focus shapes the distribution mechanisms being employed. The primary attack vector is malicious spam. The operators use botnets to send ransomware-laden emails in bulk, hoping that some recipients will get curious and open the attached file. The attachment tends to be a Microsoft Word document that allegedly contains important information such as invoice details, shipment instructions, a job offer, or something similarly attention-grabbing. The trick is that the file carries malicious macros that launch the infection chain as soon as they are enabled. When first opened, the attachment appears to render incorrectly, and the user is instructed to allow macros by clicking a prompt at the top of the document. Instead of being able to read the contents, the unsuspecting person ends up authorizing a silent infection.

As extra leverage, newer editions of the LockBit ransom note include a warning about a purported instance of data theft.
This is in line with a recent trend in ransomware extortion, where the attackers claim to have exfiltrated some files and threaten to leak them publicly unless the victim pays the ransom. In the case of LockBit, this element of pressure stems from the following phrase added to the Restore-My-Files.txt document: “We also download huge amount of your private data, including finance information, clients’ personal info, network diagrams, passwords and so on. Don’t forget about GDPR”. This new characteristic might be paving this strain’s way towards network attacks: note the reference to customer-related data, something that businesses in particular should worry about. European organizations also take General Data Protection Regulation (GDPR) compliance seriously, as non-compliance carries the risk of large fines. Although there have been no incident reports of LockBit compromising corporate networks so far, this may change at any time.

All in all, this ransomware is a rapidly evolving cyber threat to end users and potentially to businesses. If it has hit a computer and encrypted its data, follow the steps below to remove the dangerous program and try to recover the hostage files.
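The file-system artefacts described above (the .abcd and .lockbit extensions, the Restore-My-Files.txt note dropped next to encrypted files) and the macro-laden Word attachments used for delivery can be checked for with a small triage script. The following is an added example written for this write-up, not code from the original post or from any security product; the function names (scan_tree, has_vba_project, verdict, build_sample) are hypothetical, and the sample directory it builds is constructed with placeholder files, not real malware.

```python
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Indicators from the write-up: the .abcd (Oct 2019) and .lockbit (Jan 2020)
# extensions LockBit appended to encrypted files, and the ransom note name.
ENCRYPTED_EXTS = {".abcd", ".lockbit"}
RANSOM_NOTE = "restore-my-files.txt"

def has_vba_project(path):
    """True if a zip-based (OOXML) Office file embeds a VBA macro project."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE2 .doc or a non-zip file: not inspected here

def scan_tree(root):
    """Walk `root` and tally encrypted files, ransom notes and macro documents."""
    found = {"encrypted": Counter(), "note_dirs": [], "macro_docs": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in ENCRYPTED_EXTS:
            found["encrypted"][ext] += 1
        elif path.name.lower() == RANSOM_NOTE:
            found["note_dirs"].append(str(path.parent))
        elif ext in {".docx", ".docm", ".dotm"} and has_vba_project(path):
            found["macro_docs"].append(str(path))
    return found

def verdict(found):
    """Renamed files beside a note is the post-encryption picture; a macro document alone is delivery."""
    if found["note_dirs"] and sum(found["encrypted"].values()):
        return "likely LockBit encryption activity"
    if found["macro_docs"]:
        return "macro-bearing Office document present; inspect before enabling macros"
    return "no LockBit indicators found"

def build_sample():
    """Constructed sample tree (no real malware) that mimics the artefacts above."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.xlsx.lockbit").write_bytes(b"\x00" * 16)
    (root / "docs" / "photo.jpg.lockbit").write_bytes(b"\x00" * 16)
    (root / "docs" / "Restore-My-Files.txt").write_text("note placeholder")
    (root / "Restore-My-Files.txt").write_text("note placeholder")
    with zipfile.ZipFile(root / "invoice.docm", "w") as zf:  # empty VBA stub
        zf.writestr("word/vbaProject.bin", b"")
    return str(root)
```

Run `verdict(scan_tree(build_sample()))` to see the triage result on the constructed tree; point scan_tree at a real share or mailbox export to use it for actual triage.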