LockBit ransomware warns to pay the ransom or it publishes files onlineRansomware SummaryRansomware operation in detailLockbit launches a website to leak victims’ dataRansomware distribution explained: how to protect yourself or your company?LockBit ransomware developers push new versionsThe initial versionFebruary 2020 version uses .lockbit extensionNew versions can self-replicateLockBit 2.0 version (July 2021)Remove LockBit ransomware safely and restore your files
The Restore-My-Files.txt ransom note tells the victim that all of his/hers important files are encrypted. According to the note, there is only one way to get files back – contact the criminals, send one encrypted file to them, receive its decrypted version (this is done to prove that the decryption tool exists), then pay for a decryption software and recover files. In other words, LockBit developers corrupt victim’s files temporarily, then ask the victim to pay a ransom to set the data free using a decryption software and private decryption key. The message says that the file used for decryption testing should not exceed 1MB in size. The virus’ developers insist that using third-party software will cause permanent data loss, and also inform about scammers who claim to decrypt files for a certain price (usually higher than the ransom itself), but pay with victim’s money to the original ransomware developers instead. The ransom note also says that the victim should send identical messages to both provided emails – goodmen@countermail.com and goodmen@cock.li. It is pretty ironical that the email boxes created by the cyber criminals use “goodmen” as username. However, based on virus version, the ransom might contain a different contact email address. Currently known Lockbit ransomware contact emails are:
pcabcd@countermail.com;recoverymanager@cock.li;goodmen@cock.li;goodmen@countermail.com.
The LockBit ransomware note also includes a personal ID in the message. The personal ID is a lengthy string of characters, which is used to identify the infected host among all other victims. The described ransomware is essentially similar to other ransom-demanding virus examples, such as COPA, STOP/DJVU, PHOBOS, NEMTY or NEFILIM. All of such programs infect victim’s computer or network silently, apply crypto-ciphers on personal or work files, then leave text files with a message from the attackers. The ransom notes usually demand paying large sums of money, typically starting at $500, in Bitcoin. The cybercriminals demand payments in such currency because it helps to keep their anonimity.
Ransomware Summary
Ransomware operation in detail
An in-depth LockBit ransomware analysis was recently provided by McAfee Labs. According to researchers, this particular ransomware variant often relies on brute force attacks to infiltrate a web server containing an outdated VPN service. After gaining access to Administrator’s account, it isn’t hard to compromise the whole computer network with ransomware then. The attacker then would run a specific PowerShell command to download LockBit ransomware in a form of a .png file (rs35.png for .NET 3.5 version and rs40.png for .NET 4 version) from a compromised website. The PNG file contains a header of a portable executable (PE), which is a .NET launcher. The file contains a lenghty AES-encrypted base64 string which contains the executable for the actual ransomware program. The virus is designed to bypass User Account Control windows and access Service Manager, which helps to terminate unwanted processes (such as security programs), delete Volume Shadow Copies and Recycle bin contents. Some examples of services that LockBit attempts to stop are: Symantec Antivirus, Norton Antivirus, Apache TomCat, and others. The virus then starts the encryption procedure, and drops ransom notes along its way through the system. LockBit ransomware also creates several keys on the infected system, containing values full and public. These keys will be saved to HKEY_CURRENT_USER\SOFTWARE\LockBit. The purpose of creating these keys is to identify the victim host in the future. Finally, the ransomware changes desktop wallpaper with the attacker’s message.
Lockbit launches a website to leak victims’ data
In September 2020, Lockbit ransomware operators introduced a double-extortion tactic to convince victims pay the ransom sooner, and launched a data leak website to upload victims’ files. To understand what do we mean by saying “double-extortion”, let us explain how the majority of ransomware viruses operate. Previously, the main factor that many ransomware developers used to leverage for their benefit is victim’s fear to lose access to personal files forever. However, in 2020, cybercriminals introduced another tactic to push victims (home users and companies) even harder – they threaten to leak information stolen from computers online. This is known as double-extortion tactic. The administrators of the infamous virus have posted a link in a dark web forum, leading to their new domain that is supposed to publish leaked data from victimized companies. Lockbit ransomware operators were confirmed members of MAZE ransomware cartel, sharing their experience as well as data leakage site. However, for unknown reasons they have decided to release their own leak site. The site currently contains links to published files stolen from two companies:
Yaskawa Electric Corporation. Japanese manufacturer of servos, motion controllers, industrial robots, switches and AC motor drives.Overseas Express. Shipping company. Leaked data includes 5.8 customer records (full customer data leak), contains names, addresses, phone numbers, emails, tracking numbers and other data.
Ransomware distribution explained: how to protect yourself or your company?
Ransomware threats such as LockBit virus or other similar malware (STOP/DJVU, PHOBOS, NEMTY) can spread via traditional distribution channels such as:
Infectious email attachments – obfuscated PDF, Word documents and other file types. Such emails typically have official-looking subject line and claim to deliver certain business-related document, such as invoice, report or similar. However, even if the attachment isn’t an EXE file, capabilities of documents nowadays allow insertion of JavaScript or Macros, both capable of downloading and executing an external file – malicious payload.Illegal downloads. Ransomware type threats can also be downloaded by the victim himself, in case one decides to get an illegal software version and activate it using a crack or keygen. One specific malware known to be using this particular distribution method is DJVU. Victims usually download the files via peer-to-peer download agents, for example, Torrent or eMule.Infected websites. Visiting compromised websites and clicking on a wrong link can instantly download malware to victim’s computer.
However, nowadays malware developers rely on a wide-range of intrusion tools. Often times, they leverage vulnerabilities in the target system (such as outdated software, weak security policy and practices in a company) to hack into the system and manually infect the computer network. Therefore, following best cyber security pratices nowadays is simply a must. Needless to say, you should only rely on official software download channels, use the latest versions of software and operating system, and avoid clicking on suspicious links/attachments when surfing the web. In addition, using a trustworthy anti-malware software with real-time protection is simply a must. To learn more about ways to avoid ransomware, please read this guide.
LockBit ransomware developers push new versions
As mentioned earlier, Lockbit ransomware pushes new versions as it is being sold as Ransomware-as-a-Service on the dark web. Therefore, any criminal with sufficient hacking knowledge can join the affiliate program and use the ransomware toolkit to push the virus for a broader audience. Cybersecurity experts have observed and analyzed changes to the virus’ variants, all listed below.
The initial version
The initial version of Lockbit ransomware uses .abcd file extension to mark encrypted data. A screenshot of folder with affected files is presented below. Text presented in Restore-My-Files.txt ransom note:
February 2020 version uses .lockbit extension
In February 2020, cybersecurity researchers notice a new variant of the virus which now marks encrypted files with .lockbit extension. The new version still uses Restore-My-Files.txt ransom note, but now points victims to a payment website available via Tor browser. Screenshot of file folder affected by Lockbit ransomware new variant: The slightly altered ransom note contents are shown below. The link given in the ransom note says to download Tor browser and access a provided website. The website includes a chat box which can be used to contact cybercriminals.
New versions can self-replicate
In May 2020, security researchers notice a new change in ransomware, which is now capable to self-replicate. Therefore, all computers on the same network will be affected by data encryption procedure. The virus connects to them via SMB (Server Message Block Protocol), then runs aforementioned Powershell commands to download and execute LockBit ransomware. As a consequence, after infecting more computers, the ransomware developers can ask for a larger ransom. It has also been noticed that new versions of the virus change desktop’s wallpaper with the one presented below.
LockBit 2.0 version (July 2021)
LockBit 2.0 ransomware is an updated variant that first emerged in July 2021. The malware uses AES + ECC to encrypt victim’s files and also uses .lockbit extension to mark locked files. The virus drops Restore-My-Files.txt ransom note, launches LockBit_Ransomware.hta file in a pop-up window, and changes victim’s desktop wallpaper with a ransom note-displaying image as well.
Remove LockBit ransomware safely and restore your files
If your computer has been infected, you must remove LockBit ransomware remains and check for additional malware on your computer. For this matter, we strongly recommend you to use the instructions given below and boot your PC into Safe Mode with Networking, then run (or if you don’t have, download) an anti-malware to delete all threats from your computer. Only after a successful LockBit virus removal you can plug your data backup device into the computer and start recovering your files. If you notice that the virus has damaged your Windows operating system files, you can repair them using RESTORO. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Alternative software recommendations
Malwarebytes Anti-Malware
Method 1. Enter Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it: Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users Now, you can search for and remove LockBit ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
