LockBit 3.0 Black/CriptomanGizmo ([random 9 chars]; README.txt) Support Topic


504 replies to this topic

#496 Adrien8956

  • Members
  • 1 posts

Posted 22 January 2026 - 02:50 PM

Hello everyone,

 

I was the victim of ransomware today.

I haven't yet identified the source.

I have a NAS running OpenMediaVault and a Windows PC on the same network; both are infected and the files are encrypted.

An external SSD was also encrypted because it was connected to the computer.

Fortunately, I have a fairly recent backup of my photos and documents.

I'd like to understand how to find the source of the infection. Is it possible that it came from my OMV NAS?

And what should I do now? Can the spread continue?

Thank you in advance for your help, and sorry for my English; I'm writing from France.

 

 

 

File name : 5tLqowS7i.README

All my files : name.extension.5tLqowS7i


If your data is accidentally encrypted, please contact us as soon as possible, otherwise your data may be permanently deleted.
And your data will be made public on the Internet!
 
You can contact me by email.
 
>>>> Your personal decryption ID: af2f43e82b4da6349e9e9f9f9f9f9f9f9f9f9f9f9f
 
Email: smlth.lisa87@tutamail.com
 
Once you have completed the payment, we will decrypt it for you within 24 hours.
 
>>>> We only accept virtual currency USDT/BTC transactions. You need to prepare virtual currency in advance, and we will provide you with a payment address.
 
>>>> After the payment is completed, please send a photo of the payment to the mailbox smlth.lisa87@tutamail.com
 
>>>> The payment has been completed and sent by mail. We will provide you with a decryption program
 
>>>> What guarantees that we will not deceive you?
We are not a politically motivated organization, we just need money.
If you pay, we will thank you and provide you with a decryption program, and your data will not be leaked.
After payment we will send you the decryption program immediately. Our reputation is very important to us.

 

 


Edited by Adrien8956, 22 January 2026 - 02:51 PM.



#497 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 65,743 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 22 January 2026 - 04:53 PM

Crypto malware (file encrypting ransomware) and other forms of malware spread via a variety of attack vectors and will, by design, evade, circumvent and/or deactivate (disable) your anti-virus and security measures before encrypting data. Criminals have shifted from widespread, indiscriminate distribution to highly targeted campaigns deployed via compromised Managed Security Service Providers (MSPs) and RDP brute-force compromise, both common attack vectors for servers, particularly by those involved with the development and spread of ransomware. Section 2 in this topic explains the most common methods by which crypto malware is typically delivered and spread.
 
Note: For victims who are dealing with a NAS (Network Attached Storage) Linux-based device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their system to encrypt files over the Internet, which is essentially the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and the Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute the ransomware on vulnerable devices. Hacking passwords, OpenSSH vulnerabilities, and exploiting security vulnerabilities in software are common attack vectors.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE (Unified Network of Instructors and Trusted Eliminators)
Retired Police Officer, Federal Agent and Coast Guard Chief


#498 wlkweek

  • Members
  • 1 posts

Posted 12 February 2026 - 12:58 AM

Attached File: qfMTJLChz.README.txt (273 bytes, 5 downloads)

Hi all, may I know how to get the DECRYPTION ID? I also get the random 9 number.



#499 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 65,743 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 12 February 2026 - 06:42 AM

The encryption is secure and the criminal's master private key (session key) is needed for decryption. Without the criminal's master private key (session key), decryption is impossible.




#500 1989Andrey1989

  • Members
  • 1 posts

Posted 19 March 2026 - 06:57 AM

 
 
 
Hello everyone, the files have been encrypted with the extension .8PbsCcHuo. There was no ransom note. There was no ransom image on the desktop. How can I decrypt the files? The executable file is still in the TEMP folder.


#501 al1963

  • Members
  • 1,224 posts

Posted 19 March 2026 - 07:27 AM

 
The ransomware executable does not contain the private key needed to decrypt files. According to the configuration file, wallpaper was disabled, but set_icons was enabled, meaning the icons for encrypted files will be those specific to Lockbit encryption. The ransom note was also disabled.

 


#502 doush

  • Members
  • 2 posts

Posted 22 March 2026 - 02:23 PM

Hello everyone.

I have been hit with ransomware. While I was negotiating with them a few months ago, I had to break off due to health issues. Then I wrote them back, but their email addresses are not working anymore.

 

Veeam backup was hacked, as were all the ESXi in the inventory.

 

I have uploaded the ransom note and the encrypted file.

 

What's different is this part:

 

+        247fastdeal@cryptolab.net                                                                                     +
+        ID:TY90PI       
 
My ID does not look like a hash string. 
 
I made them decrypt a single file for proof. I have both the decrypted file and the encrypted file if someone needs to take a look at whether it is reversible.
All file extensions are .WnxgOBilZ
 
I could really use any suggestion.
 
WnxgOBilZ.README.txt
+----------------------------------------------------------------------------------------------------------------------+
+                                                    Dear Customer,                                                    +
+                                                                                                                      +
+    If you are reading this message, it means that:                                                                   +
+        - your network infrastructure has been compromised,                                                           +
+        - critical data was leaked,                                                                                   +
+        - files are encrypted                                                                                         +
+                                                                                                                      +
+----------------------------------------------------------------------------------------------------------------------+
+                                                                                                                      +
+    1. THE FOLLOWING IS STRICTLY FORBIDDEN                                                                            +
+                                                                                                                      +
+        1.1 EDITING FILES ON HDD.                                                                                     +
+            -Renaming, copying or moving any files could DAMAGE the cipher and decryption will be impossible.         +
+                                                                                                                      +
+        1.2 USING THIRD-PARTY SOFTWARE.                                                                               +
+            -Trying to recover with any software can also break the cipher and file recovery will become a problem.   +
+                                                                                                                      +
+        1.3 SHUTDOWN OR RESTART THE PC.                                                                               +
+            -Boot and recovery errors can also damage the cipher.                                                     +
+             Sorry about that, but doing so is entirely at your own risk.                                             +
+                                                                                                                      +
+----------------------------------------------------------------------------------------------------------------------+
+                                                                                                                      +
+    2. EXPLANATION OF THE SITUATION                                                                                   +
+                                                                                                                      +
+        2.1 HOW DID THIS HAPPEN                                                                                       +
+                                                                                                                      +
+            The security of your IT perimeter has been compromised (it's not perfect at all).                         +
+                                                                                                                      +
+            We encrypted your workstations and servers to make the fact                                               +
+            of the intrusion visible and to prevent you from hiding critical data leaks.                              +
+                                                                                                                      +
+            We spent a lot of time researching and finding out the most important directories                         +
+            of your business, your weak points.                                                                       +
+                                                                                                                      +
+            We have already downloaded a huge amount of critical data and analyzed it.                                +
+            Now its fate is up to you, it will either be deleted or sold, or shared with the media.                   +
+                                                                                                                      +
+            As a confirmation of the leak,                                                                            +
+            we will send you 5 any files from the stolen data list of your choice                                     +
+                                                                                                                      +
+        2.2 VALUABLE DATA WE USUALLY STEAL:                                                                           +
+            - Databases, legal documents, personal information.                                                       +
+            - Audit reports.                                                                                          +
+            - Any financial documents                                                                                 +
+            - Work files and corporate correspondence.                                                                +
+            - Any backups.                                                                                            +
+            - Confidential documents.                                                                                 +
+                                                                                                                      +
+        2.3 TO DO LIST (best practices)                                                                               +
+            - Contact us as soon as possible.                                                                         +
+            - Purchase our decryption tool and decrypt your files. There is no other way to do this.                  +
+            - Realize that dealing with us is the shortest way to success and secrecy.                                +
+            - Give up the idea of using decryption help programs, otherwise you will destroy the system permanently.  +
+            - Avoid any third-party negotiators and recovery groups. They can become the source of leaks.             +
+                                                                                                                      +
+----------------------------------------------------------------------------------------------------------------------+
+                                                                                                                      +
+    3. POSSIBLE DECISIONS                                                                                             +
+                                                                                                                      +
+        3.1 NOT MAKING THE DEAL                                                                                       +
+            - After 3 days starting tomorrow your leaked data will be Disclosed or sold.                              +
+            - We will also send the data to all interested supervisory organizations and the media.                   +
+            - Decryption key will be deleted permanently and recovery will be impossible.                             +
+            - Losses from the situation can be measured based on your annual budget.                                  +
+                                                                                                                      +
+        3.2 MAKING THE WIN-WIN DEAL                                                                                   +
+            - You will get the only working Decryption Tool and the how-to-use Manual.                                +
+            - You will get our guarantees (with log provided) of non-recoverable deletion of all your leaked data.    +
+            - You will get our guarantees of secrecy and removal of all traces related to the deal in the Internet.   +
+            - You will get our security report on how to fix your security breaches.                                  +
+                                                                                                                      +
+----------------------------------------------------------------------------------------------------------------------+
+                                                                                                                      +
+    4. HOW TO CONTACT US                                                                                              +
+                                                                                                                      +
+        247fastdeal@cryptolab.net                                                                                     +
+        ID:TY90PI                                                                                                     +
+----------------------------------------------------------------------------------------------------------------------+
+                                                                                                                      +
+    5. RESPONSIBILITY                                                                                                 +
+                                                                                                                      +
+        5.1 Breaking critical points of this offer will cause:                                                        +
+            - Deletion of your decryption keys.                                                                       +
+            - Immediate sale or complete Disclosure of your leaked data.                                              +
+            - Notification of government supervision agencies, your competitors and clients.                          +
+                                                                                                                      +
+----------------------------------------------------------------------------------------------------------------------+

 

 

 

Attached Files


Edited by quietman7, 22 March 2026 - 06:49 PM.


#503 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 65,743 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 22 March 2026 - 06:48 PM

Any files that are encrypted with most newer variants of LockBit 3.0 Black will have a [random 9 alpha-numerical character] extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name.

 

In your case, the criminals have used a .[random 8 alpha-numerical char] extension together with the same [random 8 char]-README.txt, so you appear to be dealing with a different ransomware.
 
In fact, the contents of your ransom note look similar to those I have seen used by both 8Base ransomware and a Conti-based ransomware variant.


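As an added triage example (not code from this thread or from BleepingComputer), the script below applies the naming rule quietman7 describes above to a file listing: a nine-character alphanumeric extension paired with a `<same tag>.README.txt` note is consistent with LockBit 3.0 Black, a note with a different tag length or separator points to another family, and an extension with no note at all matches the disabled-note configuration al1963 mentioned for the .8PbsCcHuo case. The sample listing, the hypothetical `Ab12Cd34` tag and the six-character minimum extension length are constructed assumptions.

```python
"""Triage a file listing against the LockBit 3.0 Black naming pattern described
in the thread: encrypted files carry an appended extension of nine random
alphanumeric characters, and the ransom note is named <same tag>.README.txt
(one poster's note lacked the .txt suffix, so it is optional here)."""
import os
import re
from collections import defaultdict

ALNUM = r"[A-Za-z0-9]"
# Ransom note named after the tag, e.g. "5tLqowS7i.README.txt" or "5tLqowS7i.README".
# A hyphen separator is also captured so it can be reported as a different naming scheme.
NOTE_RE = re.compile(rf"^({ALNUM}+)[.-]README(\.txt)?$", re.IGNORECASE)
# Appended extension of random-looking alphanumerics; a minimum of six characters is an
# assumption chosen to skip ordinary extensions such as .xlsx or .jpeg.
EXT_RE = re.compile(rf"\.({ALNUM}{{6,}})$")


def classify(filenames):
    """Return {appended_extension: verdict} for every suspicious extension seen."""
    notes = {}                 # tag -> separator character between tag and README
    by_ext = defaultdict(list)
    for path in filenames:
        base = os.path.basename(path)
        m = NOTE_RE.match(base)
        if m:
            notes[m.group(1)] = base[len(m.group(1))]
            continue
        m = EXT_RE.search(base)
        # Require an original extension before the appended one ("taxes.pdf" + ".5tLqowS7i").
        if m and "." in base[: m.start()]:
            by_ext[m.group(1)].append(base)

    verdicts = {}
    for ext in by_ext:
        nine_alnum = len(ext) == 9
        if nine_alnum and notes.get(ext) == ".":
            verdicts[ext] = "consistent with LockBit 3.0 Black naming"
        elif ext in notes:
            verdicts[ext] = "ransom note present but naming differs; likely another family"
        elif nine_alnum:
            verdicts[ext] = "9-char extension, no matching note (note may be disabled in config)"
        else:
            verdicts[ext] = "unrecognised extension; does not match the LockBit pattern"
    return verdicts


# Constructed sample listing; the 9-char tags are the ones reported in this thread,
# Ab12Cd34 is a hypothetical 8-char tag with a hyphenated note.
SAMPLE_LISTING = [
    "photos/holiday.jpg.5tLqowS7i",
    "docs/taxes.pdf.5tLqowS7i",
    "docs/5tLqowS7i.README",        # Adrien8956's note had no .txt suffix
    "share/report.docx.qfMTJLChz",
    "share/qfMTJLChz.README.txt",   # wlkweek's note
    "temp/video.mp4.8PbsCcHuo",     # 1989Andrey1989: encrypted files, no note
    "vm/disk.vmdk.Ab12Cd34",
    "vm/Ab12Cd34-README.txt",
    "docs/budget.xlsx",             # untouched file, must not be flagged
]

if __name__ == "__main__":
    for ext, verdict in sorted(classify(SAMPLE_LISTING).items()):
        print(f".{ext}: {verdict}")
```

Point `classify()` at `os.listdir()` or an `os.walk()` result from the affected share to group what was encrypted by tag before comparing against the thread's identification rules.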


#504 rte24

  • Members
  • 1 posts

Posted 22 March 2026 - 11:42 PM

Add me to the list of people hit with Lockbit 3.0/Black.  My desktop PC at home was attacked.  Thankfully, my QNAP NAS was spared from infection.  I have the PC offline now and am doing some digging.  Microsoft sent me an email at 9:20am today about suspected malware activity and they were right.  OneDrive was easy to restore.  I don't have many files on this computer and I've already purchased a new SSD to reinstall on.  I've attached a couple files and the ransom note.  Any help would be appreciated.  Thanks!

Attached Files



#505 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 65,743 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 26 March 2026 - 10:23 AM

The encryption is secure and the criminal's master private key (session key) is needed for decryption.






