
LockBit 3.0 Black / CriptomanGizmo ([random 9 chars]; README.txt) Support Topic


130 replies to this topic

#31 Prosal


Posted 13 April 2023 - 09:50 AM

This is the message that I received on my server:

            
                                                  YOUR FILES ARE ENCRYPTED!!!

For data recovery contact us you will need to pay us:
firecorecoverfiles@msgsafe.io
fireco@onionmail.com
Telegram: @firecorecoverfiles
https://t.me/firecorecoverfiles
1. In the first letter, indicate your personal ID!
2. In response, we will send you instructions.



    
>>>> Your personal DECRYPTION ID:

 

Case reference SHA1: 7104e214a5b8696f2ed8ba96dd423e268063093c


Edited by Prosal, 14 April 2023 - 07:24 AM.



 


#32 Prosal


Posted 13 April 2023 - 10:00 AM

Any assistance would be appreciated.



#33 Amigo-A

Security specialist and Ransomware expert

Posted 13 April 2023 - 12:22 PM

Hello

 

What is the name of the ransom note?
 
RECOVERY_INFORMATION.txt
Is it a name?

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#34 Prosal


Posted 13 April 2023 - 01:15 PM

This is the message I received:

 

 

Hello. To decrypt files, follow these instructions:

    1.  Price.
    6000 $ (american dollars) for decrypting all your files, or for part of your files, the price is the same.
    We accept only BITCOIN payments. (It is a decentralized digital currency)

    2.  Be careful please.
    Do not change the encrypted file extension.
    Do not try to decrypt your files with programs from the internet, these programs don't work.
    If you decide to try any decryption programs, please make a copy of the encrypted files before doing so.
    Only our email has the keys to decrypt your files. Do not believe other people.

    3.  Test decryption as a guarantee
    We will decrypt 1 any, not important file, as proof of decryption.
    File for test no more than 1 megabyte (not archived). If in our opinion you send an important file,
    we have the right to refuse to decrypt it and ask you to send another file.

    4.  Decryption process:
    We are waiting for payment to our Bitcoin wallet. As soon as we receive the money we will send you:
    a)     Program for decryption.
    B)     Instructions for decrypting and securing your computer.

    5.  Websites where you can buy bitcoins:
    www.bitpapa.com
    www.coinmama.com
    www.paxful.com
    www.localbitcoins.com
    www.abra.com

    Big list of websites https://www.wikijob.co.uk/content/trading/cryptocurrency/places-to-buy-bitcoin#20-local-bitcoins
    PLEASE DO NOT USE COINBASE! Because through COINBASE you can send them only   after two weeks of authorization.
    Websites for CHINA: https://www.huobi.io/ https://bitpay.com/




#35 Prosal


Posted 13 April 2023 - 01:17 PM

The file extensions are .kFJdr0qI0



#36 Prosal


Posted 13 April 2023 - 01:35 PM

Recovery file name is kFJdr0qI0.README.txt



#37 quietman7

Bleepin' Gumshoe

Posted 13 April 2023 - 02:20 PM

Most likely CriptomanGizmo / LockBit 3.0 (Black) ransomware (used by affiliates or non-LockBit affiliates after its builder was leaked), which will have a random 9 character alpha-numerical extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of their name, as explained here by Amigo-A (Andrew Ivanov). These are some examples.

.hZiV1YwzR
hZiV1YwzR.README.txt
.3WbzmF0CC
3WbzmF0CC.README.txt
.JxxLLpPns
JxxLLpPns.README.txt

 
In your case...

.kFJdr0qI0
.kFJdr0qI0.README.txt


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
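Added example, not part of the original thread or any poster's code: a triage sketch that applies the naming pattern described in the post above to a file listing, reporting an extension ID only when the matching `<ID>.README.txt` note is also present. The paths in `SAMPLE` and the function name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Naming pattern from the thread: a random 9-character alphanumeric extension
# on encrypted files, and a note named "<same 9 characters>.README.txt".
NOTE_RE = re.compile(r"^([A-Za-z0-9]{9})\.README\.txt$")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{9})$")

# Constructed listing (hypothetical paths); the ID is the one reported above.
SAMPLE = [
    r"D:\Shares\Finance\budget.xlsx.kFJdr0qI0",
    r"D:\Shares\Finance\kFJdr0qI0.README.txt",
    r"D:\Shares\HR\policy.docx.kFJdr0qI0",
    r"D:\Shares\HR\kFJdr0qI0.README.txt",
    r"D:\Shares\HR\archive.documents",  # 9 letters by coincidence, no note
    r"D:\Shares\IT\README.txt",         # ordinary readme, no ID prefix
]

def triage(paths):
    """Group a file listing by extension ID, keeping only IDs that have a note.

    A 9-character suffix alone also matches ordinary names, so the matching
    "<id>.README.txt" is required before an ID is reported.
    """
    note_dirs = defaultdict(set)   # id -> directories that contain a note
    suffixed = defaultdict(list)   # id -> files whose name ends in ".<id>"
    for raw in paths:
        p = PureWindowsPath(raw)
        note = NOTE_RE.match(p.name)
        if note:
            note_dirs[note.group(1)].add(str(p.parent))
            continue
        ext = EXT_RE.search(p.name)
        if ext:
            suffixed[ext.group(1)].append(str(p))
    return {
        rid: {"note_dirs": sorted(dirs), "files": sorted(suffixed.get(rid, []))}
        for rid, dirs in note_dirs.items()
    }

if __name__ == "__main__":
    for rid, hit in triage(SAMPLE).items():
        print(f"{rid}: {len(hit['files'])} files, notes in {hit['note_dirs']}")
```

More than one ID in the result means more than one note/extension pair is present on the listing, which is worth recording before any recovery attempt.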


#38 Amigo-A


Posted 14 April 2023 - 01:26 AM

This is true. I confirm that your case is related to CryptomanGizmo Ransomware
 
firecorecoverfiles@msgsafe.io
fireco@onionmail.com
Telegram: @firecorecoverfiles
https://t.me/firecorecoverfiles

 

 
But the group of extortionists that uses these contacts also uses Stop24/7 Ransomware.
Yesterday I received a message and files that confirm this fact.

Edited by Amigo-A, 14 April 2023 - 01:31 AM.


 


#39 Amigo-A


Posted 14 April 2023 - 01:38 AM

This topic needs to be merged with the common CriptomanGizmo theme so that messages from affected users are focused in one place.



 


#40 quietman7


Posted 14 April 2023 - 06:56 AM

@Prosal

I have merged your topic into the primary support topic for victims of this ransomware.




#41 Prosal


Posted 14 April 2023 - 07:20 AM

I also got this in a .pdf file:

 

LockBit Black Ransomware
Your data are stolen and encrypted
The data will be published on TOR website
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
and http://lockbitapt.uz if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
Decryption ID:


Edited by Prosal, 14 April 2023 - 07:23 AM.


#42 Prosal


Posted 14 April 2023 - 07:24 AM

Are there any means to remediate this?



#43 quietman7


Posted 14 April 2023 - 07:36 AM

@Prosal

 

Crypto malware can be responsible for dual (multiple) infections since it will encrypt any directory or file it can read/write to regardless if previously encrypted by another ransomware or variant. Ransomware does not care about the contents of the data or whether your files are already encrypted...it will just re-encrypt (double-encrypt) them again and again if it has access. Even the same ransomware can encrypt data multiple times with different strains which may result in file corruption. That means dealing with all ransomwares, any ransom demand payments and different decryptors in order to decrypt data.

 
Decreasing your chances for recovering data with dual infections is that files may get corrupted multiple times, especially if the victim tried to use another victim's decryption key, removed the extension or attempted to fix the files by renaming them first. This typically results in more file corruption which complicates possible decryption. Further, using a faulty or incorrect decryptor (one intended for another specific type of ransomware) usually causes additional damage and/or even further corrupts the encrypted files, thus decreasing your chances for recovering data.
 
Unfortunately there is not much you can do in scenarios like this especially if any of the ransomwares are not decryptable.




#44 -r-e-n-


Posted 03 June 2023 - 10:17 PM

My files were encrypted; there was a file 7RIUKJn6Z.README.txt with mail: mrboot@privyinternet.com
They requested 0.02 btc; after payment they sent files for decryption
"lockbit 3(black)".

Attached are encrypted and decrypted files, a readme file and a decryption program; maybe someone will need them.

https://www.sendspace.com/file/2m0cgf


Edited by -r-e-n-, 03 June 2023 - 10:19 PM.


#45 al1963


Posted 04 June 2023 - 07:45 AM

@-r-e-n-

 

Could the files be decrypted with this decryptor and key? The priv.key is unlikely to help anyone else.





