Babuk Locker Ransomware Support Topic (.babyk; How To Restore Your Files.txt)

​

Yours looks like the only report thus far.

 

An Internet search only reveals this topic.

I found my topic in Twitter

https://twitter.com/malwrhunterteam/status/1636495878251839489?s=20

and here for Babuk Ransomware Decrypter but I not try it. https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/

Edited by totoe, 17 March 2023 - 01:40 AM.

@totoe

Looks like this has been identified as a Babuk Ransomware variant so I have merged your topic into the primary support topic for victims of this randomware.

Edited by quietman7, 28 June 2023 - 08:05 AM.
Duplicate in 'Encryption' deleted.

@sensoresintegracion

We're sorry to hear that you've encountered encryption of your files.

Add some encrypted files and a ransom note to the archive, upload the archive to http://sendspace.com and give us the archive download link in your message.

The .crypt (.CRYPT) extension is more generic and has been used by several types of known ransomware to include to include BearCrypt, VoidCrypt/Chaos, Babuk, CONTI, Dharma (CrySiS), DonnaRenniCrypt, N3ww4v3/Mimic, DearCry, CryptXXX, DCRTR-WDM, 0kilobypt (Wiper/Eraser), Ransomnix, Xorist, ZariqaCrypt, Chimera, RansomwareTest, Gomasom (CryptInfinite) and some GlobeImposter variants. The .crypt extension is also used by many unidentified ransomwares.
 
Is .crYpt the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]), an ID number with a person's name (.[a7fth62bc1].[<name>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?

Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?

Thank you for your prompt answers, I add more information about my case.

I tried to get the ransomware ID on the following two web pages by uploading the required information but no success (unmodified file, modified file and ransom note)

!!! ATTENTION !!!


Your network is hacked and files are encrypted.
Including the encrypted data we also downloaded other confidential information:
Data of your employees, customers, partners, as well as accounting and
other internal documentation of your company.


All data is stored until you will pay.
After payment we will provide you the programs for decryption and we will delete your data.
If you refuse to negotiate with us (for any reason) all your data will be put up for sale.


What you will face if your data gets on the black market:
1) The personal information of your employees and customers may be used to obtain a loan or
purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be
applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through 
which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.
You can learn more about liability for data loss here:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr-info.eu/
Courts, fines and the inability to use important files will lead you to huge losses.
The consequences of this will be irreversible for you.
Contacting the police will not save you from these consequences,
but will only make your situation worse.


You can get out of this situation with minimal losses
To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files.
Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)
You need to contact us as soon as possible and start negotiations.


Instructions for contacting our team:
Download & Install TOR browser: https://torproject.org
For contact us via LIVE CHAT open our
> Website:  http://e4ddzx7xhnsgx6xjrttc2lr2tduuuq27cuglzhg4gcbf4f7tb7mjarad.onion
> Login:    CLIENT
> Password: G9vwZahJ1htBHRxK1lLF
If Tor is restricted in your area, use VPN

Edited by sensoresintegracion, 07 June 2023 - 10:58 PM.

Looks to be a variation of crYptA3 Ransomware which is detected as part of the Babuk (Babuk Locker) Ransomware family. 
 
Avast Threat Labs created and released a free Babuk Decryption tool using leaked source code and leaked decryption keys for victims with files encrypted by the following extensions: .babuk, .babyk, .doydo.

• Babuk Decryptor download link

If the decryptor does not work on the variant you are dealing with, then there is no other known method that I am aware of to decrypt files encrypted by other variants of Babuk (Babuk Locker) Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. 

 
If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files or backup/save your encrypted data as is and wait for a possible solution at a later time.

I have merged your topic into the primary support topic for victims of this ransomware.

Hello,

I have been impacted by ransomware but I managed to get the decryptor and its source code. It's unfortunately a bugged ransomware decryptor (.exe) that is corrupting encrypted files when executed: some files get unlocked, some don't. It seems a matter of filesize.

Edited by amare224, 21 July 2023 - 03:01 PM.

@amare224
 
I have merged your topic into the primary support topic for victims of this ransomware.

I am not aware of anyone here working directly with the Avast Team but Demonslay335 (Michael Gillespie) and the site Admin of Bleeping Computer are subscribed to this thread and either one of them may contact you.

ANUBIZ LOCKER ransomware with .lomer extension

Any help to address this kind of ransomware and retrieve the encrypted files?

Edited by quietman7, 14 February 2024 - 10:40 AM.
Moved from Introductions

This is a variant of Babuk (Babuk Locker) Ransomware. The .lomer file extensions appended to the end of  encrypted data files was previously reported here? 

Babuk typically will leave files (ransom notes) named DECR.TXT, RestoreFiles.txt, Restore Files.txt, How To Restore Your Files.txt,  How_To_Restore_Your_Files.txt, Restore Files.txt, HowToRestore.txt, Recover_Your_Files.html, HowToDecryptYourFiles.txt, readme_for_unlock.txt, WhatHappened.txt.

These the contents of ANUBIZ LOCKER ransom note

I have merged your topic into the primary support topic for victims of this ransomware.

i been trying to search ransomware decryption tools on some website and noticed there's no way of decrypting those affected lomer file, not sure if this is the true.

database only i help you no cost , only free