Part 1: LockBit 2.0 ransomware bugs and database recovery attempts
By Danielle_Veluz
Published: 2022-03-11 · Archived: 2026-04-06 00:09:58 UTC
"}},"componentScriptGroups({\"componentId\":\"custom.widget.SocialSharing\"})":
{"__typename":"ComponentScriptGroups","scriptGroups":
{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":
{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":
{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":
[]},"component({\"componentId\":\"custom.widget.MicrosoftFooter\"})":
{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":
[\"message:3254354\"],\"name\":\"BlogMessagePage\",\"props\":
{},\"url\":\"https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery-attempts/3254354\"}}})":{"__typename":"ComponentRenderResult","html":"
"}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":
{"__typename":"ComponentScriptGroups","scriptGroups":
{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":
{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":
{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":
[]},"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageCoverImage\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeTitle\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageTimeToRead\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/tags/TagList\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagList-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 1 of 35

shared/client/components/users/UserAvatar-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751117"}],"cachedText({\"lastModified\":\"1775111751117\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751117"}]},"Theme:customTheme1":
{"__typename":"Theme","id":"customTheme1"},"User:user:-1":
{"__typename":"User","id":"user:-1","entityType":"USER","eventPath":"community:gxcuf89792/user:-1","uid":-1,"login":"Anonymous","email":"","ava
{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ss
[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":
{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues"
["true","false"]},"dateDisplayFormat":
{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US","es-ES"]},"repliesSortOrder":
{"__typename":"InheritableStringSettingWithPossibleValues","key":"config.user_replies_sort_order","value":"DEFAULT","localValue":"DEFAULT","po
["DEFAULT","LIKES","PUBLISH_TIME","REVERSE_PUBLISH_TIME"]}},"deleted":false},"CachedAsset:pages-1775111738044":{"__typename":"CachedAsset","id":"pages-1775111738044","value":
[{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename"
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"WorkstreamsPage","type":"COMMUNITY","urlPath":"/workstreams","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageRes
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1730819800000,"localOverride":null,"page":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 2 of 35

{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CreateUserGroup.Page","type":"COMMUNITY","urlPath":"/c/create-user-group/page","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"Pag
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResourc
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"}
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescripto
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"Pag
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResou
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"}
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"Pa
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageRes
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 3 of 35

{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__t
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou
{"lastUpdatedTime":1730819800000,"localOverride":null,"page":
{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typen
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typena
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"Pa
{"lastUpdatedTime":1730819800000,"localOverride":null,"page":
{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"Page
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageRes
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageD
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"P
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"P
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111738044,"localOverride":null,"page":
{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"Pa
components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find
community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot
find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this
site.","userBannedReason":"You have been banned for the following reason:
{reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 4 of 35

{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":
{"title":"Loading..."},"localOverride":false},"Rank:rank:25":
{"__typename":"Rank","id":"rank:25","position":3,"name":"Former
Employee","color":"333333","icon":null,"rankStyle":"TEXT"},"User:user:1020973":
{"__typename":"User","id":"user:1020973","uid":1020973,"login":"Danielle_Veluz","deleted":false,"avatar":
{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xMDIwOTczLTM1MzU2Nmk0RjZERkFFMjJEN
{"__ref":"Rank:rank:25"},"email":"","messagesCount":3,"biography":null,"topicsCount":3,"kudosReceivedCount":23,"kudosGivenCount":30,"kudosWei
{"__typename":"RegistrationData","status":null,"registrationTime":"2021-04-08T12:04:34.046-
07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"Category:category:microsoft-security-product":{"__typename":"Category","id":"category:microsoft-security-product","entityType":"CATEGORY","displayId":"microsoft-security-product","nodeType":"category","depth":4,"title":"Microsoft Security","shortTitle":"Microsoft Security","parent":
{"__ref":"Category:category:microsoft-security"}},"Category:category:top":
{"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle"
{"__typename":"Category","id":"category:communities","entityType":"CATEGORY","displayId":"communities","nodeType":"category","depth":1,"paren
{"__ref":"Category:category:top"},"title":"Communities","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","entityType":"CATEGORY","displayId":"products-services","nodeType":"category","depth":2,"parent":
{"__ref":"Category:category:communities"},"title":"Products","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","entityType":"CATEGORY","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":
{"__ref":"Category:category:products-services"},"title":"Microsoft Security","shortTitle":"Microsoft
Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSecurityExperts":
{"__typename":"Blog","id":"board:MicrosoftSecurityExperts","entityType":"BLOG","displayId":"MicrosoftSecurityExperts","nodeType":"board","depth
{"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":
{"__typename":"TagNodeProperties","tagsEnabled":
{"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"PRESET_ONLY","description":"","title":"Microsoft
Security Experts Blog","shortTitle":"Microsoft Security Experts Blog","parent":{"__ref":"Category:category:microsoft-security-product"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":
{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:microsoft-security-product"}}]},"userContext":
{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme":
{"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard":
{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key"
[]}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium
[]}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lit
[]}}},"linkProperties":
{"__typename":"LinkProperties","isExternalLinkWarningEnabled":false}},"BlogTopicMessage:message:3254354":
{"__typename":"BlogTopicMessage","uid":3254354,"subject":"Part 1: LockBit 2.0 ransomware bugs and database recovery
attempts","id":"message:3254354","entityType":"BLOG_ARTICLE","eventPath":"category:microsoft-security-product/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:MicrosoftSecurityExperts/message:3254354","revisionNum":10,"repliesCount":0,"author":
{"__ref":"User:user:1020973"},"depth":0,"hasGivenKudo":false,"board":
{"__ref":"Blog:board:MicrosoftSecurityExperts"},"conversation":
{"__ref":"Conversation:conversation:3254354"},"messagePolicies":
{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithi
[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.li
[]}},"canReply":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.action.message.reply_to_entity.allow.accessDenied","key":"error.lithium.polici
[]}},"canAcceptSolution":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.mark_as_accepted_solution.accessDenied","k
[]}},"canRejectSolution":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.unmark_as_accepted_solution.accessDenied"
[]}},"canTag":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.labels.action.labelableentity.set_labels.allow.accessDenied","key":"error.lithium.policie
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 5 of 35

[]}},"canEdit":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.action_allow.edit_message.accessDenied","key":"error.lithium.policies.forums.
[]}},"canKudo":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.kudos.action.entity.give_kudos.allow.accessDenied","key":"error.lithium.policies.kudo
[]}}},"contentWorkflow":
{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":
{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnTo
{"__ref":"ModerationData:moderation_data:3254354"},"teaser":"
Microsoft Incident Response (formerly DART/CRSP) researchers have uncovered “buggy code” and critical inconsistencies
in the new version of the LockBit ransomware as a result of an engagement with a customer afflicted with LockBit 2.0. This
post serves to illustrate the steps that Microsoft Incident Response researchers took to uncover this faulty crypto, and the
efforts made to overcome and eventually restore, as much as was possible, the destroyed database files of this affected
customer.
\n","body":"
Research by: Nino and Team Torstino (Microsoft Incident Response (formerly DART/CRSP))
\n\n
Disclaimer: The technical information contained in this article is provided for general informational and educational
purposes only and is not a substitute for professional advice. Accordingly, before taking any action based upon such
information, we encourage you to consult with the appropriate professionals. We do not provide any kind of guarantee of a
certain outcome or result based on the information provided. Therefore, the use or reliance of any information contained in
this article is solely at your own risk.
\n\n
LockBit 2.0 ransomware has been one of the leading ransomware strains over the last six months. Recently, the FBI issued a
flash alert outlining the technical aspects and tactics, techniques, and procedures (TTPs) associated with the LockBit 2.0
affiliate-based ransomware-as-a-service.
\n\n
Suffice it to say, a plethora of detailed research around this ransomware emerged as a result of version \"2.0\", which
surfaced back in the summer of 2021. All these public reports and technical undertakings, however, fail to mention a critical
aspect of this ransomware strain that Microsoft Incident Response researchers have discovered and is something often not
discussed when bringing up the topic of ransomware: “buggy code”, and the unpredictable consequences that it can induce.
\n\n
This post illustrates a much more direct attempt at ransomware recovery targeting MSSQL databases, where we uncovered
and further exploited bugs present in the LockBit 2.0 ransomware code, up to the point where we were able to revert the
encryption process for these database files and restore them back to a functioning state. This is often an impossible task to
carry out, given that it implies breaking decades of practical research into cryptography-- not simply in theory, but in actual
implementation.
\n\n
This two-part blog series will outline all the steps taken and challenges overcome, in order to restore the damaged database
files that served as a critical core of this customer’s infrastructure.
\n\n\n
We uncovered critical inconsistencies with the logic of this ransomware upon our first interaction with a LockBit 2.0
afflicted customer, who, incidentally, also purchased the software capable of restoring the destruction the ransomware is
known to wreak, known as \"the decryptor\" aspect of ransomware.
\n\n
The unfortunate customer was soon to find out that the claims the affiliate-based ransomware distributor made, about paying
the ransom resolves to obtaining the decryptor capable of restoring the effects of the encryption, were very dubious in their
assertions. Upon attempting to use this purchased decryptor to restore critical database files, the customer was met with very
disappointing results and was perplexed as to why the restoration of these database files was not going as expected, and
what steps to take next.
\n\n
At some point, Microsoft Incident Response became engaged with this customer, obtained access to both the encryptor and
decryptor aspects of the ransomware, and with suspicions that \"faulty crypto” was at play, analysis commenced.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 6 of 35

\n\n\n
One of the first things we can do to make our lives easier when suspecting faulty encryption/decryption is to first avoid the
urge of digging into any literature regarding the densely obtuse aspects of cryptography, or even more menacingly, modern
cryptography. Instead, use the power that Sysinternals handy-dandy Procmon provides in monitoring file I/O with the hopes
of spotting any kind of anomalies or inconsistencies when either the encryptor or decryptor is running.
\n\n
Through this monitoring we should get a quick (correct) picture of how the encryption/decryption algorithm is implemented,
assuming that it is not doing all of this in memory and indeed going through the I/O manager as is generally the case.
\n\n
For instance, Figure 1 shows the encryptor in action on a test dummy file we created. It’s worth noting, when assuming
faulty crypto algorithms are at play, to test on a variety of file sizes to see how/if they pan out differently. We often see a
common mistake on larger sized files (at least 4GB or greater), especially in 32-bit encryptors, not understanding that the
larger the file size gets, the closer we get, and eventually cross, into signed territory. These mistakes can lead to incorrect
checks on file sizes, how the internal file pointer is set, and so on, that can introduce unintended corruption by the encryptor.
Something to always keep an eye out for.
\n\n
Figure 1. Test #1 of the encryptor in action
\n\n
Test #1: high-level observations
\n
\n
It increases the file size
\n
It only encrypts the first 0x1000 bytes from the start of the header (in theory, enough to kill off any header metadata)
\n
Appends some data at the end of the original file size (0x200 bytes)
\n
Appends a .lockbit extension to the original filename
\n
\n\n
Spoiler: The data that it appends to the end of the encrypted file is the required decryption information that the decryptor
utilizes as part of its restoration process. Each file is encrypted with a unique 16-byte initialization vector (IV) and AES256
key. Both are stored, encrypted with a modified cha-cha dance, at the end of each individual encrypted file. The decryptor in
turn knows how to find this “decryption blob”, extract the unique IV and AES256 key, and then leverage them for the
decryption. Other data is stored as well in these blobs, such as the original file size and the AES block size.
\n\n
Our test #1 from the Procmon output in Figure 1 shows that the encryptor alters the original size of the file it is about to
corrupt, so it is only appropriate that it retains this original information somewhere when the decryptor begins to attempt its
restoration process. At least this is the theory. In practice, as we’re soon to find out, something quite different has the
potential of happening.
\n\n
Testing the 1GB file was a good start, but let’s try a much larger file and again, observe the behavior of the encryptor
through Procmon.
\n\n
Figure 2. Test #2 for encryptor in action
\n\n
Test #2: high-level observations:
\n
\n
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 7 of 35

Starts off like our first test but ends drastically different
\n
Procmon curiously does not generate a Result for the WriteFile operation when appending the decryption blob
\n
It seems to further encrypt, at 65,536-byte intervals, more data
\n
\n
Having some clear differences from our first test run, the second one intrigues us enough to continue digging deeper with the
suspicion that something is seriously not right here. It gets even more intriguing when we try to view the call stack for the
WriteFile operations that follow the instance where Procmon was unable to tell us the Result of appending the decryption
blob.
\n\n
Figure 3. Viewing the call stack for the WriteFile operations
\n\n
Every WriteFile operation following the empty Result in the yellow highlighted row looks like the Event Properties box on
the right: empty. This is very strange indeed and requires a deeper introspection than Procmon can give us. Before departing
from the almighty Procmon, it continues to show its worth by providing us with a valuable vantage point of where to begin
looking at: the call stack. We can see that at offset +0xA0842 is where we presumably never return from.
\n\n
Now feels like the right time to introduce our favorite toolset for any deep troubleshooting into the picture: Time Travel
Debugging (TTD)
\n\n\n
Prior to introducing the TTD framework into the picture, we will first load the encryptor into IDA Pro and go to that offset
identified by Procmon to observe the code at that location. Doing so, we can see that we are at the return address of what is a
call to ntdll!NtWriteFile. Depending on what we can further spot in the disassembly or decompilation, the following plan is
to re-run the encryptor again, but this time under the control of TTTracer to generate some runtime data that we can work
against.
\n\n
Figure 4. Code responsible for writing the encrypted contents back to disk
\n\n
Let’s also show the cleanup decompilation of this piece of code as well, to observe at a higher level.
\n\n
Figure 5. Decompilation of Figure 4
\n\n
As shown in both Figure 4 and 5, we can spot that something is off here; the NTSTATUS return value for the write file is
not handled correctly. In fact, it’s flat-out wrong. One way that we can demonstrate the consequence of this improper
handling of the write file operation is to ask whether the encryptor operates asynchronously. The reasons for introducing this
in our inquiry will be explained shortly.
\n\n
But if we do dig a bit into the binary inside IDA, we can confirm the asynchrony of the encryptor, implemented through I/O
completion ports. The actual file encryption is done via a callback routine executed as a thread, and very interestingly for the
debugging enthusiasts, hidden threads.
\n\n\n\n
What this call to NtSetInformationThread does is set the HideFromDebugger flag inside the internal, executive thread
structure, which guarantees that the debugger will never receive any debug events for this thread, effectively missing the
controllable execution of these threads. Something to be aware of when attempting to debug this encryptor in the traditional
manner. Since we plan to use TTTracer, these anti-debug shenanigans are moot, and we can ignore them completely.
\n\n
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 8 of 35

This is great and all, but what exactly is the issue here with the NTSTATUS value? First, LockBit 2.0 devs mistakenly
assume all unsuccessful NTSTATUS values are signed. For instance, the following ones are very relevant to the encryptor
given its asynchronous behavior and are clearly not negative numbers.
\n\n
Figure 7. NTSTATUS values
\n\n
Second, and more importantly, they entirely neglect the handling of pending I/O operations: STATUS_PENDING. And
given the asynchronous nature of I/O on Windows, this in theory could be every file I/O operation. Further, given that the
encryption is carried out asynchronously as well through I/O completion ports, ntdll!NtWriteFile can and will return
STATUS_PENDING, which the caller must properly account for. How does one account for it? Patience. (See
WaitForSingleObject and ZwWaitForSingleObject)
\n\n
Not doing so will lead to unpredictable and potentially destructive behavior as LockBit 2.0 is mistakenly assuming success
after each write operation when the return value is not signed. When multiple threads are at play, which they will be, you
now create a situation that can result in all these worker threads writing at unpredictable intervals. Seems like a minor
ordeal, but because of this mishandling, the entire stability of the encryptor is now in question. These effects naturally spill
over to the decryptor as well.
\n\n
IO_STATUS_BLOCK
\n
NtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL);
);
\n
The operating system implements support routines that write IO_STATUS_BLOCK values to caller-supplied output buffers.
For example, see ZwOpenFile or NtOpenFile. These routines return status codes that might not match the status codes in
the IO_STATUS_BLOCK structures. If one of these routines returns STATUS_PENDING, the caller should wait for the
I/O operation to complete, and then check the status code in the IO_STATUS_BLOCK structure to determine the final
status of the operation.
\n\n
If the routine returns a status code other than STATUS_PENDING, the caller should rely on this status code instead of the
status code in the IO_STATUS_BLOCK structure.
\n\n\n
Having now identified at least one critical flaw that can result in faulty crypto, let’s shift our attention to the decryption
process itself, because our primary goal is to confirm, and then hopefully implement, a capacity to do what the purchased
decryptor was supposed to do.
\n\n
From the customer, we were given several MSSQL encrypted database files which had the potential of being correctly
decrypted. The reason that we can make such a claim is that the required decryption information (recall our earlier Procmon
adventures) was still intact somewhere in the file. Not where it’s supposed to be, but it’s there, nonetheless. This
misplacement, a direct result of the improper handling of the write file operation outlined above, is what causes the
decryptor to miss retrieving this blob of data. This mishandling can even unwittingly truncate or expand the original file
size. Simply having the decryption blob information present in the encrypted binary does not really mean anything at this
stage of what we’re trying to accomplish.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 9 of 35

\n\n
One of the first things that we tried to get the decryptor up and running accurately, was to remove all the data that follows
the decryption blob in the encrypted database file, giving it the appearance of being “correctly” appended, as it was
originally intended to be. We then ran the decryptor against it (under TTTracer) to see what would happen. We failed to
decrypt the file with this approach but with the resulting TTD trace, we have a window to peek into and identify the flaws in
our wishful approach.
\n\n
Figure 8. The decryption blob was found, but it’s not at the end/tail of the file as it’s supposed to be
\n\n
Going through the generated trace file, we were able to identify that the decryptor does indeed find the decryption blob
correctly now and furthermore, is able to successfully decrypt it to acquire the necessary IV and AES key for decryption.
However, the file still does not get decrypted. Digging deeper, we identified the issue being in how it tries to compare two
LARGE_INTEGERs, that of the incoming, encrypted file size and the AES block size stored in the decryption blob data that
it assumed it appended correctly.
\n\n
Figure 9. File size and the encrypted database file we’re working against
\n\n
// disassembly responsible for initiating this sequence, by storing the incoming file size
.text:00428721 mov esi, dword ptr [eax+lb_encrypt_file_t.og_filesz] ; fetch the LowerPart of the file size
.text:00428724 mov eax, [eax+lb_encrypt_file_t.og_filesz.anonymous_0.HighPart] ; fetch the HighPart of the fil
.text:00428727 mov [esp+1Ch], eax ; store the HighPart of the file size
.text:0042872B lea eax, [esp+3E8h+var_268]
.text:00428732 push eax
.text:00428733 mov [esp+18h], esi ; save the LowerPart of the file size// in the TTD trace, looking at the inc
00428724 8b4024 mov eax,dword ptr [eax+24h]
ds:002b:1c9e0024=00000013
0:014> dd @eax
1c9e0000 00000000 00000000 00000000 00000000
1c9e0010 00000000 00000000 00000000 00000000
1c9e0020 fffec200 00000013 00000000 00000001// size of the incoming file
0:014> dt ntdll!_LARGE_INTEGER 1c9e0020 QuadPart
0x00000013`fffec200
+0x000 QuadPart : 0n85899264512
// code that does the check after the offset has been calculated from the decryption blob
.text:004288E6 mov eax, [esi+lb_encrypt_file_t.byte_offset.anonymous_0.HighPart]
.text:004288E9 add edx, ecx
.text:004288EB adc edi, eax
.text:004288ED cmp [esp+1Ch], edx ; now check the LowerPart
.text:004288F1 jnz __size_check_fail_cleanup
.text:004288F7 cmp [esp+18h], edi ; now check the HigherPart
.text:004288FB jnz __size_check_fail_cleanup __success_go_for_decryption_of_encrypted_content// go to the loca
0:014> dx @$calls(0x4288ED).First().TimeStart.SeekTo()
Time Travel Position: 1CC3E8:F20 [Unindexed] Index
0:014> u . l4
decryptor+0x288ed:
004288ed cmp dword ptr [esp+1Ch],edx ; compare against LowerPart
004288f1 jne __size_check_fail_cleanup ; they have to match, otherwise decryption is skipped
004288f7 cmp dword ptr [esp+18h],edi ; compare against the HighPart
004288fb jne __size_check_fail_cleanup ; they have to match, otherwise decryption is skipped
0:014> r edx
edx=00000200 ; AES block size calculated out of the data inside the decryption blob
0:014> dd @esp+1c l1
1a73fb9c fffec200 ; LowPart of incoming file size, failing when being compared to the size of the decryption b
0:014> r edi
edi=
00000014 ; very revealing, this tells us where the decryption blob should actually be (what the HighPart shoul
0:014> dd @esp+18 l1
1a73fba4 00000013 ; HighPart, we see our cutting off all the data after the decryption blob breaks the logic h
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 10 of 35

\n\n
Based on the TTD trace, simply cutting off all the data that follows the decryption blob won’t work either, but we can spot
what the issue is and even where the decryption blob is originally supposed to be: minimum at offset 0x1400000000 in the
file. The high part of the large integer for the incoming file is at offset 0x1300000000, but it fails when compared to the
original size that was calculated out of the decryption blob: 0x1400000000. But even before that, the comparison of
0xfffec200 and 0x200 also fails, since it’s expecting to have correctly calculated the AES block size, which it did not.
\n\n
Realizing this, we decided to “push” the decryption blob up to its proper offset, and then again cut off all the data that
followed it, to recreate the encrypted file once more into what should be its originally intended structure. Once done, we re-run it through the decryptor and excitedly await the results.
\n\n
Figure 10. Correctly aligning the decryption blob before we re-run the decryptor against it
\n\n
Upon running the decryptor this time around, we successfully decrypted the file!
\n\n
decryptor_pp+0x288ed:
004288ed cmp dword ptr [esp+0Ch],edx ss:002b:0271fb9c=00000200
0:007> r edx
edx=00000200// edx, as expected is 0x200
0:007> dd @esp+c l1
0271fb9c 00000200 // aes block size has correctly been calculated this time
0:007> t // step into, to validate the jne
decryptor_pp+0x288f1:
004288f1 jne decryptor_pp+0x28c0a (00428c0a) [br=0]
0:007> r zf
zf=1
0:007> t // step into to compare the next check for the HighPart
decryptor_pp+0x288f7:
004288f7 397c2414 cmp dword ptr [esp+14h],edi ss:002b:0271fba4=00000014
0:007> dd @esp+14 l1
0271fba4 00000014 // we see that they're the same, and the decryptor works as expected
0:007> r edi
edi=00000014
0:007> t
0:007> r zf
zf=1
\n\n
Figure 11. (L) Encrypted file; (R) Successfully decrypted file
\n\n
While this has the deceptive appearance of some kind of success, we must remain ever cognizant of the fatal bug that’s
inside the encryptor. The critical flaw by these ransomware developers in misunderstanding how NTSTATUS values work,
and the consequences they can have for naïve thread synchronization. Given that we don’t want to be unwitting victims of
naivety ourselves, we quickly realized that the immensity of the problem was just now slowly starting to reveal itself.
\n\n\n
In the second part of this series, we will shift our focus to outlining the issues that the decryptor poses, uncover the file
structure of the database files that we’re dealing with, throw in a little bit of crypto magic into play, and take the necessary
steps to achieve our ultimate goal: the successful restoration of all encrypted database files.
\n","body@stringLength":"33160","rawBody":"
Research by: Nino and Team Torstino (Microsoft Incident Response (formerly DART/CRSP))
\n\n
Disclaimer: The technical information contained in this article is provided for general informational and educational
purposes only and is not a substitute for professional advice. Accordingly, before taking any action based upon such
information, we encourage you to consult with the appropriate professionals. We do not provide any kind of guarantee of a
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 11 of 35

certain outcome or result based on the information provided. Therefore, the use or reliance of any information contained in
this article is solely at your own risk.
\n\n
LockBit 2.0 ransomware has been one of the leading ransomware strains over the last six months. Recently, the FBI issued a
flash alert outlining the technical aspects and tactics, techniques, and procedures (TTPs) associated with the LockBit 2.0
affiliate-based ransomware-as-a-service.
\n\n
Suffice it to say, a plethora of detailed research around this ransomware emerged as a result of version \"2.0\", which
surfaced back in the summer of 2021. All these public reports and technical undertakings, however, fail to mention a critical
aspect of this ransomware strain that Microsoft Incident Response researchers have discovered and is something often not
discussed when bringing up the topic of ransomware: “buggy code”, and the unpredictable consequences that it can induce.
\n\n
This post illustrates a much more direct attempt at ransomware recovery targeting MSSQL databases, where we uncovered
and further exploited bugs present in the LockBit 2.0 ransomware code, up to the point where we were able to revert the
encryption process for these database files and restore them back to a functioning state. This is often an impossible task to
carry out, given that it implies breaking decades of practical research into cryptography-- not simply in theory, but in actual
implementation.
\n\n
This two-part blog series will outline all the steps taken and challenges overcome, in order to restore the damaged database
files that served as a critical core of this customer’s infrastructure.
\n\n
Background
\n
We uncovered critical inconsistencies with the logic of this ransomware upon our first interaction with a LockBit 2.0
afflicted customer, who, incidentally, also purchased the software capable of restoring the destruction the ransomware is
known to wreak, known as \"the decryptor\" aspect of ransomware.
\n\n
The unfortunate customer was soon to find out that the claims the affiliate-based ransomware distributor made, about paying
the ransom resolves to obtaining the decryptor capable of restoring the effects of the encryption, were very dubious in their
assertions. Upon attempting to use this purchased decryptor to restore critical database files, the customer was met with very
disappointing results and was perplexed as to why the restoration of these database files was not going as expected, and
what steps to take next.
\n\n
At some point, Microsoft Incident Response became engaged with this customer, obtained access to both the encryptor and
decryptor aspects of the ransomware, and with suspicions that \"faulty crypto” was at play, analysis commenced.
\n\n
Our observations on the encryptor and identifying its anomalies
\n
One of the first things we can do to make our lives easier when suspecting faulty encryption/decryption is to first avoid the
urge of digging into any literature regarding the densely obtuse aspects of cryptography, or even more menacingly, modern
cryptography. Instead, use the power that Sysinternals handy-dandy Procmon provides in monitoring file I/O with the hopes
of spotting any kind of anomalies or inconsistencies when either the encryptor or decryptor is running.
\n\n
Through this monitoring we should get a quick (correct) picture of how the encryption/decryption algorithm is implemented,
assuming that it is not doing all of this in memory and indeed going through the I/O manager as is generally the case.
\n\n
For instance, Figure 1 shows the encryptor in action on a test dummy file we created. It’s worth noting, when assuming
faulty crypto algorithms are at play, to test on a variety of file sizes to see how/if they pan out differently. We often see a
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 12 of 35

common mistake on larger sized files (at least 4GB or greater), especially in 32-bit encryptors, not understanding that the
larger the file size gets, the closer we get, and eventually cross, into signed territory. These mistakes can lead to incorrect
checks on file sizes, how the internal file pointer is set, and so on, that can introduce unintended corruption by the encryptor.
Something to always keep an eye out for.
\n\n
Figure 1. Test #1 of the encryptor in action
\n\n
Test #1: high-level observations
\n
\n
It increases the file size
\n
It only encrypts the first 0x1000 bytes from the start of the header (in theory, enough to kill off any header metadata)
\n
Appends some data at the end of the original file size (0x200 bytes)
\n
Appends a .lockbit extension to the original filename
\n
\n\n
Spoiler: The data that it appends to the end of the encrypted file is the required decryption information that the decryptor
utilizes as part of its restoration process. Each file is encrypted with a unique 16-byte initialization vector (IV) and AES256
key. Both are stored, encrypted with a modified cha-cha dance, at the end of each individual encrypted file. The decryptor in
turn knows how to find this “decryption blob”, extract the unique IV and AES256 key, and then leverage them for the
decryption. Other data is stored as well in these blobs, such as the original file size and the AES block size.
\n\n
Our test #1 from the Procmon output in Figure 1 shows that the encryptor alters the original size of the file it is about to
corrupt, so it is only appropriate that it retains this original information somewhere when the decryptor begins to attempt its
restoration process. At least this is the theory. In practice, as we’re soon to find out, something quite different has the
potential of happening.
\n\n
Testing the 1GB file was a good start, but let’s try a much larger file and again, observe the behavior of the encryptor
through Procmon.
\n\n
Figure 2. Test #2 for encryptor in action
\n\n
Test #2: high-level observations:
\n
\n
Starts off like our first test but ends drastically different
\n
Procmon curiously does not generate a Result for the WriteFile operation when appending the decryption blob
\n
It seems to further encrypt, at 65,536-byte intervals, more data
\n
\n
Having some clear differences from our first test run, the second one intrigues us enough to continue digging deeper with the
suspicion that something is seriously not right here. It gets even more intriguing when we try to view the call stack for the
WriteFile operations that follow the instance where Procmon was unable to tell us the Result of appending the decryption
blob.
\n\n
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 13 of 35

Figure 3. Viewing the call stack for the WriteFile operations
\n\n
Every WriteFile operation following the empty Result in the yellow highlighted row looks like the Event Properties box on
the right: empty. This is very strange indeed and requires a deeper introspection than Procmon can give us. Before departing
from the almighty Procmon, it continues to show its worth by providing us with a valuable vantage point of where to begin
looking at: the call stack. We can see that at offset +0xA0842 is where we presumably never return from.
\n\n
Now feels like the right time to introduce our favorite toolset for any deep troubleshooting into the picture: Time Travel
Debugging (TTD)
\n\n
What exactly is the issue?
\n
Prior to introducing the TTD framework into the picture, we will first load the encryptor into IDA Pro and go to that offset
identified by Procmon to observe the code at that location. Doing so, we can see that we are at the return address of what is a
call to ntdll!NtWriteFile. Depending on what we can further spot in the disassembly or decompilation, the following plan is
to re-run the encryptor again, but this time under the control of TTTracer to generate some runtime data that we can work
against.
\n\n
Figure 4. Code responsible for writing the encrypted contents back to disk
\n\n
Let’s also show the cleanup decompilation of this piece of code as well, to observe at a higher level.
\n\n
Figure 5. Decompilation of Figure 4
\n\n
As shown in both Figure 4 and 5, we can spot that something is off here; the NTSTATUS return value for the write file is
not handled correctly. In fact, it’s flat-out wrong. One way that we can demonstrate the consequence of this improper
handling of the write file operation is to ask whether the encryptor operates asynchronously. The reasons for introducing this
in our inquiry will be explained shortly.
\n\n
But if we do dig a bit into the binary inside IDA, we can confirm the asynchrony of the encryptor, implemented through I/O
completion ports. The actual file encryption is done via a callback routine executed as a thread, and very interestingly for the
debugging enthusiasts, hidden threads.
\n\n\n\n
What this call to NtSetInformationThread does is set the HideFromDebugger flag inside the internal, executive thread
structure, which guarantees that the debugger will never receive any debug events for this thread, effectively missing the
controllable execution of these threads. Something to be aware of when attempting to debug this encryptor in the traditional
manner. Since we plan to use TTTracer, these anti-debug shenanigans are moot, and we can ignore them completely.
\n\n
This is great and all, but what exactly is the issue here with the NTSTATUS value? First, LockBit 2.0 devs mistakenly
assume all unsuccessful NTSTATUS values are signed. For instance, the following ones are very relevant to the encryptor
given its asynchronous behavior and are clearly not negative numbers.
\n\n
Figure 7. NTSTATUS values
\n\n
Second, and more importantly, they entirely neglect the handling of pending I/O operations: STATUS_PENDING. And
given the asynchronous nature of I/O on Windows, this in theory could be every file I/O operation. Further, given that the
encryption is carried out asynchronously as well through I/O completion ports, ntdll!NtWriteFile can and will return
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 14 of 35

STATUS_PENDING, which the caller must properly account for. How does one account for it? Patience. (See
WaitForSingleObject and ZwWaitForSingleObject)
\n\n
Not doing so will lead to unpredictable and potentially destructive behavior as LockBit 2.0 is mistakenly assuming success
after each write operation when the return value is not signed. When multiple threads are at play, which they will be, you
now create a situation that can result in all these worker threads writing at unpredictable intervals. Seems like a minor
ordeal, but because of this mishandling, the entire stability of the encryptor is now in question. These effects naturally spill
over to the decryptor as well.
\n\n
IO_STATUS_BLOCK
\n
NtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL);
);
\n
The operating system implements support routines that write IO_STATUS_BLOCK values to caller-supplied output buffers.
For example, see ZwOpenFile or NtOpenFile. These routines return status codes that might not match the status codes in
the IO_STATUS_BLOCK structures. If one of these routines returns STATUS_PENDING, the caller should wait for the
I/O operation to complete, and then check the status code in the IO_STATUS_BLOCK structure to determine the final
status of the operation.
\n\n
If the routine returns a status code other than STATUS_PENDING, the caller should rely on this status code instead of the
status code in the IO_STATUS_BLOCK structure.
\n\n
About the broken decryptor (and decrypting files that it couldn’t)
\n
Having now identified at least one critical flaw that can result in faulty crypto, let’s shift our attention to the decryption
process itself, because our primary goal is to confirm, and then hopefully implement, a capacity to do what the purchased
decryptor was supposed to do.
\n\n
From the customer, we were given several MSSQL encrypted database files which had the potential of being correctly
decrypted. The reason that we can make such a claim is that the required decryption information (recall our earlier Procmon
adventures) was still intact somewhere in the file. Not where it’s supposed to be, but it’s there, nonetheless. This
misplacement, a direct result of the improper handling of the write file operation outlined above, is what causes the
decryptor to miss retrieving this blob of data. This mishandling can even unwittingly truncate or expand the original file
size. Simply having the decryption blob information present in the encrypted binary does not really mean anything at this
stage of what we’re trying to accomplish.
\n\n
One of the first things that we tried to get the decryptor up and running accurately, was to remove all the data that follows
the decryption blob in the encrypted database file, giving it the appearance of being “correctly” appended, as it was
originally intended to be. We then ran the decryptor against it (under TTTracer) to see what would happen. We failed to
decrypt the file with this approach but with the resulting TTD trace, we have a window to peek into and identify the flaws in
our wishful approach.
\n\n
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 15 of 35

Figure 8. The decryption blob was found, but it’s not at the end/tail of the file as it’s supposed to be
\n\n
Going through the generated trace file, we were able to identify that the decryptor does indeed find the decryption blob
correctly now and furthermore, is able to successfully decrypt it to acquire the necessary IV and AES key for decryption.
However, the file still does not get decrypted. Digging deeper, we identified the issue being in how it tries to compare two
LARGE_INTEGERs, that of the incoming, encrypted file size and the AES block size stored in the decryption blob data that
it assumed it appended correctly.
\n\n
Figure 9. File size and the encrypted database file we’re working against
\n\n
// disassembly responsible for initiating this sequence, by storing the incoming file size
.text:00428721 mov esi, dword ptr [eax+lb_encrypt_file_t.og_filesz] ; fetch the LowerPart of the file size
.text:00428724 mov eax, [eax+lb_encrypt_file_t.og_filesz.anonymous_0.HighPart] ; fetch the HighPart of the fil
.text:00428727 mov [esp+1Ch], eax ; store the HighPart of the file size
.text:0042872B lea eax, [esp+3E8h+var_268]
.text:00428732 push eax
.text:00428733 mov [esp+18h], esi ; save the LowerPart of the file size// in the TTD trace, looking at the inc
00428724 8b4024 mov eax,dword ptr [eax+24h]
ds:002b:1c9e0024=00000013
0:014> dd @eax
1c9e0000 00000000 00000000 00000000 00000000
1c9e0010 00000000 00000000 00000000 00000000
1c9e0020 fffec200 00000013 00000000 00000001// size of the incoming file
0:014> dt ntdll!_LARGE_INTEGER 1c9e0020 QuadPart
0x00000013`fffec200
+0x000 QuadPart : 0n85899264512
// code that does the check after the offset has been calculated from the decryption blob
.text:004288E6 mov eax, [esi+lb_encrypt_file_t.byte_offset.anonymous_0.HighPart]
.text:004288E9 add edx, ecx
.text:004288EB adc edi, eax
.text:004288ED cmp [esp+1Ch], edx ; now check the LowerPart
.text:004288F1 jnz __size_check_fail_cleanup
.text:004288F7 cmp [esp+18h], edi ; now check the HigherPart
.text:004288FB jnz __size_check_fail_cleanup __success_go_for_decryption_of_encrypted_content// go to the loca
0:014> dx @$calls(0x4288ED).First().TimeStart.SeekTo()
Time Travel Position: 1CC3E8:F20 [Unindexed] Index
0:014> u . l4
decryptor+0x288ed:
004288ed cmp dword ptr [esp+1Ch],edx ; compare against LowerPart
004288f1 jne __size_check_fail_cleanup ; they have to match, otherwise decryption is skipped
004288f7 cmp dword ptr [esp+18h],edi ; compare against the HighPart
004288fb jne __size_check_fail_cleanup ; they have to match, otherwise decryption is skipped
0:014> r edx
edx=00000200 ; AES block size calculated out of the data inside the decryption blob
0:014> dd @esp+1c l1
1a73fb9c fffec200 ; LowPart of incoming file size, failing when being compared to the size of the decryption b
0:014> r edi
edi=
00000014 ; very revealing, this tells us where the decryption blob should actually be (what the HighPart shoul
0:014> dd @esp+18 l1
1a73fba4 00000013 ; HighPart, we see our cutting off all the data after the decryption blob breaks the logic h
\n\n
Based on the TTD trace, simply cutting off all the data that follows the decryption blob won’t work either, but we can spot
what the issue is and even where the decryption blob is originally supposed to be: minimum at offset 0x1400000000 in the
file. The high part of the large integer for the incoming file is at offset 0x1300000000, but it fails when compared to the
original size that was calculated out of the decryption blob: 0x1400000000. But even before that, the comparison of
0xfffec200 and 0x200 also fails, since it’s expecting to have correctly calculated the AES block size, which it did not.
\n\n
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 16 of 35

Realizing this, we decided to “push” the decryption blob up to its proper offset, and then again cut off all the data that
followed it, to recreate the encrypted file once more into what should be its originally intended structure. Once done, we re-run it through the decryptor and excitedly await the results.
\n\n
Figure 10. Correctly aligning the decryption blob before we re-run the decryptor against it
\n\n
Upon running the decryptor this time around, we successfully decrypted the file!
\n\n
decryptor_pp+0x288ed:
004288ed cmp dword ptr [esp+0Ch],edx ss:002b:0271fb9c=00000200
0:007> r edx
edx=00000200// edx, as expected is 0x200
0:007> dd @esp+c l1
0271fb9c 00000200 // aes block size has correctly been calculated this time
0:007> t // step into, to validate the jne
decryptor_pp+0x288f1:
004288f1 jne decryptor_pp+0x28c0a (00428c0a) [br=0]
0:007> r zf
zf=1
0:007> t // step into to compare the next check for the HighPart
decryptor_pp+0x288f7:
004288f7 397c2414 cmp dword ptr [esp+14h],edi ss:002b:0271fba4=00000014
0:007> dd @esp+14 l1
0271fba4 00000014 // we see that they're the same, and the decryptor works as expected
0:007> r edi
edi=00000014
0:007> t
0:007> r zf
zf=1
\n\n
Figure 11. (L) Encrypted file; (R) Successfully decrypted file
\n\n
While this has the deceptive appearance of some kind of success, we must remain ever cognizant of the fatal bug that’s
inside the encryptor. The critical flaw by these ransomware developers in misunderstanding how NTSTATUS values work,
and the consequences they can have for naïve thread synchronization. Given that we don’t want to be unwitting victims of
naivety ourselves, we quickly realized that the immensity of the problem was just now slowly starting to reveal itself.
\n\n
Coming up in Part 2
\n
In the second part of this series, we will shift our focus to outlining the issues that the decryptor poses, uncover the file
structure of the database files that we’re dealing with, throw in a little bit of crypto magic into play, and take the necessary
steps to achieve our ultimate goal: the successful restoration of all encrypted database files.
\n","kudosSumWeight":4,"postTime":"2022-03-11T10:01:44.690-08:00","images":
{"__typename":"AssociatedImageConnection","edges":
[{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDE","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAyOWkxNzQ4OEZBOEIxQjk1OUE1?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDI","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5Mmk3ODY2RjM5NjMxRjEzRDQz?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDM","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5NGk4RTcyOEE2Rjc2RUZBRTc5?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDQ","node":
{"__ref":"AssociatedImage:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 17 of 35

{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5NWkxNUNGRkRDQjY1QTg5NUQ0?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDU","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5OGkwNUNBQUNFOTUzMkQ5Rjkw?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDY","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5OWkxMUNCOTgwMEZBQTZBMUU2?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDc","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwMWkxQTc2RkUzQUIzQjRGMDND?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDg","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwM2k5QUFGMzJFOENDM0U2RDBB?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDk","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwNWk3OThFMTdCMUIxMkIwMjQx?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDEw","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxN2kwQ0UyNzA5NzhCQTJDMjI2?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDEx","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxMmkyOTcwOTUwQTA0OTAwMUJF?
revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDEy","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxOWlENDFGMDY0ODUwMkQ5OEM3?
revision=10\"}"}}],"totalCount":12,"pageInfo":
{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":
{"__typename":"AttachmentConnection","pageInfo":
{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":
[]},"tags":{"__typename":"TagConnection","pageInfo":
{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":
[{"__typename":"TagEdge","cursor":"MjYuMXwyLjF8b3wxMHxfTlZffDE","node":
{"__typename":"Tag","id":"tag:microsoft detection and response team (dart)","text":"microsoft detection and response team
(dart)","time":"2022-01-04T09:00:00.029-
08:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":12,"rawTeaser":"
Microsoft Incident Response (formerly DART/CRSP) researchers have uncovered “buggy code” and critical inconsistencies
in the new version of the LockBit ransomware as a result of an engagement with a customer afflicted with LockBit 2.0. This
post serves to illustrate the steps that Microsoft Incident Response researchers took to uncover this faulty crypto, and the
efforts made to overcome and eventually restore, as much as was possible, the destroyed database files of this affected
customer.
\n","introduction":"","coverImage":null,"coverImageProperties":
{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""},"currentRevision":
{"__ref":"Revision:revision:3254354_10"},"latestVersion":
{"__typename":"FriendlyVersion","major":"3","minor":"0"},"metrics":
{"__typename":"MessageMetrics","views":25974},"read":false,"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"pl
{"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges":
[]},"coAuthors":{"__typename":"UserConnection","edges":[]},"blogMessagePolicies":
{"__typename":"BlogMessagePolicies","canDoAuthoringActionsOnBlog":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","key":"error.lithium.policies.blog
[]}}},"archivalData":null,"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}}})":
{"__typename":"RevisionConnection","totalCount":10}},"Conversation:conversation:3254354":
{"__typename":"Conversation","id":"conversation:3254354","solved":false,"topic":
{"__ref":"BlogTopicMessage:message:3254354"},"lastPostingActivityTime":"2023-05-22T13:45:48.259-
07:00","lastPostTime":"2022-03-11T10:01:44.690-
08:00","unreadReplyCount":0,"isSubscribed":false},"ModerationData:moderation_data:3254354":
{"__typename":"ModerationData","id":"moderation_data:3254354","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":nu
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAyOWkxNzQ4OEZBOEIxQjk1OUE1?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAyOWkxNzQ4OEZB
revision=10","title":"MSFT_SCI_Comprehensive_Security_01.jpg","associationType":"TEASER","width":539,"height":301,"altText":null},"AssociatedI
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5Mmk3ODY2RjM5NjMxRjEzRDQz?
revision=10\"}":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 18 of 35

{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5Mmk3ODY2RjM5
revision=10","title":"Fig1_lockbit_test
encryptor.jpg","associationType":"BODY","width":1989,"height":348,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5NGk4RTcyOEE2Rjc2RUZBRTc5?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5NGk4RTcyOEE2R
revision=10","title":"Fig2_lockbit_test 2
encryptor.jpg","associationType":"BODY","width":2166,"height":481,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5NWkxNUNGRkRDQjY1QTg5NUQ0?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5NWkxNUNGRkRD
revision=10","title":"Fig3_lockbit_viewing call
stack.jpg","associationType":"BODY","width":2164,"height":1063,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5OGkwNUNBQUNFOTUzMkQ5Rjkw?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5OGkwNUNBQUN
revision=10","title":"Fig4_lockbit_codewriting.jpg","associationType":"BODY","width":2166,"height":826,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5OWkxMUNCOTgwMEZBQTZBMUU2?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NDk5OWkxMUNCOTg
revision=10","title":"Fig5_lockbit_decompilation.jpg","associationType":"BODY","width":2164,"height":424,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwMWkxQTc2RkUzQUIzQjRGMDND?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwMWkxQTc2RkUz
revision=10","title":"Fig6_lockbit_encryptor multi-threading.jpg","associationType":"BODY","width":2170,"height":973,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwM2k5QUFGMzJFOENDM0U2RDBB?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwM2k5QUFGMzJF
revision=10","title":"Fig7_lockbit_NTSTATUS
values.jpg","associationType":"BODY","width":2152,"height":684,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwNWk3OThFMTdCMUIxMkIwMjQx?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAwNWk3OThFMTdC
revision=10","title":"Fig8_lockbit_decrpytion blob
found.jpg","associationType":"BODY","width":1407,"height":1582,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxN2kwQ0UyNzA5NzhCQTJDMjI2?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxN2kwQ0UyNzA5N
revision=10","title":"Fig9_lockbit_file
size.jpg","associationType":"BODY","width":1111,"height":790,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxMmkyOTcwOTUwQTA0OTAwMUJF?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxMmkyOTcwOTUw
revision=10","title":"Fig10_lockbit_aligning decryption
blob.jpg","associationType":"BODY","width":987,"height":1158,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxOWlENDFGMDY0ODUwMkQ5OEM3?
revision=10\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zMjU0MzU0LTM1NTAxOWlENDFGMDY
revision=10","title":"Fig11_lockbit_encrypted and decrypted
file.jpg","associationType":"BODY","width":1504,"height":454,"altText":null},"Revision:revision:3254354_10":
{"__typename":"Revision","id":"revision:3254354_10","lastEditTime":"2023-05-22T13:45:48.259-
07:00"},"CachedAsset:theme:customTheme1-1774596246126":{"__typename":"CachedAsset","id":"theme:customTheme1-
1774596246126","value":{"id":"customTheme1","animation":
{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51,
1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":
["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":
{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnN
{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(-
-lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabled
-lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 19 of 35

white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid
transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) *
0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) *
0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid
transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid
transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),
0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-
s), calc(var(--lia-bs-gray-900-l) *
0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid
transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid
transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) *
0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) *
0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid
transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid
transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),
0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderT
{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px
hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--
lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s),
var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":
{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":
{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageF
-lia-bs-font-family-base)","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--
lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--
lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 20 of 35

weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#bc341b","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesT
{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCC
-lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider":
{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--
lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":
{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":
{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":
{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#fffff
solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":
{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":
{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#
{"color":"var(--lia-bs-body-color)","fontFamily":"Segoe
UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20
-lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":
{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","s
{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":
{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(-
-lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),
0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l),
0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l),
0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) -
10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":
{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":
{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typ
solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 21 of 35

sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(-
-lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxS
-lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h),
var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%,
50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collap
-lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":
{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":
{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem
1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"
0%, 100%,
0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":
{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","custo
53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%,
0.4)","diffRemovedColor":"hsla(9, 74%, 47%,
0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageIt
-lia-bs-gray-700)","tableBorderStyle":"solid","tableCellPaddingX":"5px","tableCellPaddingY":"5px","tableTextColor":"var(--lia-bs-body-color)","tableVerticalAlign":"middle","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":
{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":
{"fontFamilyBase":"Segoe
UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold
[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},
{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},
{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},
{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},
{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":
[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":
{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename"
{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":
{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLighte
shared/client/components/common/Loading/LoadingDot-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1775111751117","value":
{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSecurityExperts-1775111749559":
{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSecurityExperts-1775111749559","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps":
{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":
["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":
{"community.widget.breadcrumbWidget":
{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOC
{"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var
-lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"Ma
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 22 of 35

{"main":[],"side":[{"id":"custom.widget.UnregisteredCTAWidget","className":null,"props":
{"widgetVisibility":"anonymousOnly","useTitle":true,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.UnregisteredCT
components/common/EmailVerification-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1775111751117","value":{"email.verification.title":"Email Verification
Required","email.verification.message.update.email":"To participate in the community, you must first verify your email
address. The verification email was sent to {email}. To change your email, visit My
Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email
address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1775111751117","value":{"title":"{contextMessageSubject} |
{communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog
Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1775111735106"
{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1775111735106","value":
{"id":"Common","header":{"backgroundImageProps":
{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"
[{"id":"community.widget.navbarWidget","props":
{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"style":
{"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"400","controllerHighlightColor":"hsla(30, 100%,
50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"14px","linkBoxShadowHover":"none","backgroundO
-lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"30px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom
solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"flex-start","linkColor":"var(--lia-bs-body-color)","collapseMenuDividerBg":"var(--lia-nav-link-color)","dropdownPaddingTop":"10px","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(-
-lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-primary)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","controllerTextHoverColor":
-lia-nav-controller-icon-hover-color)","paddingTop":"15px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--
lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"links":{"sideLinks":[],"logoLinks":[],"mainLinks":[{"children":
[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":
[],"linkType":"EXTERNAL","id":"community-hub-link","url":"/Directory","target":"SELF"},{"children":
[{"linkType":"INTERNAL","id":"Common-microsoft365-link","params":
{"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-link","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft-security-link","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-teams-link","params":
{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-azure-link","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-content_management-link","params":{"categoryId":"Content_Management"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoftintune-link","params":
{"categoryId":"microsoftintune"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-exchange-link","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-server-link","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-outlook-link","params":
{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft365-copilot-link","params":{"categoryId":"Microsoft365Copilot"},"routeName":"CategoryPage"},
{"linkType":"EXTERNAL","id":"Common_Enntvz-view-all-products-link","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"products-link","url":"/","target":"SELF"},
{"children":[{"linkType":"INTERNAL","id":"Common-education-sector-link","params":
{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-partner-community-link","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-healthcare-and-life-sciences-link","params":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 23 of 35

{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-i-t-ops-talk-link","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-public-sector-link","params":
{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoftfor-nonprofits-link","params":{"categoryId":"MicrosoftforNonprofits"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-io-t-link","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-mvp-link","params":{"categoryId":"mvp"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-mechanics-link","params":
{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-driving-adoption-link","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-learn-for-educators-link","params":{"categoryId":"microsoft-learn-for-educators"},"routeName":"CategoryPage"}],"linkType":"EXTERNAL","id":"topics-link","url":"/","target":"SELF"},
{"children":[],"linkType":"EXTERNAL","id":"all-blogs-link","url":"/Blogs","target":"SELF"},{"children":
[],"linkType":"EXTERNAL","id":"all-events-link","url":"/Events","target":"SELF"},{"children":
[{"linkType":"INTERNAL","id":"Skills-Hub-link","params":{"categoryId":"skills-hub"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Skills-Hub-Blog","params":{"boardId":"skills-hub-blog","categoryId":"skills-hub"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"ms-learn-ext-LD","url":"/category/skills-hub?
tab=grouphub","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-dynamics","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-m365","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},
{"linkType":"EXTERNAL","id":"ms-learn-ext-security","url":"https://docs.microsoft.com/learn/topics/sci/?
wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-pp","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-github","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},
{"linkType":"EXTERNAL","id":"ms-learn-ext-teams","url":"https://docs.microsoft.com/learn/teams/?
wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-net","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},
{"linkType":"EXTERNAL","id":"ms-learn-ext-azure","url":"https://docs.microsoft.com/learn/azure/?
WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"Skills-Hub","params":
{"categoryId":"skills-hub"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"Common-community-info-center-link","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-usergroups-link","params":
{"categoryId":"usergroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-community-news-desk-link","params":{"categoryId":"CommunityNewsDesk"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-global-community-initiative-link","params":{"categoryId":"microsoft-global-community-initiative"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"Common-gxcuf89792-
community","params":
{},"routeName":"CommunityPage"}]},"showSearchIcon":true,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},
{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.CommunityBanner","props":
{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"Qu
{"id":"custom.widget.ChatbotWidget","props":
{"customComponentId":"custom.widget.ChatbotWidget","cDisplay_form":true,"useBackground":false},"__typename":"QuiltComponent"},
{"id":"custom.widget.HeroBanner","props":
{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"w
{"backgroundImageProps":
{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"
[{"id":"custom.widget.SocialSharing","props":
{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},
{"id":"custom.widget.MicrosoftFooter","props":
{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__ty
components/common/ActionFeedback-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1775111751117","value":
{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed
to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could
not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not
Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been
deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a
member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked
due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes
Saved","editedGroupHub.message":"Your group has been
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 24 of 35

updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not
receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been
deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to
use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be
redirected to the homepage","resetTokenExpired.title":"Reset Password Link has
Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid
URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try
again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is
closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has
been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you
are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access
Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't
exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new
activity and reminded as the event approaches","eventInterested.title":"Responded as
Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event
approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does
not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing
Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is
archived","redirectToRelatedPage.message":"The content you are trying to access is
archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived
Content"},"localOverride":false},"CachedAsset:component:custom.widget.CommunityBanner-en-us-1774596318997":
{"__typename":"CachedAsset","id":"component:custom.widget.CommunityBanner-en-us-1774596318997","value":
{"component":{"id":"custom.widget.CommunityBanner","template":
{"id":"CommunityBanner","markupLanguage":"REACT","style":null,"texts":null,"defaults":{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.CommunityBanner","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":
en-us-1774596318997":{"__typename":"CachedAsset","id":"component:custom.widget.ChatbotWidget-en-us-1774596318997","value":{"component":{"id":"custom.widget.ChatbotWidget","template":
{"id":"ChatbotWidget","markupLanguage":"REACT","style":null,"texts":{"chatbot.references.title":"Related
Articles","chatbot.welcome.title":"Welcome!","chatbot.welcome.description":"I'm here to help you explore and discover
great content.","chatbot.welcome.prompt":"Ask me a question or choose a suggestion below to get
started:","chatbot.welcome.cta":"Let's dive in—what would you like to discover today?","chatbot.status.typing":"Assistant
is typing…","chatbot.status.error":"error","chatbot.error.response":"Failed to get response. Please try
again.","chatbot.error.processing":"There was an error processing your message.","chatbot.error.configuration":"API URL
not configured","chatbot.error.network":"Network error occurred. Please check your connection and try
again.","chatbot.error.timeout":"Request timed out. Please try again.","chatbot.error.emptyResponse":"I couldn't generate a
response. Please try rephrasing your question.","chatbot.buttons.send":"Send","chatbot.buttons.close":"Close
chat","chatbot.buttons.newChat":"Start new chat","chatbot.buttons.collapse":"Collapse chat
panel","chatbot.buttons.expand":"Expand chat panel","chatbot.buttons.fullscreen":"Enter
fullscreen","chatbot.buttons.exitFullscreen":"Exit fullscreen","chatbot.buttons.like":"Like this
response","chatbot.buttons.dislike":"Dislike this response","chatbot.buttons.removeLike":"Remove
like","chatbot.buttons.removeDislike":"Remove dislike","chatbot.aria.chatInput":"Chat
input","chatbot.aria.sendMessage":"Send message","chatbot.aria.openChat":"Open chat
assistant","chatbot.aria.closeChat":"Close chat assistant","chatbot.defaults.title":"Ask Tech
Community","chatbot.defaults.subtitle":"Ask questions – get answers","chatbot.defaults.entryHeading":"Find
answers","chatbot.defaults.entrySubtext":"Ask the agent","chatbot.defaults.placeholder":"Type your
message…","chatbot.defaults.initialMessage":"Hi! I'm your assistant. Ask me something or pick a suggestion above to
begin.","chatbot.suggestions.findBlogs":"Find insightful blogs","chatbot.suggestions.exploreEvents":"Explore upcoming
events","chatbot.suggestions.startJourney":"Start your journey with something new","chatbot.dialog.endConversation":"End
conversation","chatbot.dialog.confirmEndConversation":"Do you want to end this conversation and start
over?","chatbot.dialog.endConversationButton":"End
conversation","chatbot.dialog.cancel":"Cancel","chatbot.error.genericServiceUnavailable":"The service is currently
unavailable. Please try again later.","chatbot.error.noResults":"We could not find any information related to your query. Try
rephrasing your query."},"defaults":{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.ChatbotWidget","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 25 of 35

en-us-1774596318997":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-us-1774596318997","value":{"component":{"id":"custom.widget.HeroBanner","template":
{"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this
community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your
search term(s) and then press return key to complete a search.","blogs.sidebar.pagetitle":"Latest Blogs | Microsoft Tech
Community","followThisNode":"Follow this node","unfollowThisNode":"Unfollow this
node","customField.teamsLink.title":"Microsoft teams link","customField.teamsLink.label":"Teams meeting
url"},"defaults":{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The
maximum number of items to display in the
carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.HeroBanner","form":{"fields":
[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi
{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul
{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti
{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n
{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max
Items","description":"The maximum number of items to display in the
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":
[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":
[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":
{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},
{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to
{"id":"useBackground","type":"fieldset","as":null,"items":
[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"widgetVisibility","type":"fieldset","as":null,"items":
[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":
[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"id":"componentPropsGroup","type":"fieldset","as":null,"items":
[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The
maximum number of items to display in the
carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":
{"fields":
[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi
{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul
{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti
{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n
{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max
Items","description":"The maximum number of items to display in the
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":
[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":
[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":
{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},
{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to
{"id":"useBackground","type":"fieldset","as":null,"items":
[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"widgetVisibility","type":"fieldset","as":null,"items":
[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":
[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"id":"componentPropsGroup","type":"fieldset","as":null,"items":
[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"fields":
[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 26 of 35

{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul
{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti
{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n
{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max
Items","description":"The maximum number of items to display in the
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":
[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":
[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":
{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},
{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to
{"id":"useBackground","type":"fieldset","as":null,"items":
[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"widgetVisibility","type":"fieldset","as":null,"items":
[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":
[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"id":"componentPropsGroup","type":"fieldset","as":null,"items":
[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
en-us-1774596318997":{"__typename":"CachedAsset","id":"component:custom.widget.UnregisteredCTAWidget-en-us-1774596318997","value":{"component":{"id":"custom.widget.UnregisteredCTAWidget","template":
{"id":"UnregisteredCTAWidget","markupLanguage":"REACT","style":null,"texts":{"register.communityHub":"Welcome to
the {name} Community Hub. Sign in to like, participate, or start a conversation.","register.category":"Welcome to the
{name} Community Hub. Sign in to like, participate, or start a conversation.","register.discussionBoard":"Welcome to the
{name} space. Sign in to like, reply, or start a discussion.","register.blogSpace":"Welcome to the {name} space. Sign in to
like or comment on articles in this space.","register.eventSpace":"Welcome to the {name} space. Sign in to RSVP, add
events to your calendar, and join the conversation.","register.ideaSpace":"Welcome to the {name} space. Sign in to vote,
comment, or submit your own feedback.","buttonRegister":"Sign in","register.discussionBoardArticle":"Have a question or
insight to share? Sign in to join the discussion.","register.blogSpaceArticle":"Enjoying the article? Sign in to share your
thoughts.","register.eventSpaceArticle":"Don’t just watch - take part. Sign in to RSVP, ask questions, and join the
discussion.","register.ideaSpaceArticle":"Sign in to submit ideas, upvote ideas, and join the conversation."},"defaults":
{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.UnregisteredCTAWidget","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":
en-us-1774596318997":{"__typename":"CachedAsset","id":"component:custom.widget.SocialSharing-en-us-1774596318997","value":{"component":{"id":"custom.widget.SocialSharing","template":
{"id":"SocialSharing","markupLanguage":"HANDLEBARS","style":".sharePage {\n display: flex;\n justify-content:
center;\n background: #d7d7d7;\n padding: 0px;\n height: 60px;\n}\n.singleSocialIcons {\n display: flex;\n gap: 12px;\n list-style-type: none;\n padding: 0px;\n margin: 0;\n}\n.containers {\n display: flex;\n gap: 30px;\n}\n\n.listIcon {\n align-content: center;\n}\n.headingShare {\n display: inline;\n margin-right: 25px;\n margin-bottom: 0px;\n font-size: 20px;\n
font-weight: 550;\n align-content: center;\n}\n\n@media (max-width: 990px) {\n .sharePage {\n display: flex;\n justify-content: center;\n }\n\n .containers {\n display: inline-block;\n justify-content: center;\n align-content: center;\n align-items:
center;\n }\n .headingShare {\n display: flex;\n justify-content: center;\n }\n .singleSocialIcons {\n
}\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media
websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.SocialSharing","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":"Adds buttons to share to various social media
websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":
{"css":".custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n background:
#d7d7d7;\n padding: 0;\n height: 3.75rem;\n}\n.custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n display:
flex;\n gap: 0.75rem;\n list-style-type: none;\n padding: 0;\n margin:
0;\n}\n.custom_widget_SocialSharing_containers_6x3n8_15 {\n display: flex;\n gap:
1.875rem;\n}\n.custom_widget_SocialSharing_listIcon_6x3n8_20 {\n align-content:
center;\n}\n.custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: inline;\n margin-right: 1.5625rem;\n
margin-bottom: 0;\n font-size: 1.25rem;\n font-weight: 550;\n align-content: center;\n}\n@media (max-width: 990px) {\n
.custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n }\n\n
.custom_widget_SocialSharing_containers_6x3n8_15 {\n display: inline-block;\n justify-content: center;\n align-content:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 27 of 35

center;\n align-items: center;\n }\n .custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: flex;\n justify-content: center;\n }\n .custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n }\n}\n","tokens":
{"sharePage":"custom_widget_SocialSharing_sharePage_6x3n8_1","singleSocialIcons":"custom_widget_SocialSharing_singleSocialIcons_6x3n8_8","co
en-us-1774596318997":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-us-1774596318997","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":
{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\r\n min-width: 280px;\r\n font-size:
15px;\r\n box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n &
*:before,\r\n & *:after {\r\n box-sizing: inherit;\r\n }\r\n a.c-uhff-link {\r\n color: #616161;\r\n word-break: break-word;\r\n
text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n &a:visited {\r\n text-decoration:
none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.c-uhff {\r\n background: #f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.c-uhff-nav {\r\n margin: 0 auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n &:before,\r\n
&:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n
padding-left: 12px;\r\n }\r\n .c-heading-4 {\r\n color: #616161;\r\n word-break: break-word;\r\n font-size: 15px;\r\n line-height: 20px;\r\n padding: 36px 0 4px;\r\n font-weight: 600;\r\n }\r\n .c-uhff-nav-row {\r\n .c-uhff-nav-group {\r\n display:
block;\r\n float: left;\r\n min-height: 1px;\r\n vertical-align: text-top;\r\n padding: 0 12px;\r\n width: 100%;\r\n zoom: 1;\r\n
&:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 12px;\r\n }\r\n }\r\n
@media only screen and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only
screen and (min-width: 1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.c-list.f-bare {\r\n font-size: 11px;\r\n line-height:
16px;\r\n margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n padding: 8px 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.c-uhff-base {\r\n background: #f2f2f2;\r\n margin: 0
auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 30px 5% 16px;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n
display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n a.c-uhff-ccpa,\r\n a.c-uhff-consumer {\r\n display: flex;\r\n float:
left;\r\n font-size: 11px;\r\n line-height: 16px;\r\n padding: 4px 24px 0 0;\r\n }\r\n a.c-uhff-ccpa:hover,\r\n a.c-uhff-consumer:hover {\r\n text-decoration: underline;\r\n }\r\n ul.c-list {\r\n font-size: 11px;\r\n line-height: 16px;\r\n float:
right;\r\n margin: 3px 0;\r\n color: #616161;\r\n li {\r\n padding: 0 24px 4px 0;\r\n display: inline-block;\r\n }\r\n }\r\n .c-list.f-bare {\r\n padding-left: 0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n
display: flex;\r\n flex-wrap: wrap;\r\n padding: 30px 24px 16px;\r\n }\r\n}\r\n\r\n.social-share {\r\n position: fixed;\r\n top:
60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index: 1000;\r\n}\r\n\r\n.sharing-options {\r\n list-style: none;\r\n
padding: 0;\r\n margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 50px;\r\n
border-radius: 0px 7px 7px 0px;\r\n}\r\n.linkedin-icon {\r\n border-top-right-radius: 7px;\r\n}\r\n.linkedin-icon:hover {\r\n
border-radius: 0;\r\n}\r\n\r\n.social-share-email-image:hover {\r\n border-radius: 0;\r\n}\r\n\r\n.social-link-footer:hover
.linkedin-icon {\r\n border-radius: 0;\r\n}\r\n.social-link-footer:hover .social-share-email-image {\r\n border-radius:
0;\r\n}\r\n\r\n.social-link-footer img {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n\r\n.social-share-list {\r\n width: 50px;\r\n}\r\n.social-share-rss-image {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s
ease;\r\n}\r\n.sharing-options li {\r\n width: 50px;\r\n height: 50px;\r\n padding: 8px;\r\n box-sizing: border-box;\r\n border:
2px solid white;\r\n display: inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border
0.3s ease; /* Smooth transition effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last
item */\r\n}\r\n\r\n.social-share-list-linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded
top right corner of first item*/\r\n}\r\n.social-share-list-facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.social-share-list-xicon {\r\n background-color: #000;\r\n}\r\n.social-share-list-reddit {\r\n background-color: #fc4404;\r\n}\r\n.social-share-list-bluesky {\r\n background-color: #f0f2f5;\r\n}\r\n.social-share-list-rss {\r\n background-color: #ec7b1c;\r\n}\r\n.social-share-list-mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last
item*/\r\n}\r\n.sharing-options li.social-share-list-mail {\r\n border-bottom: 2px solid white; /* Add bottom border only to
the last item */\r\n height: 52px; /* Increase last child height to make in align with the hover label */\r\n}\r\n.x-icon {\r\n
filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 20px !important;\r\n height: auto;\r\n padding-top: 5px
!important;\r\n}\r\n.bluesky-icon {\r\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition:
filter 0.3s ease;\r\n padding-top: 5px !important;\r\n width: 25px !important;\r\n}\r\n\r\n.share-icon {\r\n border: 2px solid
transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n\r\n.sharing-options li:hover {\r\n border: 2px solid
white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius: 0px;\r\n}\r\n.sharing-options li.social-share-list-mail:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n}\r\n\r\n.sharing-options
li:hover .label {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n box-sizing: border-box;\r\n border-left:
none;\r\n}\r\n\r\n.label {\r\n position: absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility:
hidden;\r\n transition: all 0.2s ease;\r\n color: white;\r\n border-radius: 0 10 0 10px;\r\n top: 50%;\r\n transform:
translateY(-50%);\r\n height: 52px;\r\n display: flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 10px
12px 15px 8px;\r\n border: 2px solid white;\r\n}\r\n.linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius:
5px; /* Rounded top right corner of first item*/\r\n}\r\n.facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.twitter {\r\n
background-color: black;\r\n color: white;\r\n}\r\n.reddit {\r\n background-color: #fc4404;\r\n}\r\n.mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.bluesky {\r\n
background-color: #f0f2f5;\r\n color: black;\r\n}\r\n.rss {\r\n background-color: #ec7b1c;\r\n}\r\n\r\n@media (max-width:
991px) {\r\n .social-share {\r\n display: none;\r\n }\r\n}\r\n","texts":{"heading.whatsNew":"What's
new","heading.store":"Microsoft
Store","heading.education":"Education","heading.business":"Business","heading.developer":"Developer &
IT","heading.company":"Company","link.whatsNew.surfacePro":"Surface Pro","aria.whatsNew.surfacePro":"Surface Pro
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 28 of 35

What's new","link.whatsNew.surfaceLaptop":"Surface Laptop","aria.whatsNew.surfaceLaptop":"Surface Laptop What's
new","link.whatsNew.surfaceLaptopStudio2":"Surface Laptop Studio 2","aria.whatsNew.surfaceLaptopStudio2":"Surface
Laptop Studio 2 What's new","link.whatsNew.copilotOrganizations":"Copilot for
organizations","aria.whatsNew.copilotOrganizations":"Copilot for organizations What's
new","link.whatsNew.copilotPersonal":"Copilot for personal use","aria.whatsNew.copilotPersonal":"Copilot for personal
use What's new","link.whatsNew.aiInWindows":"AI in Windows","aria.whatsNew.aiInWindows":"AI in Windows What's
new","link.whatsNew.exploreProducts":"Explore Microsoft products","aria.whatsNew.exploreProducts":"Explore Microsoft
products What's new","link.whatsNew.windows11Apps":"Windows 11 apps","aria.whatsNew.windows11Apps":"Windows
11 apps What's new","link.store.accountProfile":"Account profile","aria.store.accountProfile":"Account profile Microsoft
Store","link.store.downloadCenter":"Download Center","aria.store.downloadCenter":"Download Center Microsoft
Store","link.store.support":"Microsoft Store support","aria.store.support":"Microsoft Store support Microsoft
Store","link.store.returns":"Returns","aria.store.returns":"Returns Microsoft Store","link.store.orderTracking":"Order
tracking","aria.store.orderTracking":"Order tracking Microsoft Store","link.store.certifiedRefurbished":"Certified
Refurbished","aria.store.certifiedRefurbished":"Certified Refurbished Microsoft Store","link.store.promise":"Microsoft
Store Promise","aria.store.promise":"Microsoft Store Promise Microsoft Store","link.store.flexiblePayments":"Flexible
Payments","aria.store.flexiblePayments":"Flexible Payments Microsoft
Store","link.education.microsoftInEducation":"Microsoft in education","aria.education.microsoftInEducation":"Microsoft in
education Education","link.education.devices":"Devices for education","aria.education.devices":"Devices for education
Education","link.education.teams":"Microsoft Teams for Education","aria.education.teams":"Microsoft Teams for Education
Education","link.education.m365":"Microsoft 365 Education","aria.education.m365":"Microsoft 365 Education
Education","link.education.howToBuy":"How to buy for your school","aria.education.howToBuy":"How to buy for your
school Education","link.education.training":"Educator training and development","aria.education.training":"Educator
training and development Education","link.education.deals":"Deals for students and parents","aria.education.deals":"Deals
for students and parents Education","link.education.ai":"AI for education","aria.education.ai":"AI for education
Education","link.business.microsoftAi":"Microsoft AI","aria.business.microsoftAi":"Microsoft AI
Business","link.business.security":"Microsoft Security","aria.business.security":"Microsoft Security
Business","link.business.dynamics":"Dynamics 365","aria.business.dynamics":"Dynamics 365
Business","link.business.m365":"Microsoft 365","aria.business.m365":"Microsoft 365
Business","link.business.powerPlatform":"Microsoft Power Platform","aria.business.powerPlatform":"Microsoft Power
Platform Business","link.business.teams":"Microsoft Teams","aria.business.teams":"Microsoft Teams
Business","link.business.m365Copilot":"Microsoft 365 Copilot","aria.business.m365Copilot":"Microsoft 365 Copilot
Business","link.business.smallBusiness":"Small Business","aria.business.smallBusiness":"Small Business
Business","link.developer.azure":"Azure","aria.developer.azure":"Azure Developer &
IT","link.developer.developerCenter":"Microsoft Developer","aria.developer.developerCenter":"Microsoft Developer
Developer & IT","link.developer.learn":"Microsoft Learn","aria.developer.learn":"Microsoft Learn Developer &
IT","link.developer.aiMarketplace":"Support for AI marketplace apps","aria.developer.aiMarketplace":"Support for AI
marketplace apps Developer & IT","link.developer.techCommunity":"Microsoft Tech
Community","aria.developer.techCommunity":"Microsoft Tech Community Developer &
IT","link.developer.marketplace":"Microsoft Marketplace","aria.developer.marketplace":"Microsoft Marketplace Developer
& IT","link.developer.marketplaceRewards":"Marketplace Rewards","aria.developer.marketplaceRewards":"Marketplace
Rewards Developer & IT","link.developer.visualStudio":"Visual Studio","aria.developer.visualStudio":"Visual Studio
Developer & IT","link.company.careers":"Careers","aria.company.careers":"Careers
Company","link.company.about":"About Microsoft","aria.company.about":"About Microsoft
Company","link.company.news":"Company news","aria.company.news":"Company news
Company","link.company.privacy":"Privacy at Microsoft","aria.company.privacy":"Privacy at Microsoft
Company","link.company.investors":"Investors","aria.company.investors":"Investors
Company","link.company.diversity":"Diversity and inclusion","aria.company.diversity":"Diversity and inclusion
Company","link.company.accessibility":"Accessibility","aria.company.accessibility":"Accessibility
Company","link.company.sustainability":"Sustainability","aria.company.sustainability":"Sustainability
Company","ccpa.label":"Your Privacy Choices","consumerhealthprivacy.label":"Consumer Health
Privacy","corp.sitemap":"Sitemap","corp.contact":"Contact
Microsoft","corp.privacy":"Privacy","corp.manageCookies":"Manage cookies","corp.terms":"Terms of
use","corp.trademarks":"Trademarks","corp.safetyEco":"Safety &
eco","corp.recycling":"Recycling","corp.aboutAds":"About our
ads","corp.microsoft":"Microsoft","social.linkedin.alt":"Share to LinkedIn","social.linkedin.label":"Share on
LinkedIn","social.facebook.alt":"Share to Facebook","social.facebook.label":"Share on Facebook","social.x.alt":"Share to
X","social.x.label":"Share on X","social.reddit.alt":"Share to Reddit","social.reddit.label":"Share on
Reddit","social.bluesky.alt":"Share to Blue Sky","social.bluesky.label":"Share on Bluesky","social.rss.alt":"Subscribe to
RSS","social.rss.label":"Share on RSS","social.email.alt":"Share to Email","social.email.label":"Share on
Email"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft
Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 29 of 35

{"applicablePages":[],"description":"The Microsoft
Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":
{"css":".custom_widget_MicrosoftFooter_context-uhf_qp4x5_1 {\r\n min-width: 17.5rem;\r\n font-size: 0.9375rem;\r\n
box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n & *:before,\r\n &
*:after {\r\n box-sizing: inherit;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23 {\r\n color: #616161;\r\n
word-break: break-word;\r\n text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n
&a:visited {\r\n text-decoration: none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica
Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff_qp4x5_23 {\r\n background:
#f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69 {\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n
&:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width:
1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n .custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97 {\r\n color:
#616161;\r\n word-break: break-word;\r\n font-size: 0.9375rem;\r\n line-height: 1.25rem;\r\n padding: 2.25rem 0
0.25rem;\r\n font-weight: 600;\r\n }\r\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113 {\r\n
.custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115 {\r\n display: block;\r\n float: left;\r\n min-height:
0.0625rem;\r\n vertical-align: text-top;\r\n padding: 0 0.75rem;\r\n width: 100%;\r\n zoom: 1;\r\n &:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n }\r\n @media only screen
and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only screen and (min-width:
1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n
margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n
padding: 0.5rem 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187
{\r\n background: #f2f2f2;\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 1.875rem 5% 1rem;\r\n
&:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n
a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213,\r\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215 {\r\n display: flex;\r\n float: left;\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n padding: 0.25rem
1.5rem 0 0;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213:hover,\r\n
a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215:hover {\r\n text-decoration: underline;\r\n }\r\n
ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n float: right;\r\n
margin: 0.1875rem 0;\r\n color: #616161;\r\n li {\r\n padding: 0 1.5rem 0.25rem 0;\r\n display: inline-block;\r\n }\r\n }\r\n
.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n padding-left:
0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n display: flex;\r\n flex-wrap:
wrap;\r\n padding: 1.875rem 1.5rem 1rem;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n
position: fixed;\r\n top: 60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index:
1000;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 {\r\n list-style: none;\r\n padding: 0;\r\n
margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 3.125rem;\r\n border-radius: 0 0.4375rem 0.4375rem 0;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-top-right-radius: 7px;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317:hover {\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331:hover {\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover
.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover .custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331 {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339 img {\r\n width: 1.875rem;\r\n height: auto;\r\n transition: filter 0.3s
ease;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list_qp4x5_365 {\r\n width:
3.125rem;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371 {\r\n width: 1.875rem;\r\n height:
auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li {\r\n width:
3.125rem;\r\n height: 3.125rem;\r\n padding: 0.5rem;\r\n box-sizing: border-box;\r\n border: 2px solid white;\r\n display:
inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border 0.3s ease; /* Smooth transition
effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last item
*/\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411 {\r\n background-color: #0474b4;\r\n
border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419 {\r\n background-color: #3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425 {\r\n background-color: #000;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431 {\r\n background-color: #fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437 {\r\n background-color: #f0f2f5;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443 {\r\n background-color: #ec7b1c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of
last item*/\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n height:
3.25rem; /* Increase last child height to make in align with the hover label */\r\n}\r\n.custom_widget_MicrosoftFooter_x-icon_qp4x5_465 {\r\n filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 1.25rem !important;\r\n height: auto;\r\n
padding-top: 0.3125rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479 {\r\n filter:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 30 of 35

invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition: filter 0.3s ease;\r\n padding-top: 0.3125rem
!important;\r\n width: 1.5625rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_share-icon_qp4x5_493 {\r\n border:
2px solid transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover {\r\n border: 2px solid white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item
*/\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover
.custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n
box-sizing: border-box;\r\n border-left: none;\r\n}\r\n.custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n position:
absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility: hidden;\r\n transition: all 0.2s ease;\r\n color:
white;\r\n border-radius: 0 10 0 0.625rem;\r\n top: 50%;\r\n transform: translateY(-50%);\r\n height: 3.25rem;\r\n display:
flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 0.625rem 0.75rem 0.9375rem 0.5rem;\r\n border: 2px
solid white;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin_qp4x5_317 {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first
item*/\r\n}\r\n.custom_widget_MicrosoftFooter_facebook_qp4x5_585 {\r\n background-color:
#3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_twitter_qp4x5_591 {\r\n background-color: black;\r\n color:
white;\r\n}\r\n.custom_widget_MicrosoftFooter_reddit_qp4x5_599 {\r\n background-color:
#fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_mail_qp4x5_605 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last
item*/\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky_qp4x5_479 {\r\n background-color: #f0f2f5;\r\n color:
black;\r\n}\r\n.custom_widget_MicrosoftFooter_rss_qp4x5_621 {\r\n background-color: #ec7b1c;\r\n}\r\n@media (max-width: 991px) {\r\n .custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n display: none;\r\n }\r\n}\r\n","tokens":
{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_qp4x5_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_qp4x5_23","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115","c-list":"custom_widget_MicrosoftFooter_c-list_qp4x5_155","f-bare":"custom_widget_MicrosoftFooter_f-bare_qp4x5_155","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213","c-uhff-consumer":"custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215","social-share":"custom_widget_MicrosoftFooter_social-share_qp4x5_281","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_qp4x5_297","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317","social-share-email-image":"custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_qp4x5_365","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371","social-share-list-linkedin":"custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411","social-share-list-facebook":"custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419","social-share-list-xicon":"custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425","social-share-list-reddit":"custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431","social-share-list-bluesky":"custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437","social-share-list-rss":"custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443","social-share-list-mail":"custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449","x-icon":"custom_widget_MicrosoftFooter_x-icon_qp4x5_465","bluesky-icon":"custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479","share-icon":"custom_widget_MicrosoftFooter_share-icon_qp4x5_493","label":"custom_widget_MicrosoftFooter_label_qp4x5_525","linkedin":"custom_widget_MicrosoftFooter_linkedin_qp4x5_317","faceb
components/community/Breadcrumb-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1775111751117","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent
page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1775111751117","value":{"messageMarkedAsSpam":"This post has been marked as
spam","messageMarkedAsSpam@board:TKB":"This article has been marked as
spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as
spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as
spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as
spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage
Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This
article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as
abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as
abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as
abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as
abuse","preModCommentAuthorText":"This comment will be published as soon as it is
approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 31 of 35

has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other
reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other
reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other
reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other
reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other
reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related
Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived
Content"},"localOverride":false},"Category:category:Exchange":
{"__typename":"Category","id":"category:Exchange","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":
{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":
{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":
{"__typename":"Category","id":"category:EducationSector","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":
{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":
{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":
{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":
{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":
{"__typename":"Category","id":"category:PublicSector","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":
{"__typename":"Category","id":"category:microsoft365","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":
{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":
{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":
{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":
{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftforNonprofits":
{"__typename":"Category","id":"category:MicrosoftforNonprofits","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":
{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Microsoft365Copilot":
{"__typename":"Category","id":"category:Microsoft365Copilot","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":
{"__typename":"Category","id":"category:Windows","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Content_Management":
{"__typename":"Category","id":"category:Content_Management","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityNewsDesk":
{"__typename":"Category","id":"category:CommunityNewsDesk","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 32 of 35

{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-learn-for-educators":
{"__typename":"Category","id":"category:microsoft-learn-for-educators","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:mvp":
{"__typename":"Category","id":"category:mvp","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoftintune":
{"__typename":"Category","id":"category:microsoftintune","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-global-community-initiative":
{"__typename":"Category","id":"category:microsoft-global-community-initiative","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:usergroups":
{"__typename":"Category","id":"category:usergroups","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:skills-hub":
{"__typename":"Category","id":"category:skills-hub","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:skills-hub-blog":
{"__typename":"Blog","id":"board:skills-hub-blog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"CachedAsset:text:en_US-components/community/Navbar-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1775111751117","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage
Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit
Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","windows-server":"Windows
Server","ms-learn-ext-security":"Microsoft Security","Common_Enntvz-i-t-ops-talk-link":"ITOps Talk","education-sector":"Education Sector","Common-external-link-9":"Microsoft 365","Common-external-link-8":"Dynamics
365","Common-external-link-7":"Skilling Room Directory","Common-external-link-6":"Events","Common-external-link-5":"Blogs","Common-external-link-4":"View All","Common-gxcuf89792-community":"Community","Common-external-link-3":"Topics","microsoft365":"Microsoft 365","Common_Enntvz-community-news-desk-link":"Community News
Desk","Common_Enntvz-azure-link":"Azure","Common-community-info-center-link":"Lounge","azure":"Azure","Common_Enntvz-windows-link":"Windows","Common_Enntvz-education-sector-link":"Education Sector","Common-windows-server-link":"Windows Server","products-link":"Products","Common_Enntvz-partner-community-link":"Microsoft Partner Community","microsoft-learn-blog":"Blog","Common-external-link-2":"View All","community-hub-link":"Community Hubs","Common-mvp-link":"Microsoft MVP Program","community-info-center":"Lounge","microsoft-endpoint-manager":"Microsoft
Intune","startupsat-microsoft":"Startups at Microsoft","ms-learn-ext-azure":"Azure","Common_Enntvz-content_management-link":"Content Management","ms-learn-ext-github":"Github","Common-microsoft365-
link":"Microsoft 365","Common-i-t-ops-talk-link":"ITOps Talk","Common_Enntvz-view-all-products-link":"View
All","Common-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative (MGCI)","all-events-link":"Events","Common_Enntvz-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common-external-link":"Community Hubs","Common-partner-community-link":"Microsoft Partner Community","Common-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common_Enntvz-microsoft-teams-link":"Microsoft Teams","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","Common-healthcare-and-life-sciences-link":"Healthcare and Life Sciences","planner":"Outlook","Common_Enntvz-exchange-link":"Exchange","healthcare-and-life-sciences":"Healthcare and Life Sciences","Common-external-link-10":"View All","Common-driving-adoption-link":"Driving Adoption","ms-learn-ext-pp":"Power Platform","Common_Enntvz-windows-server-link":"Windows
Server","Common-io-t-link":"Internet of Things (IoT)","Skills-Hub":"Skills Hub","microsoft-teams":"Microsoft
Teams","Common-outlook-link":"Outlook","Common_Enntvz-public-sector-link":"Public Sector","Common-windows-link":"Windows","all-blogs-link":"Blogs","communities":"Products","Common_Enntvz-usergroups-link":"User
Groups","Common_Enntvz-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative
(MGCI)","Skills-Hub-link":"Community","Common_Enntvz-io-t-link":"Internet of Things (IoT)","ms-learn-ext-m365":"Microsoft 365","Common_Enntvz-microsoft-mechanics-link":"Microsoft Mechanics","microsoft-learn-community":"Community","partner-community":"Microsoft Partner Community","Common-microsoft-mechanics-link":"Microsoft Mechanics","Common_Enntvz-healthcare-and-life-sciences-link":"Healthcare and Life
Sciences","microsoft-mechanics":"Microsoft Mechanics","Common-microsoft-security-link":"Microsoft
Security","Common-education-sector-link":"Education Sector","Skills-Hub-Blog":"Blog","i-t-ops-talk":"ITOps
Talk","microsoft-securityand-compliance":"Microsoft Security","Common_Enntvz-microsoftintune-link":"Microsoft
Intune","Common-azure-link":"Azure","Common-microsoftintune-link":"Microsoft Intune","Common_Enntvz-view-all-topics-link":"View All","Common-usergroups-link":"User Groups","Common-public-sector-link":"Public
Sector","Common_Enntvz-microsoft-security-link":"Microsoft Security","Common_Enntvz-outlook-link":"Outlook","Common_Enntvz-mvp-link":"Microsoft MVP Program","exchange":"Exchange","topics-link":"Topics","io-t":"Internet of Things (IoT)","Common-microsoft365-copilot-link":"Microsoft 365 Copilot","Common-microsoft-teams-link":"Microsoft Teams","s-m-b":"Nonprofit Community","Common_Enntvz-community-info-center-https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 33 of 35

link":"Lounge","Common_Enntvz-microsoft365-copilot-link":"Microsoft 365 Copilot","Common_Enntvz-microsoftfor-nonprofits-link":"Nonprofit Community","Common_Enntvz-microsoft365-link":"Microsoft 365","Common-content_management-link":"Content Management","ms-learn-ext-teams":"Teams","s-q-l-server":"Content
Management","products-services":"Products","Common-community-news-desk-link":"Community News Desk","ms-learn-ext-LD":"Skilling Room Directory","Common-exchange-link":"Exchange","Common-gxcuf89792-link":"Tech
Community","windows":"Windows","public-sector":"Public Sector","Common_Enntvz-driving-adoption-link":"Driving
Adoption","Common-microsoftfor-nonprofits-link":"Nonprofit Community","ms-learn-ext-net":".NET","ms-learn-ext-dynamics":"Dynamics 365","a-i":"AI and Machine Learning","outlook":"Microsoft 365
Copilot"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1775111751117","value":{"hamburgerLabelOpen":"Open Side Menu","hamburgerLabelClose":"Close Side
Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1775111751117","value":
{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo","linkAriaLabel":"Go to community home
page"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1775111751117","value":
{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/search/SpotlightSearchIcon-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/search/SpotlightSearchIcon-1775111751117","value":{"search":"Search"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1775111751117","value":{"title.login":"Sign
In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign
In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1775111751117","value":{"place":"Go back
to {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1775111751117","value":
{"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":"
{messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show
More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solution","messageStatus":"Status:
","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added:
{status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse
replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing
information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match
what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1775111751117","value":{"leaveReply":"Leave a
reply...","leaveReply@board:BLOG@message:root":"Leave a
comment...","leaveReply@board:TKB@message:root":"Leave a
comment...","leaveReply@board:IDEA@message:root":"Leave a
comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies
are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this
topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned
off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking
me!"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1775111751117","value":{"ariaLabelClosed":"Press the down arrow to open the
menu"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCoverImage-1775111751117","value":
{"coverImageTitle":"Cover Image"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeTitle-1775111751117","value":{"nodeTitle":"{nodeTitle, select, community
{Community} other {{nodeTitle}}} "},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTimeToRead-1775111751117","value":{"minReadText":"{min} MIN
READ"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1775111751117","value":
{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1775111751117","value":
{"authorName":"View Profile: {author}","anonymous":"Anonymous","ariaLabel.rank":"Rank:
{rankName}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1775111751117","value":{"rankName":"{rankName}","userRank":"Author rank
{rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1775111751117":
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 34 of 35

{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1775111751117","value":
{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last
posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected
time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1775111751117","value":
{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message
{Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been
removed from the community.","videoProcessing":"Video is being processed. Please try again in a few
minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the
provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1775111751117","value":{"CustomField.default.label":"Value of
{name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1775111751117","value":
{"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}}
{date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}.
{minor}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1775111751117","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagList-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagList-1775111751117","value":{"showMoreFor":"Show more for {title}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1775111751117","value":{"repliesCount":"
{count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message:
components/messages/MessageAuthorBio-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1775111751117","value":{"sendMessage":"Send
Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name}
{type}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1775111751117","value":
{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1775111751117","value":{"altTitle":"Icon for {rankName}
rank"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1775111751117","value":
{"tagLabelName":"Tag name {tagName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1775111751117","value":{"noPrefix":"{date}","withPrefix":"Joined
{date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751117":
{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1775111751117","value":
{"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1775111751117","value":{"description":"
{description}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751117":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1775111751117","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge
Base} IDEA {Ideas} OCCASION {Events} other {}}
icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query":
{"boardId":"microsoftsecurityexperts","messageSubject":"part-1-lockbit-2-0-ransomware-bugs-and-database-recovery-attempts","messageId":"3254354"},"buildId":"VXuOn2D5MfObWEiRanLQ9","runtimeConfig":
{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","surveysEnabled":true,"openTelemetry":
{"clientEnabled":false,"configName":"o365","serviceVersion":"26.1.0","universe":"prod","collector":"http://localhost:4318","logLevel":"error","routeCha
["components_community_Navbar_NavbarWidget","components_community_Breadcrumb_BreadcrumbWidget","components_customComponent_Custo
[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1751476272000/analytics.js?
page.id=BlogMessagePage&entity.id=board%3Amicrosoftsecurityexperts&entity.id=message%3A3254354","strategy":"afterInteractive"}]}
Source: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/325435
4
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
Page 35 of 35