{
	"id": "53f0cf1a-20e9-425e-8b0b-e2c928c568af",
	"created_at": "2026-04-06T00:06:12.461743Z",
	"updated_at": "2026-04-10T13:12:29.301398Z",
	"deleted_at": null,
	"sha1_hash": "41fda3aa41ccf8149a6b374ff38d55264b223cbb",
	"title": "malware-notes/Ransomware/Lockbit.md at master · albertzsigovits/malware-notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94553,
	"plain_text": "malware-notes/Ransomware/Lockbit.md at master ·\r\nalbertzsigovits/malware-notes\r\nBy albertzsigovits\r\nArchived: 2026-04-05 16:46:05 UTC\r\nRansom gates\r\nlockbitkodidilol.onion\r\nlockbitks2tvnmwk.onion\r\nRansom note\r\nRestore-My-Files.txt\r\nRansom extension\r\n.lockbit\r\nE-mail\r\nondrugs@firemail.cc\r\nPersistence\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\XO1XADpO01\r\nMutex\r\nGlobal{BEF590BE-11A6-442A-A85B-656C1081E04C}\r\nExecuted commands\r\nbcdedit /set {default} recoveryenabled No\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nvssadmin delete shadows /all /quiet\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin delete catalog -quiet\r\nwevtutil cl system\r\nwevtutil cl security\r\nwevtutil cl application\r\nhttps://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md\r\nPage 1 of 11\n\nwmic SHADOWCOPY /nointeractive\r\nwmic shadowcopy delete\r\nping 1.1.1.1 -n 22 \u003e Nul \u0026 \"%s\"\r\nping 127.0.0.7 -n 3 \u003e Nul \u0026 fsutil file setZeroData offset=0 length=524288 \"%s\" \u0026 Del /f /q \"%s\"\r\nRegistry keys\r\nSOFTWARE\\LockBit\r\nSOFTWARE\\LockBit\\full\r\nSOFTWARE\\LockBit\\Public\r\nFolders skip-list\r\n$windows.~bt\r\nintel\r\nmsocache\r\n$recycle.bin\r\n$windows.~ws\r\ntor browser\r\nboot\r\nsystem volume information\r\nperflogs\r\ngoogle\r\napplication data\r\nwindows\r\nwindows.old\r\nappdata\r\nWindows nt\r\nMsbuild\r\nMicrosoft\r\nAll users\r\nMozilla\r\nFiles skip-list\r\nntldr\r\nntuser.dat.log\r\nbootsect.bak\r\nautorun.inf\r\nService stop-list\r\nwrapper\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nSqlservr\r\nsqlagent\r\nsqladhlp\r\nCulserver\r\nRTVscan\r\nsqlbrowser\r\nSQLADHLP\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nsqlwriter\r\nmsmdsrv\r\ntomcat6\r\nzhudongfangyu\r\nvmware-usbarbitator64\r\nvmware-converter\r\ndbsrv12\r\ndbeng8\r\nMSSQL$MICROSOFT##WID\r\nMSSQL$VEEAMSQL2012\r\nSQLAgent$VEEAMSQL2012\r\nSQLBrowser\r\nSQLWriter\r\nFishbowlMySQL\r\nMSSQL$MICROSOFT##WID\r\nMySQL57\r\nMSSQL$KAV_CS_ADMIN_KIT\r\nMSSQLServerADHelper100\r\nSQLAgent$KAV_CS_ADMIN_KIT\r\nmsftesql-Exchange\r\nMSSQL$MICROSOFT##SSEE\r\nMSSQL$SBSMONITORING\r\nMSSQL$SHAREPOINT\r\nMSSQLFDLauncher$SBSMONITORING\r\nMSSQLFDLauncher$SHAREPOINT\r\nSQLAgent$SBSMONITORING\r\nSQLAgent$SHAREPOINT\r\nQBFCService\r\nQBVSS\r\nYooBackup\r\nYooIT\r\nsvc$\r\nMSSQL\r\nMSSQL$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\nbedbg\r\nPDVFSService\r\nBackupExecVSSProvider\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nMVArmor\r\nMVarmor64\r\nstc_raw_agent\r\nVSNAPVSS\r\nVeeamTransportSvc\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nAcronisAgent\r\nARSM\r\nAcrSch2Svc\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nWSBExchange\r\nMSExchange\r\nMSExchange$\r\nLanmanWorkstation\r\nWebClient\r\nProcess kill-list\r\nwxServer\r\nwxServerView\r\nsqlmangr\r\nRAgui\r\nsupervise\r\nCulture\r\nDefwatch\r\nwinword\r\nQBW32\r\nQBDBMgr\r\nqbupdate\r\naxlbridge\r\nhttpd\r\nfdlauncher\r\nMsDtSrvr\r\njava\r\n360se\r\n360doctor\r\nwdswfsafe\r\nfdhost\r\nGDscan\r\nZhuDongFangYu\r\nQBDBMgrN\r\nmysqld\r\nAutodeskDesktopApp\r\nacwebbrowser\r\nCreative Cloud\r\nAdobe Desktop Service\r\nCoreSync\r\nAdobe CEF Helper\r\nnode\r\nAdobeIPCBroker\r\nsync-taskbar\r\nsync-worker\r\nInputPersonalization\r\nAdobeCollabSync\r\nBrCtrlCntr\r\nBrCcUxSys\r\nSimplyConnectionManager\r\nSimply.SystemTrayIcon\r\nfbguard\r\nfbserver\r\nONENOTEM\r\nwsa_service\r\nkoaly-exp-engine-service\r\nTeamViewer_Service\r\nTeamViewer\r\ntv_w32\r\ntv_x64\r\nTitanV\r\nSsms\r\nnotepad\r\nRdrCEF\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwordpad\r\nbedbh\r\nvxmon\r\nbenetns\r\nbengien\r\npvlsvr\r\nbeserver\r\nraw_agent_svc\r\nvsnapvss\r\nCagService\r\nDellSystemDetect\r\nEnterpriseClient\r\nVeeamDeploymentSvc\r\nExtension list\r\n.msstyles\r\n.sqlitedb\r\n.sqlite3\r\n.diagcab\r\n.diagcfg\r\n.diagpkg\r\n.sqlite\r\n.db-shm\r\n.db-wal\r\n.dacpac\r\n.theme\r\n.icns\r\n.lock\r\n.tmd\r\n.ckp\r\n.dbc\r\n.sql\r\n.mwb\r\n.rar\r\n.dbv\r\n.frm\r\n.mdf\r\n.dbt\r\n.qry\r\n.ndf\r\n.sdb\r\n.myd\r\n.mrg\r\n.db3\r\n.dbs\r\n.dbf\r\n.sdf\r\n.zip\r\n.rdp\r\n.bin\r\n.hlp\r\n.shs\r\n.drv\r\n.wpx\r\n.bat\r\n.rom\r\n.msc\r\n.spl\r\n.ps1\r\n.msu\r\n.ics\r\n.key\r\n.exe\r\n.dll\r\n.lnk\r\n.ico\r\n.hlp\r\n.sys\r\n.drv\r\n.cur\r\n.idx\r\n.ini\r\n.reg\r\n.mp3\r\n.386\r\n.cmd\r\n.ani\r\n.adv\r\n.msi\r\n.msp\r\n.com\r\n.nls\r\n.ocx\r\n.mpa\r\n.cpl\r\n.mod\r\n.hta\r\n.prf\r\n.rtp\r\nRansom note:\r\nAll your important files are encrypted!\r\nAny attempts to restore your files with the thrid-party software will be fatal for your files!\r\nRESTORE YOU DATA POSIBLE ONLY BUYING private key from us.\r\nThere is only one way to get your files back:\r\n| 1. Download Tor browser - https://www.torproject.org/ and install it.\r\n| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?\r\nThis link only works in Tor Browser!\r\n| 3. Follow the instructions on this page\r\n ### Attention! ###\r\n # Do not rename encrypted files.\r\n # Do not try to decrypt using third party software, it may cause permanent data loss.\r\n # Decryption of your files with the help of third parties may cause increased price(they add their fee to our)\r\n # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org\r\n # Tor Browser user manual https://tb-manual.torproject.org/about\r\n!!! We also download huge amount of your private data, including finance information, clients personal info, net\r\nSHA256\r\n0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76\r\n0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f\r\n0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335\r\n0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51\r\n13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0\r\n15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a\r\n1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18\r\n1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770\r\n256e2bf5f3c819e0add95147b606dc314bbcbac32a801a59584f43a4575e25dc\r\n26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739\r\n2b8117925b4b5b39192aaaea130426bda39ebb5f363102641003f2c2cb33b785\r\n3f29a368c48b0a851db473a70498e168d59c75b7106002ac533711ca5cfabf89\r\n410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677\r\n4acc0b5ed29adf00916dea7652bcab8012d83d924438a410bee32afbcdb995cc\r\n5b9bae348788cd2a1ce0ba798f9ae9264c662097011adbd44ecfab63a8c4ae28\r\n6292c2294ad1e84cd0925c31ee6deb7afd300f935004a9e8a7a43bf80034abae\r\n69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997\r\n83ab7a2bcac146db472f3b930c01af5b6d3d978ead7b14a9d0ac16e1a76e9f9d\r\n9bc98d15f243257c1b5bca59464abe68c680cd5482ba9f5082201dde41a016cf\r\na03326ac8efa930e10091a374d40ddab9f7c2f12246d6ef7983bad93256f1f3a\r\na0085da4a920e92d8f59fefa6f25551655ca911382b5e34df76a9333ac8b7214\r\na08fbf01d02097094b725101309b2bf7fefc2e27724654b840b87e091aa5c9b9\r\na1360645cf3113715cc023d2e4cf9f6f3a6278abcf4499f0ba7cd76c82839eb0\r\nc8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871\r\nce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f\r\ne3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877\r\nec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d\r\nffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d\r\nDecryptors\r\n09e956d140d6879cf7eacbb65dcbfbe1dea1961a31c5d0f834343ef2c886ccc1\r\n9bc98d15f243257c1b5bca59464abe68c680cd5482ba9f5082201dde41a016cf\r\nVT perks:\r\nvhash:\"015036656d5223z12z3e05031f1z37z406001a5zb7z\"\r\nimphash:\"be232aa2621354bf5dd7b405cc99198c\"\r\nYARA rules\r\nrule lockbit_clsids\r\n{\r\nstrings:\r\n$id1 = \"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\" ascii wide\r\n$id2 = \"{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}\" ascii wide\r\n$id3 = \"{02B49784-1CA2-436C-BC08-72FA3956507D}\" ascii wide\r\n$id4 = \"{BEF590BE-11A6-442A-A85B-656C1081E04C}\" ascii wide\r\ncondition:\r\n3 of them\r\n}\r\nrule lockbit_mutex\r\n{\r\nstrings:\r\n$mutex = \"XO1XADpO01\" ascii wide\r\ncondition:\r\nall of them\r\n}\r\nrule lockbit_uac\r\n{\r\nstrings:\r\n$uac0 = \"Elevation:Administrator!new:\" ascii wide\r\n$uac1 = \"DisplayCalibrator\" ascii wide\r\n$uac2 = \"Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration\" ascii wide\r\ncondition:\r\nall of them\r\n}\r\nrule lockbit_cmd\r\n{\r\nstrings:\r\n$cmd0 = \"vssadmin Delete Shadows /All /Quiet\" ascii wide\r\n$cmd1 = \"bcdedit /set {default} recoveryenabled No\" ascii wide\r\n$cmd2 = \"bcdedit /set {default} bootstatuspolicy ignoreallfailures\" ascii wide\r\n$cmd3 = \"wbadmin DELETE SYSTEMSTATEBACKUP\" ascii wide\r\n$cmd4 = \"wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\" ascii wide\r\n$cmd5 = \"wmic SHADOWCOPY /nointeractive\" ascii wide\r\n$cmd6 = \"wevtutil cl security\" ascii wide\r\n$cmd7 = \"wevtutil cl system\" ascii wide\r\n$cmd8 = \"wevtutil cl application\" ascii wide\r\ncondition:\r\n6 of them\r\n}\r\nrule lockbit_priv_masq\r\n{\r\nstrings:\r\n$masq = { ff 15 [1-4] 85 ?? 0f [1-5] 68 04 01 00 00 8d [1-5] 50 ff 15 [1-4] 8b [1-5] 8d [1-5]\r\n$priv = { ff 15 [1-4] 85 ?? 74 ?? 8d ?? ?? 50 8d ?? ?? 50 6a 00 ff 15 [1-4] 85 ?? 74 ?? 39 ??\r\ncondition:\r\n$masq or $priv\r\n}\r\nSource: https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md"
	],
	"report_names": [
		"Lockbit.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41fda3aa41ccf8149a6b374ff38d55264b223cbb.pdf",
		"text": "https://archive.orkl.eu/41fda3aa41ccf8149a6b374ff38d55264b223cbb.txt",
		"img": "https://archive.orkl.eu/41fda3aa41ccf8149a6b374ff38d55264b223cbb.jpg"
	}
}