{
	"id": "f308fa7d-59c3-413d-a4ae-e22129b3468b",
	"created_at": "2026-04-06T00:21:27.147924Z",
	"updated_at": "2026-04-10T03:26:47.084035Z",
	"deleted_at": null,
	"sha1_hash": "cf1a0c3501dcc37629db209619aa7c4b1c481189",
	"title": "Missed opportunity: Bug in LockBit ransomware allowed free decryptions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116658,
	"plain_text": "Missed opportunity: Bug in LockBit ransomware allowed free\r\ndecryptions\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-24 · Archived: 2026-04-05 20:27:14 UTC\r\nA member of the cybercriminal community has discovered and disclosed a bug in the LockBit ransomware that\r\ncould have been used for free decryptions.\r\nThe bug impacts LockBit, a ransomware-as-a-service (RaaS) operation that launched in January 2020 and through\r\nwhich the LockBit gang rents access to a version of their ransomware strain.\r\nCustomers of the LockBit RaaS, also known as \"affiliates,\" execute intrusions into corporate networks, where they\r\ndeploy the ransomware to encrypt files and demand a ransom from victims to provide a decryption key that\r\nunlocks their files.\r\nThrough a ransom note left on their desktop, LockBit victims are told to access a dark web portal where they can\r\nnegotiate the ransom payment. This \"payment\" portal also allows victims access to a one-time free decryption\r\noperation, so victims can confirm that the hackers have a legitimate and working copy of the decryption key.\r\nLockBit bug posted on cybercrime forum\r\nIn a message posted on an underground cybercrime forum today, a threat actor has posted details about a bug in\r\nLockBit's one-time free decryption mechanism that could have been abused for unlimited free decryptions.\r\n— 3xp0rt (@3xp0rtblog) March 16, 2021\r\nGiving legitimacy to the disclosure, the bug was made public by Bassterlord, a suspected Russian-speaking threat\r\nactor who previously served as an affiliate for the LockBit ransomware gang, but also other rival RaaS operations,\r\nsuch as REvil, Avaddon, and RansomExx.\r\nWith details about the bug being posted in such a public manner, Bassterlord's actions have also sparked a\r\ndiscussion among security professionals about the proper way of reporting bugs in ransomware strains.\r\nJohn Fokker, Head of Cyber Investigations \u0026 Principal Engineer at security firm 
McAfee, told The Record that\r\nthe proper way would be to report any ransomware-related bugs to a security vendor or the No More Ransom\r\nproject.\r\nBoth security vendors and the No More Ransom project have well-established mechanisms in place to take\r\nadvantage of this information and help ransomware victims without alerting the ransomware authors, Fokker said.\r\nThe McAfee exec said the advice applies to both independent security researchers and underground threat\r\nactors looking to sabotage their rivals. ;)\r\nhttps://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/\n\nBug expected to be patched\r\nJust like in previous instances when a bug in ransomware code was exposed, the LockBit gang is now expected to\r\npatch the issue within days, making future free decryption operations impossible. The LockBit portal was also\r\nconspicuously down all day today, suggesting that fixes are possibly being implemented, Marcelo Rivero, a\r\nMalware Intelligence Analyst at security firm Malwarebytes, told The Record.\r\nIn addition, several other members of the security community have also told The Record that the LockBit bug was\r\nsomething they were not aware of and which could have been very useful.\r\nIt may not have been possible to decrypt large batches of files at once without alerting the LockBit crew, but the\r\nbug could have been used to decrypt selected sensitive files for which backups did not exist.\r\nThe LockBit ransomware is currently one of the most active ransomware groups. 
Security firm Coveware\r\nlisted the LockBit ransomware as one of the top 15 ransomware strains in Q4 2020.\r\nAccording to data provided by the ID-Ransomware platform, the LockBit operation still infects tens of victims\r\nevery week.\r\nLockBit submissions to ID-Ransomware service (Image via MalwareHunterTeam)\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/"
	],
	"report_names": [
		"missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434887,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf1a0c3501dcc37629db209619aa7c4b1c481189.pdf",
		"text": "https://archive.orkl.eu/cf1a0c3501dcc37629db209619aa7c4b1c481189.txt",
		"img": "https://archive.orkl.eu/cf1a0c3501dcc37629db209619aa7c4b1c481189.jpg"
	}
}