Flamingo_unlock Ransomware (.lAeSUZDqb, lAeSUZDqb.README.txt)

1.

This happened through an Adobe Acrobat Zip I downloaded from telegram page
(Can share page link privately to experts on the forum upon request)

 

give a link to download the file through private messages, perhaps the file is still available.

2. The logo is uniquely linked to the Lockbit Black v3/CryptomanGizmo ransomware

3. If you still have a modified desktop (desktop background), please show us a screenshot of the desktop.

4. If it's Lockbit v3, and all users' encryption comes with the same extension, it's possible that the decryptor can be suitable for all cases, so if someone decides to buy the decryptor, please share with other victims.

Edited by al1963, 23 August 2023 - 03:16 AM.

... have attached the Ransom Note and the Logo All Files infected by the .lAeSUZDqb

The image does look similar to LockBit 3.0 (LockBit Black) as shown here by PCrisk

 and Hacker News.

However, as also noted by PCrisk (and Trend Micro), LockBit 3.0 encrypted files typically will be renamed with TWO strings of random.random characters appended to the end of the encrypted file and leave files (ransom notes) named with the same second string [random characters].README.txt, [random characters].bmp. 

.CDtU3Eq.HLJkNskOq
.PLikeDC.HLJkNskOq
.qwYkH3L.HLJkNskOq
HLJkNskOq.README.txt
HLJkNskOq.bmp

Edited by quietman7, 23 August 2023 - 02:44 PM.

That explains the similarities.
 
CriptomanGizmo Ransomware examples.

<filename>.hZiV1YwzR
<filename>.3WbzmF0CC
<filename>.JxxLLpPns
hZiV1YwzR.README.txt
3WbzmF0CC.README.txt
JxxLLpPns.README.txt

Flamingo_unlock

<filename>.lAeSUZDqb
lAeSUZDqb.README.txt

He may have used Lockbit v3 Black Builder to create his sample.

In this case, the configuration file config.json can be modified.

This file allows you to create your own ransom note.

If you remove this line from the default note

Y>>>>our personal DECRYPTION ID: %s

 

then the ID string with ID will not be displayed in the ransom note.

By default "encrypt_filename": false, If this parameter is changed to "true", the original name in the encrypted file will be replaced with a random one.

By default "print_note": true If you change this parameter to "false" - the ransom note will not be printed.

By default "set_wallpaper": true, If you change this parameter to "false:" - the message "Lockbit Black. All your important files are stolen and encrypted!....." will not be displayed on the desktop.

By default "set_icons": true, If you change this parameter to "false: - the standard icon "B" will not be displayed on files

---------

The fact that the extension remains constant in all known cases suggests that it encrypts different clients with the same sample. This is both good and bad. The bad news is that LB3Decryptor was created in advance on your device. Well - the fact that for all victims there can be one and the same decoder.

Edited by al1963, 24 August 2023 - 05:41 AM.

Interesting analysis based on LB3Black samples from Kaspersky Lab.

"We found that 77 samples make no reference to a “Lockbit” string"

https://securelist.com/lockbit-ransomware-builder-analysis/110370/

Pues estoy en la misma situación de los compañeros anteriores, el pasado 21 de agosto fui víctima del tal flamingo voy a intentar subir los archivos que pedis por si hubiera solución que los entendidos pudieran ayudarnos a desencriptar los archivos afectados.

solamente consigo adjuntar la nota de texto, he intentado subiros un archivo encriptado y el mismo desencriptado pero o no sé hacerlo porque no me deja adjuntarlos

Espero vuestra respuesta , ojalá tengamos suerte y los que entendeis podais guiarnos . Gracias de antemano.

Amigo-A Something like this happened to me

@pekkuu
 
.qQGCCtKXN and qQGCCtKXN.README.txt are related to CriptomanGizmo. Ransom note contents and email have been reported before although personal DECRYPTION ID number is different.
 

!!! ALL YOUR FILES ARE ENCRYPTED!!!
 
All your files, documents, photos, databases and other important files are encrypted.
The only way to recover your files is to get a decryptor.
To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter:
 
Email: decryptor@cyberfear.com
Telegram: https://t.me/decrypt_help
@decrypt_help
 
Warning.
* Do not rename encrypted files.
* Do not attempt to decrypt data using third party software, as this may result in permanent data loss.
* Do not contact other people, only we can help you and recover your data.
 
Your personal DECRYPTION ID: 5B5F20AF9F8AF766902D314D39CB62E0

 
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

• CriptomanGizmo Ransomware (random extension) Support Topic

I can’t understand why a well-known ransomware family has different names.
"Flamingo_unlock" ransomware was created using leaked LockBit3 builder (version 2022-09-09 01:27:01).
CriptomanGizmo, Flamingo_unlock and etc aren't spin-offs from LockBit3 (Black), they are LockBit3 (Black)!!!

Spin-off implies further development. Babuk may be a spin-off, but LockBit3 is not.
Now more than 100 gangs use LockBit3 for attacks.

Flamingo_unlock sample
https://www.virustotal.com/gui/file/66c143f6ed237e162e1ed9c0213ea4eea7e87ef9f13876516917e522194e7a0b

Here is its LockBit3 config.json part:
 

{
  "bot": {
    "uid": "00000000000000000000000000000000",
    "key": "00000000000000000000000000000000"
  },
  "config": {
    "settings": {
      "encrypt_mode": "auto",
      "encrypt_filename": false,
      "impersonation": true,
      "skip_hidden_folders": false,
      "language_check": false,
      "local_disks": true,
      "network_shares": true,
      "kill_processes": true,
      "kill_services": true,
      "running_one": true,
      "print_note": true,
      "set_wallpaper": true,
      "set_icons": true,
      "send_report": false,
      "self_destruct": true,
      "kill_defender": true,
      "wipe_freespace": false,
      "psexec_netspread": false,
      "gpo_netspread": true,
      "gpo_ps_update": true,
      "shutdown_system": false,
      "delete_eventlogs": true,
      "delete_gpo_delay": 1
    },
...

You should classify groups, but not well-known malware families!

Edited by rivitna, 15 September 2023 - 05:49 PM.

Flamingo_unlock sample
https://www.virustotal.com/gui/file/66c143f6ed237e162e1ed9c0213ea4eea7e87ef9f13876516917e522194e7a0b

Here is its LockBit3 config.json part:..

 

Great! The sample was just not enough to claim that this was the result of the work of LB3Builder Black. Should we assume that for all these *.lAeSUZDqb cases the private key (and the LB3Decryptor.exe) is the same?
 

Edited by al1963, 15 September 2023 - 08:34 PM.

LockBit3 builder generates new RSA key pairs every time.

Ransom file extension is computed based on the RSA public key.

https://github.com/rivitna/Malware/blob/main/LockBit3/lb3_parse_cfg.py

# Decryption ID
decr_id = binascii.hexlify(rsa_pub_key[:8]).decode().upper()
print('decryption id: \"%s\"' % decr_id)
# GUID
guid = lb3_id.get_uuid_str(rsa_pub_key)
print('guid: \"%s\"' % guid)
# Ransom extension
victim_id = lb3_id.get_victim_id(guid)
print('ransom ext: \"%s\"' % ('.' + victim_id))
# Ransom note name
ransom_note_name = victim_id + '.' + RANSOM_NOTE_NAME
print('ransom note name: \"%s\"' % ransom_note_name)
# bot_id
bot_id = lb3_id.get_bot_id(guid, True)
print('bot_id: \"%s\"' % bot_id)
# Mutex name
mutex_name = lb3_id.get_bot_id(guid, False)
print('mutex name: \"Global\\%s\"' % mutex_name)

For this sample

https://www.virustotal.com/gui/file/66c143f6ed237e162e1ed9c0213ea4eea7e87ef9f13876516917e522194e7a0b

decryption id: "5517E4B5E9EDCE63"
guid: "{6A1D5A1E-86FC-23D1-936D-C63E94CEBCE1}"
ransom ext: ".lAeSUZDqb"
ransom note name: "lAeSUZDqb.README.txt"
bot_id: "45abd01c198ec9991ed08c400aa9df18"
mutex name: "Global\1cd0ab4599c98e19408cd01e18dfa90a"

Edited by rivitna, 16 September 2023 - 12:41 AM.

LockBit3 builder generates new RSA key pairs every time.

Ransom file extension is computed based on the RSA public key.

https://github.com/rivitna/Malware/blob/main/LockBit3/lb3_parse_cfg.py

# Decryption ID
decr_id = binascii.hexlify(rsa_pub_key[:8]).decode().upper()
print('decryption id: \"%s\"' % decr_id)
# GUID
guid = lb3_id.get_uuid_str(rsa_pub_key)
print('guid: \"%s\"' % guid)
# Ransom extension
victim_id = lb3_id.get_victim_id(guid)
print('ransom ext: \"%s\"' % ('.' + victim_id))
# Ransom note name
ransom_note_name = victim_id + '.' + RANSOM_NOTE_NAME
print('ransom note name: \"%s\"' % ransom_note_name)
# bot_id
bot_id = lb3_id.get_bot_id(guid, True)
print('bot_id: \"%s\"' % bot_id)
# Mutex name
mutex_name = lb3_id.get_bot_id(guid, False)
print('mutex name: \"Global\\%s\"' % mutex_name)

Yes, thank you for your research! I have already used the LB3_PARSE_CFG.PY script to extract config.json from sample, if it is not protected by password. .

============= RESTART: D:\DATA\Python\rivitna\LB3\lb3_parse_cfg.py =============
Usage: D:\DATA\Python\rivitna\LB3\lb3_parse_cfg.py filename
helper code position: 00022BBB
helper code saved to file.
cfg data position: 00022E00
rnd seed: 40F4F6526B5B358A
compressed cfg data size: 2398
cfg data size: 2968
cfg data saved to file.
RSA public key saved to file.
decryption id: "F1073E18ABB7B2EF"
guid: "*******"
ransom ext: ".sfKkL7jHp"
ransom note name: "sfKkL7jHp.README.txt"
bot_id: "ad9f2a53e1254202d8eda50be1dc12d3"
mutex name: "Global\532a9fad024225e10ba5edd8d312dce1"
uid: "00000000000000000000000000000000"
ransom note saved to file.
JSON cfg data saved to file.

Edited by al1963, 16 September 2023 - 12:43 AM.

Super! If you know the password, use lb3_pass_dec and then lb3_parse_cfg

Edited by rivitna, 16 September 2023 - 12:51 AM.