Flamingo_unlock Ransomware (.lAeSUZDqb, lAeSUZDqb.README.txt)


51 replies to this topic

#31 al1963 (Members, 1,151 posts)

Posted 23 August 2023 - 03:11 AM

1.

> This happened through an Adobe Acrobat Zip I downloaded from telegram page
> (Can share page link privately to experts on the forum upon request)

Give a link to download the file through private messages; perhaps the file is still available.

 

2. The logo is uniquely linked to the Lockbit Black v3/CryptomanGizmo ransomware

 

3. If you still have a modified desktop (desktop background), please show us a screenshot of the desktop.

 

4. If it's Lockbit v3, and all users' encryption comes with the same extension, it's possible that the decryptor can be suitable for all cases, so if someone decides to buy the decryptor, please share with other victims.


Edited by al1963, 23 August 2023 - 03:16 AM.



#32 quietman7, Bleepin' Gumshoe (Global Moderator, 61,171 posts)

Posted 23 August 2023 - 06:33 AM

> ... have attached the Ransom Note and the Logo All Files infected by the .lAeSUZDqb

[image: attached logo screenshot]

The image does look similar to LockBit 3.0 (LockBit Black) as shown here by PCrisk

[image: LockBit 3.0 encrypted files, PCrisk]

and Hacker News.

[image: LockBit ransomware, Hacker News]

 

 

However, as also noted by PCrisk (and Trend Micro), LockBit 3.0 encrypted files typically will be renamed with TWO strings of random characters (random.random) appended to the end of the encrypted file name, and the ransom notes will be named with the same second string: [random characters].README.txt, [random characters].bmp

.CDtU3Eq.HLJkNskOq
.PLikeDC.HLJkNskOq
.qwYkH3L.HLJkNskOq
HLJkNskOq.README.txt
HLJkNskOq.bmp

 

[image: LockBit Black ransom note and desktop, July 2022]

 

According to the CISA CYBERSECURITY ADVISORY, non-LockBit affiliates were able to use LockBit 3.0 after its builder was leaked in Sep 2022. Flamingo_unlock could be the creation of a non-LockBit affiliate, or just a new variation of CriptomanGizmo, since the random 9-character extension and the ransom note are in the same format.

Microsoft MVP Alumni 2023
Windows Insider MVP 2017-2020
Microsoft MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#33 Amigo-A, Security specialist and Ransomware expert (Members, 3,003 posts)

Posted 23 August 2023 - 10:48 AM

CriptomanGizmo Ransomware is a spin-off from Lockbit Ransomware.

Flamingo_unlock is a spin-off from CriptomanGizmo or its new variation.

Edited by quietman7, 23 August 2023 - 02:44 PM.

My site: The Digest "Crypto-Ransomware" + Google Translate

 


#34 quietman7, Bleepin' Gumshoe (Global Moderator, 61,171 posts)

Posted 23 August 2023 - 02:45 PM


> Flamingo_unlock is a spin-off from CriptomanGizmo or its new variation.

That explains the similarities.
 
CriptomanGizmo Ransomware examples.

<filename>.hZiV1YwzR
<filename>.3WbzmF0CC
<filename>.JxxLLpPns
hZiV1YwzR.README.txt
3WbzmF0CC.README.txt
JxxLLpPns.README.txt

Flamingo_unlock

<filename>.lAeSUZDqb
lAeSUZDqb.README.txt

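An added triage check (my code, not from the thread or any project named in it) that turns the naming patterns in #32 and #34 into something an analyst can run over a directory listing: it groups encrypted files by the appended 9-character extension, looks for the matching <ext>.README.txt note, and reports whether the names follow the two-string LockBit 3.0 form or the single-string CriptomanGizmo/Flamingo_unlock form. The listing is constructed, and the 7-character length of the middle token is an assumption taken from the PCrisk example.

```python
import re
from collections import defaultdict

# Constructed listing (not an attachment from this thread): the PCrisk-style
# LockBit 3.0 "two string" names quoted above mixed with Flamingo_unlock names.
SAMPLE_LISTING = [
    "report.docx.CDtU3Eq.HLJkNskOq",
    "budget.xlsx.PLikeDC.HLJkNskOq",
    "HLJkNskOq.README.txt",
    "HLJkNskOq.bmp",
    "photo.jpg.lAeSUZDqb",
    "scan.pdf.lAeSUZDqb",
    "lAeSUZDqb.README.txt",
    "notes.txt",
]

TOKEN = r"[A-Za-z0-9]{9}"                       # 9-character random id seen in the thread
EXT_RE = re.compile(rf"\.({TOKEN})$")           # appended extension at the very end
NOTE_RE = re.compile(rf"^({TOKEN})\.README\.txt$")
# Assumption: in the two-string form a shorter random token (7 chars in the PCrisk
# example) sits between the original name and the 9-char extension.
MIDDLE_RE = re.compile(r"\.[A-Za-z0-9]{7}$")


def classify_listing(names):
    """Group files by appended extension; report note presence and naming form."""
    notes = {m.group(1) for n in names if (m := NOTE_RE.match(n))}
    groups = defaultdict(lambda: {"files": 0, "two_string": 0})
    for name in names:
        if NOTE_RE.match(name):
            continue                            # the note itself is not an encrypted file
        m = EXT_RE.search(name)
        if m is None:
            continue                            # untouched file or unrelated extension
        ext = m.group(1)
        groups[ext]["files"] += 1
        if MIDDLE_RE.search(name[:m.start()]):
            groups[ext]["two_string"] += 1
    report = {}
    for ext, g in groups.items():
        report[ext] = {
            "files": g["files"],
            "note_present": ext in notes,       # <ext>.README.txt found beside the files
            "pattern": "two-string" if g["two_string"] == g["files"] else "single-string",
        }
    return report


if __name__ == "__main__":
    for ext, info in classify_listing(SAMPLE_LISTING).items():
        print(f".{ext}: {info}")
```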


#35 al1963 (Members, 1,151 posts)

Posted 24 August 2023 - 05:32 AM

He may have used the Lockbit v3 Black Builder to create his sample.

 

In this case, the configuration file config.json can be modified.

This file allows you to create your own ransom note.

 

If you remove this line from the default note

>>>>> Your personal DECRYPTION ID: %s

then the line with the ID will not be displayed in the ransom note.

 

By default "encrypt_filename": false. If this parameter is changed to "true", the original name of the encrypted file will be replaced with a random one.

By default "print_note": true. If you change this parameter to "false", the ransom note will not be printed.

By default "set_wallpaper": true. If you change this parameter to "false", the message "Lockbit Black. All your important files are stolen and encrypted!....." will not be displayed on the desktop.

By default "set_icons": true. If you change this parameter to "false", the standard icon "B" will not be displayed on files.

---------

The fact that the extension remains constant in all known cases suggests that it encrypts different clients with the same sample. This is both good and bad. The bad news is that LB3Decryptor was created in advance on your device. The good news is that there can be one and the same decryptor for all victims.


Edited by al1963, 24 August 2023 - 05:41 AM.


#36 al1963 (Members, 1,151 posts)

Posted 02 September 2023 - 12:15 AM

Interesting analysis of LB3 Black samples by Kaspersky Lab.

 

"We found that 77 samples make no reference to a “Lockbit” string"

 

https://securelist.com/lockbit-ransomware-builder-analysis/110370/



#37 Riki-alban (Members, 13 posts)

Posted 02 September 2023 - 08:12 AM

Please give me an example of how to make a file experiment, because I don't understand how to use %s?


#38 Susi12 (Members, 3 posts)

Posted 03 September 2023 - 05:04 AM

Well, I am in the same situation as the previous members: on 21 August I was a victim of this Flamingo. I am going to try to upload the files you ask for, in case there is a solution and the experts can help us decrypt the affected files.

I only manage to attach the text note. I have tried to upload an encrypted file and the same file unencrypted, but either I don't know how to do it or it won't let me attach them.

I await your reply; hopefully we'll be lucky and those of you who understand this can guide us. Thanks in advance.

 

Attached Files



#39 pekkuu (Members, 2 posts)

Posted 08 September 2023 - 01:44 AM

Amigo-A, something like this happened to me.

Attached Files



#40 quietman7, Bleepin' Gumshoe (Global Moderator, 61,171 posts)

Posted 08 September 2023 - 06:41 AM

@pekkuu
 
.qQGCCtKXN and qQGCCtKXN.README.txt are related to CriptomanGizmo. The ransom note contents and email have been reported before, although the personal DECRYPTION ID number is different.
 

!!! ALL YOUR FILES ARE ENCRYPTED!!!
 
All your files, documents, photos, databases and other important files are encrypted.
The only way to recover your files is to get a decryptor.
To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter:
 
Email: decryptor@cyberfear.com
Telegram: https://t.me/decrypt_help
@decrypt_help
 
Warning.
* Do not rename encrypted files.
* Do not attempt to decrypt data using third party software, as this may result in permanent data loss.
* Do not contact other people, only we can help you and recover your data.
 
Your personal DECRYPTION ID: 5B5F20AF9F8AF766902D314D39CB62E0

 
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.




#41 rivitna (Members, 11 posts)

Posted 15 September 2023 - 03:04 PM

I can't understand why a well-known ransomware family has different names.
"Flamingo_unlock" ransomware was created using the leaked LockBit3 builder (version 2022-09-09 01:27:01).
CriptomanGizmo, Flamingo_unlock etc. aren't spin-offs of LockBit3 (Black), they are LockBit3 (Black)!!!

A spin-off implies further development. Babuk may be a spin-off, but LockBit3 is not.
Now more than 100 gangs use LockBit3 for attacks.

Flamingo_unlock sample
https://www.virustotal.com/gui/file/66c143f6ed237e162e1ed9c0213ea4eea7e87ef9f13876516917e522194e7a0b

Here is its LockBit3 config.json part:
 

{
  "bot": {
    "uid": "00000000000000000000000000000000",
    "key": "00000000000000000000000000000000"
  },
  "config": {
    "settings": {
      "encrypt_mode": "auto",
      "encrypt_filename": false,
      "impersonation": true,
      "skip_hidden_folders": false,
      "language_check": false,
      "local_disks": true,
      "network_shares": true,
      "kill_processes": true,
      "kill_services": true,
      "running_one": true,
      "print_note": true,
      "set_wallpaper": true,
      "set_icons": true,
      "send_report": false,
      "self_destruct": true,
      "kill_defender": true,
      "wipe_freespace": false,
      "psexec_netspread": false,
      "gpo_netspread": true,
      "gpo_ps_update": true,
      "shutdown_system": false,
      "delete_eventlogs": true,
      "delete_gpo_delay": 1
    },
...

You should classify groups, but not well-known malware families!


Edited by rivitna, 15 September 2023 - 05:49 PM.
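An added example (my code, not from rivitna's repository or anything else posted in this thread) that reads a settings block like the one quoted above and lists the options that change the scope of an incident or the evidence an investigator can expect to find; it also serves the explanation of print_note, set_wallpaper and encrypt_filename in #35. The JSON is reconstructed from the post, and the consequence attached to each key is my reading of the key names and of that explanation, not builder documentation.

```python
import json

# Constructed excerpt mirroring the settings block quoted above (values copied
# from the post, not re-extracted from the sample).
SAMPLE_CFG_JSON = """{
  "config": {"settings": {
    "encrypt_mode": "auto", "encrypt_filename": false, "impersonation": true,
    "skip_hidden_folders": false, "language_check": false, "local_disks": true,
    "network_shares": true, "kill_processes": true, "kill_services": true,
    "running_one": true, "print_note": true, "set_wallpaper": true,
    "set_icons": true, "send_report": false, "self_destruct": true,
    "kill_defender": true, "wipe_freespace": false, "psexec_netspread": false,
    "gpo_netspread": true, "gpo_ps_update": true, "shutdown_system": false,
    "delete_eventlogs": true, "delete_gpo_delay": 1
  }}
}"""
SAMPLE_CFG = json.loads(SAMPLE_CFG_JSON)

# Boolean options that change incident scope or evidence availability when true.
# The consequence text is my reading of the key names (and of the earlier post
# on print_note/set_wallpaper/encrypt_filename), not builder documentation.
SCOPE_KEYS = {
    "network_shares":   "encrypts reachable network shares: scope beyond this host",
    "gpo_netspread":    "spreads via Group Policy: review domain GPO changes",
    "psexec_netspread": "spreads via PsExec: look for remote service creation",
    "kill_defender":    "disables Defender: expect gaps in endpoint telemetry",
    "delete_eventlogs": "clears event logs: rely on forwarded/SIEM copies",
    "self_destruct":    "removes its own binary: preserve memory and prefetch early",
    "wipe_freespace":   "overwrites free space: carving deleted files is unlikely to work",
    "encrypt_filename": "original file names replaced: inventory must come from backups",
    "print_note":       "ransom note sent to printers: check print spooler logs",
    "set_wallpaper":    "desktop wallpaper replaced: users may notice before alerts fire",
}


def triage_settings(cfg):
    """Return (flagged, missing): scope keys set to true, and scope keys absent."""
    settings = cfg["config"]["settings"]
    flagged = [(k, why) for k, why in SCOPE_KEYS.items() if settings.get(k) is True]
    missing = [k for k in SCOPE_KEYS if k not in settings]   # builder versions differ
    return flagged, missing


if __name__ == "__main__":
    flagged, missing = triage_settings(SAMPLE_CFG)
    for key, why in flagged:
        print(f"{key}: {why}")
    print("scope keys not present in this config:", missing)
```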


#42 al1963 (Members, 1,151 posts)

Posted 15 September 2023 - 08:33 PM


> Flamingo_unlock sample
> https://www.virustotal.com/gui/file/66c143f6ed237e162e1ed9c0213ea4eea7e87ef9f13876516917e522194e7a0b
>
> Here is its LockBit3 config.json part:..

 

Great! The sample was just not enough to claim that this was the result of the work of LB3Builder Black. Should we assume that for all these *.lAeSUZDqb cases the private key (and the LB3Decryptor.exe) is the same?
 


Edited by al1963, 15 September 2023 - 08:34 PM.


#43 rivitna (Members, 11 posts)

Posted 16 September 2023 - 12:30 AM

LockBit3 builder generates new RSA key pairs every time.

The ransom file extension is computed from the RSA public key.

https://github.com/rivitna/Malware/blob/main/LockBit3/lb3_parse_cfg.py

import binascii
import lb3_id  # helper module from the same repository as lb3_parse_cfg.py

RANSOM_NOTE_NAME = 'README.txt'  # the note is named <victim_id>.README.txt

# rsa_pub_key: raw bytes of the RSA public key extracted from the sample's config
# Decryption ID
decr_id = binascii.hexlify(rsa_pub_key[:8]).decode().upper()
print('decryption id: \"%s\"' % decr_id)
# GUID
guid = lb3_id.get_uuid_str(rsa_pub_key)
print('guid: \"%s\"' % guid)
# Ransom extension
victim_id = lb3_id.get_victim_id(guid)
print('ransom ext: \"%s\"' % ('.' + victim_id))
# Ransom note name
ransom_note_name = victim_id + '.' + RANSOM_NOTE_NAME
print('ransom note name: \"%s\"' % ransom_note_name)
# bot_id
bot_id = lb3_id.get_bot_id(guid, True)
print('bot_id: \"%s\"' % bot_id)
# Mutex name
mutex_name = lb3_id.get_bot_id(guid, False)
print('mutex name: \"Global\\%s\"' % mutex_name)

For this sample

https://www.virustotal.com/gui/file/66c143f6ed237e162e1ed9c0213ea4eea7e87ef9f13876516917e522194e7a0b

decryption id: "5517E4B5E9EDCE63"
guid: "{6A1D5A1E-86FC-23D1-936D-C63E94CEBCE1}"
ransom ext: ".lAeSUZDqb"
ransom note name: "lAeSUZDqb.README.txt"
bot_id: "45abd01c198ec9991ed08c400aa9df18"
mutex name: "Global\1cd0ab4599c98e19408cd01e18dfa90a"

Edited by rivitna, 16 September 2023 - 12:41 AM.


#44 al1963 (Members, 1,151 posts)

Posted 16 September 2023 - 12:37 AM

> LockBit3 builder generates new RSA key pairs every time.
>
> Ransom file extension is computed based on the RSA public key.
>
> https://github.com/rivitna/Malware/blob/main/LockBit3/lb3_parse_cfg.py
>
> # Decryption ID
> decr_id = binascii.hexlify(rsa_pub_key[:8]).decode().upper()
> print('decryption id: \"%s\"' % decr_id)
> # GUID
> guid = lb3_id.get_uuid_str(rsa_pub_key)
> print('guid: \"%s\"' % guid)
> # Ransom extension
> victim_id = lb3_id.get_victim_id(guid)
> print('ransom ext: \"%s\"' % ('.' + victim_id))
> # Ransom note name
> ransom_note_name = victim_id + '.' + RANSOM_NOTE_NAME
> print('ransom note name: \"%s\"' % ransom_note_name)
> # bot_id
> bot_id = lb3_id.get_bot_id(guid, True)
> print('bot_id: \"%s\"' % bot_id)
> # Mutex name
> mutex_name = lb3_id.get_bot_id(guid, False)
> print('mutex name: \"Global\\%s\"' % mutex_name)

 

Yes, thank you for your research! I have already used the LB3_PARSE_CFG.PY script to extract config.json from a sample, if it is not protected by a password. :)

 

============= RESTART: D:\DATA\Python\rivitna\LB3\lb3_parse_cfg.py =============
Usage: D:\DATA\Python\rivitna\LB3\lb3_parse_cfg.py filename
helper code position: 00022BBB
helper code saved to file.
cfg data position: 00022E00
rnd seed: 40F4F6526B5B358A
compressed cfg data size: 2398
cfg data size: 2968
cfg data saved to file.
RSA public key saved to file.
decryption id: "F1073E18ABB7B2EF"
guid: "*******"
ransom ext: ".sfKkL7jHp"
ransom note name: "sfKkL7jHp.README.txt"
bot_id: "ad9f2a53e1254202d8eda50be1dc12d3"
mutex name: "Global\532a9fad024225e10ba5edd8d312dce1"
uid: "00000000000000000000000000000000"
ransom note saved to file.
JSON cfg data saved to file.


Edited by al1963, 16 September 2023 - 12:43 AM.


#45 rivitna (Members, 11 posts)

Posted 16 September 2023 - 12:49 AM

Super! If you know the password, use lb3_pass_dec and then lb3_parse_cfg.


Edited by rivitna, 16 September 2023 - 12:51 AM.
