In our recovery lab today at Lockbit Decryptor, we analyzed a custom-built ELF ransomware targeting TerraMaster and Synology NAS devices. The binary, tos-encrypt, is a Rust-based encryptor using a .locked extension and a “TOSG” magic header. Our forensic analysis confirms this is a BianLian-affiliate operation, leveraging a custom Linux toolset distinct from their primary Windows…
In our recovery lab today at Lockbit Decryptor, we isolated the Zollo ransomware strain, a confirmed variant of the MedusaLocker family. This variant appends the .zollo6 extension (with a variable number) and employs a double-extortion model, threatening to leak stolen data. Our forensic analysis indicates that despite their claims of strong RSA+AES encryption, the underlying…
In our recovery lab today at Lockbit Decryptor, we isolated the Raptum ransomware strain, a confirmed variant of the MedusaLocker family. This variant appends the .raptum46 extension (with a variable number) and employs a double-extortion model, threatening to leak stolen data on a TOR blog. Our forensic analysis indicates that despite their claims of strong…
In our recovery lab today at Lockbit Decryptor, we isolated the Immigration ransomware strain, which our analysis confirms is a new variant of the MedusaLocker family. This variant appends the .eimmigration extension and employs a double-extortion model. Our forensic analysis indicates that while the actors threaten to publish stolen data within 72 hours, the underlying…
In our recovery lab today at Lockbit Decryptor, we analyzed a new Shinra v3 ransomware sample appending the .LMAoBRPj extension. This variant continues the trend of using randomly generated, 9-character extensions to evade detection and employs a terse ransom note directing victims to email and Telegram. Our forensic analysis confirms this is a Shinra derivative…
In our recovery lab today at Lockbit Decryptor, we analyzed the ARM47 HACKERS ransomware. This threat actor utilizes the qTox platform for anonymous communication and appends a unique, randomized prefix to their ransom note filename, such as yKpxkN8Ds.README.txt. Our forensic analysis reveals that despite their claims of a secure breach, their implementation of the ChaCha20…
In our recovery lab today at Lockbit Decryptor, we analyzed a new Shinra ransomware sample appending the .vcWt5D9e extension. This variant specifically targets enterprise servers, encrypting files with a randomized 9-character extension and leaving a terse ransom note. Our forensic analysis confirms this is a Shinra v3 derivative, and while the actors claim decryption is…
In our recovery lab today at Lockbit Decryptor, we isolated a new build of the Shinra v3 ransomware, specifically the strain appending the .Chgldecr extension. This variant aggressively targets Remote Desktop Protocol (RDP) vulnerabilities for initial access. Our forensic analysis reveals that while the actors employ “military-grade” encryption rhetoric, the implementation contains critical flaws in…
In our recovery lab today at Lockbit Decryptor, we isolated the LSD ransomware strain. This threat actor utilizes aggressive scare tactics, claiming to compromise the UEFI/BIOS and SSD controller to force payment. Our forensic analysis confirms that while the malware appends the .lsd extension and drops a full-screen ransom note, the claims regarding firmware destruction…
In our recovery lab today at Lockbit Decryptor, we analyzed the newly emerged Vect Ransomware-as-a-Service (RaaS) operation. This group claims to have developed a custom C++ codebase targeting Windows, Linux, and VMware ESXi. Our forensic analysis of their advertised capabilities reveals a heavy reliance on ChaCha20-Poly1305 AEAD encryption and Safe Mode execution to bypass security…