C77L Ransomware

How to Decrypt C77L Ransomware (.OXOfUbfa) files safely?

A New Evolution of the C77L Family

A new ransomware variant known as C77L (also referenced as X77C) has emerged, detected in November 2025 in infection reports shared through cybersecurity communities.
This version appends a unique 10-character random string followed by the “.OXOfUbfa” extension to encrypted files (e.g., photo.jpg.3n3Q2PsdhA.OXOfUbfa) and drops a ransom note titled “#Restore-My-Files.txt.”

Victims are informed that their data has been stolen and encrypted, and they are warned that leaks will occur within 72 hours if contact is not established.
The attackers use email (rickgerli98@gmail.com) and Telegram (@Us9890) as communication channels, claiming they will decrypt three files for free as proof of authenticity.

This C77L build demonstrates the group’s continued evolution — blending data exfiltration, timed extortion, and encryption to pressure victims into paying quickly.



Our C77L Decryptor — Forensic Data Restoration & Analysis

Our threat response engineers have developed a specialized decryptor framework to safely assess and attempt recovery from C77L ransomware infections.
This decryptor combines forensic-grade analysis with a controlled restoration process to maintain data integrity and evidence preservation.

Key features of our decryptor:

  • Executes within a sandboxed recovery environment to isolate the infection.
  • Identifies the variant signature (e.g., extension format, ransom ID, or contact string).
  • Conducts a Proof-of-Concept (PoC) decryption test on sample files before full restoration.
  • Generates chain-of-custody and integrity reports for insurance or legal documentation.

It supports both cloud-linked and air-gapped operation modes, ensuring compatibility for enterprise and high-security systems. Every recovery attempt begins with read-only data validation, ensuring no corruption of encrypted evidence.



First Response — Contain and Preserve

  1. Disconnect infected devices from local networks, Wi-Fi, and backups immediately.
  2. Do not rename, delete, or move encrypted files — they are critical for key analysis.
  3. Collect all forensic evidence: ransom notes, malware samples, and relevant system logs.
  4. Perform a memory dump (RAM capture) — encryption keys or process handles may remain in memory.
  5. Avoid contacting attackers via email or Telegram directly; instead, involve professional negotiators or recovery experts.

Data Recovery & Decryption Options

Standard Recovery Routes

Offline or Immutable Backups
Restoration from verified backups remains the most reliable recovery option. Confirm the backup’s integrity and ensure all infected machines are isolated before reintroducing clean data.

Free Decryptor Status
Currently, there is no public decryptor for the latest C77L variant. Earlier versions, however, have occasionally become decryptable after law enforcement released the attackers' keys. Victims should monitor trusted portals such as No More Ransom for updates.


Professional Recovery Methods

Analyst-Guided Decryption Service
Our analysts examine the encrypted data and the ransom note, perform key-reconstruction testing, and, if recovery is viable, proceed with full-scale restoration under controlled forensic conditions.

Ransom Payment (Not Recommended)
C77L actors typically raise the ransom after the 72-hour window expires. Paying does not guarantee recovery of your data and funds further criminal activity.


How to Use Our C77L Decryptor — Step-by-Step?

Step 1 — Identify the Infection
Look for encrypted files whose names end in a random 10-character string followed by .OXOfUbfa, and locate the ransom note #Restore-My-Files.txt.

Step 2 — Secure the Environment
Disconnect infected systems from networks, storage servers, and external drives.

Step 3 — Engage Our Response Team
Submit 2–3 encrypted samples and the ransom note via our secure intake portal for variant fingerprinting.

Step 4 — Launch the Decryptor
Run the decryptor tool with administrative privileges; internet access is optional depending on whether cloud key validation is used.

Step 5 — Enter the Decryption ID
Input the unique ID from the ransom note (e.g., C6DD06F8) to align with your encryption key batch.

Step 6 — Begin Restoration
After key confirmation, the decryptor restores files to a separate directory while generating proof-of-integrity logs.



Ransom Note — “#Restore-My-Files.txt”

File Name: #Restore-My-Files.txt
Location: Dropped in all affected directories.

Excerpt from the ransom note:

>>> YOUR FILES ARE STOLEN AND ENCRYPTED <<<

– Your files are downloaded and will leak in 72h.

– Contact us immediately to recover them.

Decryption ID: C6DD06F8

Contact:

– Email: rickgerli98@gmail.com

– Telegram: @Us9890

Warning:

– Using third-party tools may cause permanent damage.

– Act fast! price rises with delay.

Free Test:

– Send 3 small files (max 1MB) for free decryption.


Technical Indicators & Detection Names

Ransomware Family: C77L / X77C
Encrypted File Extension: Random 10 characters + .OXOfUbfa
Ransom Note: #Restore-My-Files.txt
Contact Channels: Email — rickgerli98@gmail.com; Telegram — @Us9890
Decryption ID Example: C6DD06F8

Detection Names:

  • ESET → Win64/Filecoder.C77L.A
  • Kaspersky → HEUR:Trojan-Ransom.Win32.Generic
  • Avast → Win32:MalwareX-gen [Ransom]
  • Microsoft → Ransom:Win64/C77LCrypt.A!MTB
  • TrendMicro → Ransom.Win64.C77LLOCKER.THJBABE

Indicators of Compromise (IOCs):

  • .OXOfUbfa extensions
  • Ransom note #Restore-My-Files.txt
  • C2 connections to attacker infrastructure via Gmail and Telegram APIs
  • Disabling of Windows Shadow Copies and recovery features
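The following Python script is an added illustration, not part of the original article and not the decryptor described on this page. It turns the file-name indicators above into a read-only triage scan: it matches the `<original name>.<10 random alphanumerics>.OXOfUbfa` scheme, recovers the pre-encryption name for reporting (without renaming anything, in keeping with the "do not rename" rule), locates `#Restore-My-Files.txt`, and pulls the Decryption ID out of the note. The sample paths and note text are constructed; the function names are my own.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set

# Naming scheme described above: <original name>.<10 random alphanumerics>.OXOfUbfa
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.(?P<tag>[A-Za-z0-9]{10})\.OXOfUbfa$")
RANSOM_NOTE = "#Restore-My-Files.txt"
# "Decryption ID: C6DD06F8" line, as in the note excerpt quoted on this page
DECRYPTION_ID_RE = re.compile(r"^Decryption ID:\s*(?P<id>[0-9A-Fa-f]+)\s*$", re.MULTILINE)


@dataclass
class TriageResult:
    encrypted: List[str] = field(default_factory=list)       # paths matching the extension scheme
    notes: List[str] = field(default_factory=list)           # paths of ransom notes
    originals: Dict[str, str] = field(default_factory=dict)  # encrypted path -> original file name
    decryption_ids: Set[str] = field(default_factory=set)    # IDs found inside the notes


def _basename(path: str) -> str:
    # Split on either separator so Windows-style sample paths work on any host
    return re.split(r"[\\/]", path)[-1]


def classify_name(name: str) -> Optional[str]:
    """Classify a bare file name as 'note', 'encrypted', or None (untouched)."""
    if name == RANSOM_NOTE:
        return "note"
    if ENCRYPTED_RE.match(name):
        return "encrypted"
    return None


def original_name(name: str) -> Optional[str]:
    """Recover the pre-encryption file name for reporting only; never rename on disk."""
    m = ENCRYPTED_RE.match(name)
    return m.group("original") if m else None


def triage_paths(paths: Iterable[str],
                 read_text: Optional[Callable[[str], str]] = None) -> TriageResult:
    """Classify paths. read_text, if given, returns a note's contents so its
    Decryption ID can be recorded. Nothing is written, moved or renamed."""
    result = TriageResult()
    for path in paths:
        name = _basename(path)
        kind = classify_name(name)
        if kind == "encrypted":
            result.encrypted.append(path)
            result.originals[path] = original_name(name)
        elif kind == "note":
            result.notes.append(path)
            if read_text is not None:
                for m in DECRYPTION_ID_RE.finditer(read_text(path)):
                    result.decryption_ids.add(m.group("id").upper())
    return result


def _read_note(path: str) -> str:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def triage_directory(root: str) -> TriageResult:
    """Walk a directory tree read-only and triage every regular file under it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage_paths(paths, read_text=_read_note)


def summary(result: TriageResult) -> str:
    """One-line summary suitable for an incident ticket."""
    ids = ", ".join(sorted(result.decryption_ids)) or "none found"
    return (f"{len(result.encrypted)} encrypted file(s), {len(result.notes)} ransom note(s), "
            f"decryption ID(s): {ids}")


# Constructed sample inventory (not real data) so the block runs without a live system.
SAMPLE_PATHS = [
    r"D:\share\photo.jpg.3n3Q2PsdhA.OXOfUbfa",      # encrypted; original photo.jpg
    r"D:\share\backup.tar.gz.ZZZZZZZZZZ.OXOfUbfa",  # encrypted; original backup.tar.gz
    r"D:\share\#Restore-My-Files.txt",              # ransom note
    r"D:\share\report.docx",                        # untouched
    r"D:\share\notes.OXOfUbfa",                     # extension alone, no 10-char tag: no match
]
SAMPLE_NOTE = ">>> YOUR FILES ARE STOLEN AND ENCRYPTED <<<\nDecryption ID: C6DD06F8\nContact:\n"


def demo() -> TriageResult:
    """Run the triage over the constructed sample instead of a real share."""
    return triage_paths(SAMPLE_PATHS, read_text=lambda _path: SAMPLE_NOTE)


if __name__ == "__main__":
    r = demo()
    print(summary(r))
    for p in r.encrypted:
        print(f"  {p} -> {r.originals[p]}")
```

Against a real share you would call `triage_directory(r"D:\share")` instead of `demo()`; the resulting list of original names and the extracted Decryption ID are exactly what a response team needs for variant fingerprinting, and the scan never touches the encrypted files themselves.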

Tactics, Techniques & Procedures (TTPs)

  • Initial Access: Phishing attachments, RDP exploitation, or cracked software.
  • Execution: File encryption using AES + RSA hybrid cipher.
  • Persistence: Ransom note autorun entries and wallpaper modifications.
  • Exfiltration: Theft of sensitive files prior to encryption.
  • Defense Evasion: Shadow copy deletion and log clearing.
  • Impact: Encrypted systems, public data leaks, and potential data resale.

Victim Landscape

Geography:

Industries Targeted:

Timeline:


Conclusion

The C77L ransomware family continues to evolve, blending traditional encryption with aggressive double-extortion tactics. This latest variant adds modern communication channels like Telegram and Gmail, shortens ransom deadlines, and includes “free decryption” samples to lure victims into trust. Its moderate ransom demands make it appealing for broad, fast-moving campaigns.
Organizations must prioritize rapid isolation, evidence preservation, and engagement with professional decryption services instead of direct contact. Preventative defense — including patched systems, restricted remote access, and redundant offline backups — remains the only long-term safeguard against the ongoing C77L/X77C wave.


Frequently Asked Questions

Currently, there is no public decryptor. Victims should preserve samples and monitor No More Ransom for developments.

No. It is a psychological tactic to build trust before extortion.

Disconnect affected devices, preserve evidence, and contact a verified ransomware response team.

Implement 2FA on remote systems, update software regularly, block unsafe file types in email filters, and maintain immutable backups.

It is rarely effective and illegal in some jurisdictions. Always consult cyber law and insurance professionals before considering it.

