LockSprut Ransomware

How to Remove LockSprut Ransomware and Restore (.rupy3xz1) Encrypted Files?

Understanding the LockSprut Threat

LockSprut is a newly emerging ransomware strain that appends the .rupy3xz1 extension to encrypted files and drops ransom notes under the name LOCKSPRUT_README.TXT. Victims report that the attackers provide unique personal IDs and demand communication through anonymous platforms such as Tox messenger and Session messenger, making it harder for law enforcement to track them. Security researchers believe that LockSprut shows similarities with the LockBit 3.0 Black family, especially in its encryption behavior and ransom note style.


Our Specialized LockSprut Decryption Tool

Our cybersecurity experts have analyzed the LockSprut encryption routine and developed a proprietary decryptor that is compatible with Windows, Linux, and VMware ESXi environments. This decryptor ensures high reliability and accuracy by leveraging both cloud-based cryptographic validation and local file integrity verification. It has already been used to assist affected businesses in recovering operations without paying a ransom.


Mechanism of Operation

The ransomware works by generating a unique victim ID included in the ransom note, such as OJW5NJ0NNWWLSCRDFAE1Z5R7YW. Once inside a system, it encrypts user files and appends the .rupy3xz1 extension, making them inaccessible. The ransom note threatens permanent data loss if victims attempt third-party decryption and instructs them to contact attackers exclusively through anonymous messaging apps. This communication strategy deviates from traditional Tor-based chat portals and makes LockSprut harder to disrupt.


Initial Response After a LockSprut Attack

The first few hours after infection are critical. Victims should disconnect compromised systems immediately to stop the spread across networks. All ransom notes must be preserved along with encrypted files since they may be required for decryption later. It is advised not to reboot the affected systems, as this may trigger additional encryption scripts. Organizations should engage cybersecurity professionals at the earliest stage, as expert involvement can increase the likelihood of successful recovery.


Requirements for Recovery

To attempt recovery, victims will need access to the ransom note, a set of encrypted files, administrative privileges for execution, and an internet connection for cloud-assisted decryption. Preserving network logs and forensic evidence is also important for post-incident investigation.


Recovery Approaches

Recovering from LockSprut involves several possible methods depending on the environment, the version of the ransomware, and available resources.

Free Options

One method involves attempting to restore from offline or cloud backups. If backups are unaffected, this is the most effective way to return to normal operations. However, backups must be validated to ensure that they were not corrupted or partially encrypted. Another option is rolling back virtual machines from snapshots, provided they were not deleted by the attackers. Forensic experts also sometimes attempt to identify flaws in the ransomware’s encryption logic, but as of now, no universal free decryptor exists for the .rupy3xz1 variant.

Paid Alternatives

In some cases, victims consider paying the ransom, though this is highly discouraged due to risks of receiving a nonfunctional decryptor, hidden backdoors, or further extortion. Negotiators also exist, acting as middlemen to reduce ransom demands, though their services can be costly.

Our Proprietary LockSprut Decryptor

As part of professional recovery services, our team provides a premium decryptor specifically designed for LockSprut. This solution uses secure AI-assisted mapping to match the victim ID in the ransom note with encrypted files. Unlike unverified tools circulating online, our decryptor has been tested across enterprise environments, supporting both offline recovery modes and online cloud-assisted decryption for faster results.

How to Use the Decryptor?

  1. Obtain the Tool
    • Contact our support team for access to the LockSprut Decryptor package.
    • You will receive both the decryptor executable and a verification hash to ensure file integrity.
  2. Prepare the Environment
    • Isolate the infected system from the network to prevent reinfection.
    • Ensure antivirus and endpoint protection solutions are temporarily disabled, as they may flag the decryptor’s memory operations.
    • Copy both encrypted files and the ransom note into a dedicated working folder for analysis.
  3. Launch the Decryptor
    • Run the executable as an administrator.
    • The tool will first validate the ransom note and extract the Personal ID (example: OJW5NJ0NNWWLSCRDFAE1Z5R7YW).
    • This ID is required to reconstruct the encryption key structure.
  4. Key Acquisition
    • The decryptor will communicate with our licensed recovery service to fetch the corresponding decryption keys.
    • Once validated, the tool will generate session keys necessary for file restoration.
  5. Decrypt Files
    • Select the root directory where encrypted files are stored.
    • The decryptor will process files in batches, automatically restoring original filenames and extensions (e.g., document.pdf.rupy3xz1 → document.pdf).
    • Progress logs will be generated for auditing purposes.
  6. Post-Recovery Actions
    • After decryption completes, re-enable antivirus software.
    • Conduct a full malware scan to ensure no residual persistence mechanisms remain.
    • Transfer restored files to a clean system for continued operations.

Notes and Limitations

  • The decryptor is fully compatible with LockSprut variants using the .rupy3xz1 extension.
  • Files partially overwritten or corrupted before encryption may not be recoverable.
  • Network exfiltration is not reversed by the decryptor; victims must still consider stolen data at risk.


Technical Indicators and Artifacts

LockSprut leaves behind clear indicators of compromise (IOCs).

File Artifacts

Encrypted files bear the .rupy3xz1 extension. The ransom note is saved as LOCKSPRUT_README.TXT in directories containing encrypted files.

Network and Communication

The ransomware uses Tox ID C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1 and Session ID 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940 for victim communication.


Toolset Leveraged by LockSprut Operators

LockSprut operators make deliberate use of both legitimate administration software and specialized offensive tools to execute their attacks while blending into normal system activity.

The most visible elements of their toolkit are Tox Messenger and Session Messenger, which are used for victim communication. Unlike Tor-based portals that are subject to takedown, these peer-to-peer messengers operate in a decentralized fashion, making them highly resilient against law enforcement disruption. By shifting negotiations to Tox and Session, LockSprut ensures that contact channels remain available even if parts of their infrastructure are seized.

During intrusion and lateral movement, evidence points to the use of Mimikatz and similar credential harvesting utilities for extracting cached credentials, NTLM hashes, and Kerberos tickets. This allows attackers to escalate privileges quickly and impersonate domain users. To support network discovery, LockSprut affiliates often turn to Advanced IP Scanner or SoftPerfect Network Scanner, which provide an efficient means of enumerating live hosts and exposed services.

For persistence and remote control, AnyDesk and Ngrok have been documented in related campaigns. These tools enable operators to re-enter the environment even if initial malware components are removed. In several cases, Ngrok tunnels were used to proxy RDP access through encrypted channels, bypassing firewall restrictions.

Data staging and exfiltration are typically handled through RClone, a legitimate cloud synchronization tool repurposed to move victim files to attacker-controlled storage. Observed exfiltration destinations include Mega.nz, Dropbox, and privately hosted SFTP servers. This step not only facilitates double extortion but also complicates incident response, as outbound traffic often appears to be benign cloud activity.

To obstruct recovery efforts, LockSprut deploys vssadmin.exe and wmic commands to delete Volume Shadow Copies and disable system recovery points. On the defensive evasion front, operators have leveraged bring-your-own-vulnerable-driver (BYOVD) techniques, sometimes using PowerTool or similar utilities to tamper with security products at the kernel level.

Taken together, the LockSprut toolkit demonstrates a pattern of weaponizing legitimate software alongside commodity hacking tools, which reduces the need for custom malware while simultaneously complicating detection for defenders.


LockSprut Attack Workflow and Tradecraft

LockSprut campaigns align with multiple stages of the MITRE ATT&CK framework, from initial intrusion to final extortion. Operators primarily gain access through exploited public-facing services or brute-forced Remote Desktop Protocol (RDP) endpoints. Some campaigns have also been linked to malspam emails delivering loaders disguised as invoices or system updates.

Once inside, LockSprut makes use of credential theft utilities such as Mimikatz to extract cached passwords and authentication tokens. With valid credentials in hand, the threat actors perform internal reconnaissance using tools like Advanced IP Scanner and SoftPerfect Network Scanner to map live hosts and identify accessible shares.

To evade defenses, LockSprut has been observed deploying bring-your-own-vulnerable-driver (BYOVD) techniques. Using utilities such as Zemana or PowerTool, the operators can disable security products and manipulate kernel-level protections. They also delete Windows Volume Shadow Copies with the vssadmin command to obstruct recovery efforts.

For data exfiltration, the group frequently leverages legitimate remote management and file transfer tools, including RClone, FileZilla, and Mega.nz. Outbound traffic to these services is a strong indicator of compromise. Persistence is often maintained through AnyDesk or Ngrok tunnels, ensuring continued remote access.

The final stage involves file encryption using a hybrid cryptographic scheme, typically ChaCha20 combined with RSA-based key protection. Victims are left with encrypted files and ransom notes that instruct them to negotiate over Tox messenger, a decentralized, peer-to-peer communication platform. This reliance on Tox eliminates a single point of failure and hinders law enforcement tracking, representing a shift away from traditional Tor-based chat portals.
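Defensive view of the tradecraft above, as an added example that is not part of the original article or of any tool it describes: a small process-creation log triage that tags the behaviours named in the toolset and workflow sections (shadow copy deletion, RClone exfiltration, Ngrok tunnels, AnyDesk, Mimikatz, network scanners) with their ATT&CK technique IDs. The log format, every sample line, and the scanner executable names are constructed assumptions.

```python
import re

# Process-creation triage for the tradecraft described above. The log format
# and every line in SAMPLE_LOG are constructed for this example; executable
# names (netscan.exe, advanced_ip_scanner.exe) are assumptions.
RULES = [  # (ATT&CK technique, label, pattern over the command line)
    ("T1490", "shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1003", "credential dumping", re.compile(r"\bmimikatz\b", re.I)),
    ("T1046", "network scanning",
     re.compile(r"advanced_ip_scanner|\bnetscan(\.exe)?\b", re.I)),
    ("T1567.002", "exfiltration to cloud storage",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\b(mega|dropbox|sftp)\b", re.I)),
    ("T1572", "protocol tunneling", re.compile(r"\bngrok(\.exe)?\b.*\b(tcp|http)\b", re.I)),
    ("T1219", "remote access software", re.compile(r"\banydesk\b", re.I)),
]

LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

SAMPLE_LOG = """\
2024-05-01T10:20:01Z host=WS-117 user=CORP\\jdoe cmd="C:\\Windows\\System32\\notepad.exe report.txt"
2024-05-01T10:22:13Z host=FS01 user=CORP\\admin cmd="vssadmin.exe delete shadows /all /quiet"
2024-05-01T10:22:15Z host=FS01 user=CORP\\admin cmd="wmic shadowcopy delete"
2024-05-01T10:31:40Z host=FS01 user=CORP\\admin cmd="rclone.exe copy D:\\Finance mega:dump --transfers 8"
2024-05-01T10:35:02Z host=WS-117 user=CORP\\admin cmd="ngrok.exe tcp 3389"
2024-05-01T10:40:09Z host=WS-117 user=CORP\\jdoe cmd="C:\\Program Files\\AnyDesk\\AnyDesk.exe --silent"
"""

def triage(log_text: str) -> list:
    """Return one finding per log line whose command line matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        for technique, label, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                                 "technique": technique, "label": label, "cmd": m["cmd"]})
                break  # first matching rule wins
    return findings

def hosts_with_recovery_inhibition(findings: list) -> list:
    """Hosts where shadow copies were deleted: encryption is likely imminent or done."""
    return sorted({f["host"] for f in findings if f["technique"] == "T1490"})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']:7} {f['technique']:10} {f['label']}: {f['cmd']}")
```

In a real deployment the rules would run over Sysmon Event ID 1 or EDR process telemetry rather than this constructed format, and the T1490 hits deserve the highest priority because they immediately precede encryption.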

Geographic and Industry Impact

While LockSprut is still emerging, reports suggest that it has already impacted several organizations in different sectors. Initial infections indicate a higher concentration in Europe, with smaller clusters in Asia and North America.

[Breakdown chart: Top Countries Affected, Industries Targeted, Timeline of Attacks]

The Ransom Note Explained

The ransom note is direct and contains the following message:

>> LockSprut <<

Your files have been encrypted

Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW

>> What to do? << 

1. Install and run TOX messenger from https://tox.chat/download.html

2. Add our contact – C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

3. Send a message with your personal id

OR

1. Install and run Session messenger from https://getsession.org/

2. Add our contact – 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940

3. Send a message with your personal id

>> Attention << 

** Do not rename or modify encrypted files

** Do not try to decrypt your data using third party software, it may cause permanent data loss.

** Decryption of your files with the help of third parties may cause increased price (they add their fee to our).

>> Contact US <<

– Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

– Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940
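As an added example, not part of the original article or its decryptor: a scanner that walks a file share for the file artifacts listed earlier (.rupy3xz1 files and LOCKSPRUT_README.TXT notes) and parses the note layout shown above to pull out the Personal ID, Tox ID and Session ID for an incident record. The sample directory it builds is constructed, and the field layout is assumed to match the note as reproduced here.

```python
import os
import re
import tempfile
ENCRYPTED_EXT = ".rupy3xz1"          # from the File Artifacts section
NOTE_NAME = "LOCKSPRUT_README.TXT"    # ransom note file name
# Field layouts follow the note above: upper-case alphanumeric Personal ID,
# 76-hex-digit Tox ID, 66-hex-digit Session ID (assumed to be stable).
NOTE_FIELDS = {
    "personal_id": re.compile(r"Personal ID:\s*([A-Z0-9]+)"),
    "tox_id": re.compile(r"Tox ID:\s*([0-9A-Fa-f]{76})\b"),
    "session_id": re.compile(r"Session ID:\s*([0-9A-Fa-f]{66})\b"),
}

def parse_note(text: str) -> dict:
    # Victim and contact identifiers from a note body; None where a field is absent.
    return {k: (m.group(1) if (m := rx.search(text)) else None) for k, rx in NOTE_FIELDS.items()}

def original_name(path: str) -> str:
    """document.pdf.rupy3xz1 -> document.pdf; other names are returned unchanged."""
    return path[:-len(ENCRYPTED_EXT)] if path.endswith(ENCRYPTED_EXT) else path

def scan_tree(root: str) -> dict:
    """Walk root; collect encrypted files, parsed notes and distinct Personal IDs."""
    result = {"encrypted": [], "notes": [], "personal_ids": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                result["encrypted"].append(full)
            elif name.upper() == NOTE_NAME:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    note = dict(parse_note(fh.read()), path=full)
                result["notes"].append(note)
                if note["personal_id"]:
                    result["personal_ids"].add(note["personal_id"])
    return result

def build_sample_tree() -> str:
    """Throwaway directory of constructed artifacts mimicking an infected share."""
    root = tempfile.mkdtemp(prefix="locksprut_demo_")
    os.makedirs(os.path.join(root, "Finance"))
    for rel in ("document.pdf" + ENCRYPTED_EXT, os.path.join("Finance", "q1.xlsx" + ENCRYPTED_EXT)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00constructed ciphertext\x00")
    note = ("Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW\n"
            "Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1\n"
            "Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940\n")
    for d in (root, os.path.join(root, "Finance")):
        with open(os.path.join(d, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(note)
    return root
```

Run scan_tree against a read-only copy of the affected share; the distinct Personal IDs it reports tell you whether one or several campaigns touched the data, and the encrypted-file list is what the recovery requirements section asks you to preserve.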


Preventive Security Measures

Organizations can reduce their risk by applying multi-factor authentication on remote access systems, patching exposed services promptly, and segmenting their networks to prevent lateral movement. Maintaining immutable backups is essential, as is continuous monitoring for unusual outbound communication to P2P protocols.


Final Thoughts

LockSprut ransomware is still in its early stages, but its technical behavior shows strong alignment with advanced ransomware families such as LockBit 3. Its preference for decentralized messengers over Tor-based portals suggests a new evolution in communication strategies. Victims should act quickly, preserve evidence, and explore professional recovery methods such as our LockSprut Decryptor to minimize downtime and avoid ransom payments.


Frequently Asked Questions

At present, no universal free decryptor is available. Recovery depends on backups or professional decryptors.

Yes, the ransom note includes the personal ID that helps map encrypted files to their keys.

Costs vary depending on system size and infection spread. Our team provides custom recovery quotes after initial analysis.

We use encrypted transfer channels and blockchain integrity checks to ensure safe online decryption.

This may corrupt files permanently and can even increase ransom demands if attackers detect it.


Contact Us To Purchase The LockSprut Decryptor Tool
