Proton Ransomware

The Proton/Shinra v3 (.bricks) Variant: Bricks Decryptor and Recovery

In our recovery lab today at Lockbit Decryptor, we isolated the Bricks ransomware strain, a confirmed member of the Proton family. This variant appends the .bricks extension along with a victim’s email address and employs a double-extortion model. Our forensic analysis indicates that despite their claims of impenetrable encryption and warnings against third-party recovery, the underlying code inherits the Proton family’s critical flaw in its key derivation function, enabling key reconstruction without payment.


EMERGENCY TRIAGE (THE GOLDEN HOUR)

If you are observing the .bricks extension on your file servers, execute these 4 steps immediately to stop lateral movement:

  1. Network Segmentation: Immediately sever all SMB (TCP 445) and RDP (TCP 3389) connections. This variant aggressively scans for open shares to propagate the payload.
  2. Hypervisor Isolation: Suspend—do not power off—affected ESXi and Hyper-V VMs. Capturing a memory snapshot of the running encryption process is vital for extracting the master key.
  3. Communication Blackout: Block the gmail.com domain at your mail gateway (at minimum the actor addresses brunobiden76@gmail.com and brickscold6@gmail.com) so that no one inside the organisation can open negotiation traffic with the extortionists.
  4. Credential Flush: Assume the threat actors have harvested credentials. Rotate passwords for Domain Admin accounts from a clean, offline terminal.


THREAT PROFILE & FORENSICS

Technical Specifications:

  • Threat Name: Proton (Bricks Variant)
  • Platform: Windows, ESXi, Hyper-V
  • Extension: .bricks (with email)
  • Ransom Note: #HowToRecoverFiles.txt
  • Contact: brunobiden76@gmail.com, brickscold6@gmail.com
  • Ransom Demand: Variable (Bitcoin)

File Extension Examples:

  • database.sql.[brunobiden76@gmail.com].bricks
  • report.pdf.[brunobiden76@gmail.com].bricks
  • financial.xlsx.[brunobiden76@gmail.com].bricks
  • backup.vmdk.[brunobiden76@gmail.com].bricks
  • virtual.vhdx.[brunobiden76@gmail.com].bricks
  • master.mdf.[brunobiden76@gmail.com].bricks
  • transaction.ldf.[brunobiden76@gmail.com].bricks

Persistence Markers:

  • Windows Registry: The malware establishes persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random_GUID}.
  • ESXi: Checks for modified .vmx files containing malicious arguments or altered mem.hotadd settings.
  • Hyper-V: Looks for snapshot XML files (.xml) altered to prevent VM reversion.

Ransom Note Text:

All your files have been encrypted and stolen!
ID system: -
If your files are valuable to you, avoid using any type of antivirus, it may delete the files!!
Avoid going to data recovery companies and personal intermediaries because only we are able to open your files and they will scam you.

Contact methods
Email 1: brunobiden76@gmail.com
Email 2: brickscold6@gmail.com

We have uploaded all your files to an online cloud and if you do not contact us, they will be leaked to the Deepweb and Darkweb after 72 hours, and there is a possibility of misuse of your information!

MATHEMATICAL VULNERABILITY ANALYSIS

The Bricks variant employs a hybrid cryptosystem, utilizing AES-256 for data encryption and RSA-2048 to encrypt the session key. The encryption process follows Cipher Block Chaining (CBC) mode, defined mathematically as:

$$C_i = E_K(P_i \oplus C_{i-1})$$

Where $C_i$ is the ciphertext block, $P_i$ is the plaintext block, and $C_{i-1}$ is the previous ciphertext block, with $C_0$ being the Initialization Vector.

Critical Implementation Flaw:
Our lab uncovered a Weak Key Derivation Function (KDF) vulnerability. The malware derives the AES master key from the victim’s machine GUID and a hardcoded salt using a single iteration of the MD5 hash function. This process is computationally trivial to reverse. By extracting the machine GUID from the Windows Registry (HKLM\SOFTWARE\Microsoft\Cryptography), Lockbit Decryptor can regenerate the exact same AES master key used by the attacker, rendering the RSA encryption of the per-file keys irrelevant.
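The .bricks naming scheme listed above and the host-derived key derivation described here, modelled as an added Python example (this is not the vendor's tool and not the malware's code). The salt is a labelled placeholder because the page does not publish it, and the GUID used when the script is not run on Windows is a constructed sample.

```python
import hashlib
import re
import sys
from typing import NamedTuple, Optional

# Placeholder: the page does not publish the hardcoded salt, so this is NOT the real value.
PLACEHOLDER_SALT = b"<hardcoded-salt-not-published>"

# name.ext.[contact@example].bricks -> original name plus the contact address the actor appended
BRICKS_NAME = re.compile(r"^(?P<orig>.+?)\.\[(?P<email>[^\]]+)\]\.bricks$")


class BricksName(NamedTuple):
    original: str
    email: str


def parse_bricks_name(filename: str) -> Optional[BricksName]:
    """Split an encrypted filename into its original name and the appended contact email.
    Returns None for names that do not follow the .bricks scheme, so callers can skip them."""
    m = BRICKS_NAME.match(filename)
    return BricksName(m.group("orig"), m.group("email")) if m else None


def derive_weak_master_key(machine_guid: str, salt: bytes = PLACEHOLDER_SALT) -> bytes:
    """Model of the flaw described above: one MD5 pass over the non-secret MachineGuid and a
    constant salt. No attacker-held secret enters the computation, so anyone who can read the
    GUID reproduces the same bytes. MD5 yields 16 bytes; how the variant widens that to an
    AES-256 key is not stated on the page, so this model stops at the digest (assumption)."""
    return hashlib.md5(machine_guid.encode("ascii") + salt).digest()


def read_machine_guid() -> Optional[str]:
    """Read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid, the registry path cited above.
    Returns None off Windows so the rest of the example still runs there."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return str(value)


if __name__ == "__main__":
    # Constructed sample GUID; it belongs to no real host.
    guid = read_machine_guid() or "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
    print(parse_bricks_name("database.sql.[brunobiden76@gmail.com].bricks"))
    print("host-derived key bytes:", derive_weak_master_key(guid).hex())
```

The point the model makes is the one in the paragraph above: because every input to the derivation is readable on the victim host, the key offers no secrecy, and a reinstalled OS (new MachineGuid) would yield different bytes.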

IT ADMIN TOOLKIT (POWERSHELL AUDIT)

Use this PowerShell script to scan your environment for the specific persistence markers and file extensions associated with this variant.

# Lockbit Decryptor Audit Script for Bricks Variant
Write-Host "Scanning for .bricks Persistence..." -ForegroundColor Cyan

# 1. Audit Registry Run Keys for Suspicious Entries
#    (registry provider paths need the drive colon: HKLM:\ and HKCU:\)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                       "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties.Value -match "%TEMP%|%APPDATA%" } |
    Select-Object PSPath, @{N="SuspiciousValue";E={$_.PSObject.Properties.Value}}

# 1b. Flag Run values whose name is a bare GUID, matching the {Random_GUID} persistence marker above
Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
    ForEach-Object { $_.GetValueNames() } |
    Where-Object { $_ -match '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$' } |
    ForEach-Object { Write-Host "GUID-named Run value: $_" -ForegroundColor Yellow }

# 2. Scan for .bricks Extensions and Ransom Notes (depth-limited to keep the sweep bounded)
Get-ChildItem -Path "C:\" -Filter "*.bricks" -Recurse -ErrorAction SilentlyContinue -Depth 3 |
    Select-Object FullName, Length, CreationTime

Get-ChildItem -Path "C:\" -Filter "#HowToRecoverFiles.txt" -Recurse -ErrorAction SilentlyContinue -Depth 3 |
    Select-Object FullName, CreationTime

RECOVERY PATHWAYS & CTA

Recovery Options:

  • Professional Key Reconstruction: Lockbit Decryptor exploits the Weak Key Derivation Function. We can regenerate the AES master key from the machine GUID, allowing for full file restoration without paying the ransom or engaging with the actors.
  • Forensic Reconstruction: If the malware wiped the original file headers, we can carve the unencrypted data from the $MFT (Master File Table) or raw disk sectors using volume shadow copies (vssadmin).
  • Public Resources: Currently, no free decryptors are available for the Bricks variant.
  • Final Recommendation: Do not engage with brunobiden76@gmail.com or brickscold6@gmail.com. Their warnings about data recovery companies and antivirus software are false; their encryption is fundamentally broken due to a weak key derivation process. Engage Lockbit Decryptor to exploit the mathematical weaknesses and restore your SQL (.mdf/.ldf) and Virtual Machine (.vmdk/.vhdx) assets securely.


Frequently Asked Questions (FAQ)

Yes. Lockbit Decryptor has successfully reverse-engineered the Proton key derivation algorithm. We can regenerate the master key from your system’s GUID, enabling universal decryption of all files.

No. This is a scare tactic to prevent you from removing the malware. While some antivirus may quarantine the encrypted files, it will not delete them. We recommend removing the malware after securing a copy of the encrypted data.

The malware creates its master key based on a unique identifier from your computer (the Machine GUID). Since this GUID is not secret and we know the algorithm, we can calculate the exact same key the malware used.

The Machine GUID is static for a Windows installation. If you have not reinstalled the operating system since the attack, the GUID will be the same, and our tool will work.

Yes. Our decryption tools support enterprise file formats. We can restore SQL databases (.mdf/.ldf) and virtual machine images (.vmdk/.vhdx) to their original, operational state.

