
Loki Locker (BlackBit) Ransomware (.Loki, .BlackBit, .Rainman) Support Topic


38 replies to this topic

#1 ramuramisetty


Posted 23 February 2022 - 05:23 AM

Any files that are encrypted with Loki Locker (Blackbit) Ransomware will have an [<email>][ID random 8 characters]<filename>.[extension] followed by the .Loki, .BlackBit, .Rainman, .PayForKey, .Adair, .Boresh, .onion700, .DATA extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). These are some examples.

.[lolooki@protnmail.com][7E09E942]<filename>.mp4.Loki
.[spystar@onionmail.org][9ECFA84E]<filename>.jpg.BlackBit
.[bloc.boy@yandex.com][C279F237]<filename>.pdf.Rainman
.[Onion749@onionmail.org][52294877]<filename>.log.onion700
.[crypter@firemail.de][43DE62EH]<filename>.jpg.kill

Loki Locker typically will leave files (ransom notes) named Restore-My-Files.txt, info.hta, #FILES-ENCRYPTED.txt.

 

Some variants of Loki Locker are known to include a random 8 character System ID with a note about deleting specific files causing permanent data loss.

Your SYSTEM ID : 82F54321
!!!Deleting "Cpriv.Loki" causes permanent data loss.
Your SYSTEM ID : 8E4A83CF
!!!Deleting "Cpriv.BlackBit" causes permanent data loss.
Your System ID : 689DBE54
!!!Deleting "xor.689DBE54.kill" causes permanent data loss.

 
 
 
Is there any solution for LOKI LOCKER ransomware?


Edited by quietman7, 21 November 2023 - 07:53 PM.
Moved from Intros to Ransomware - Hamluis.
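A triage sketch for the naming scheme described in the post above, added here as an example (not code from the thread or from BleepingComputer): it sorts a file listing into encrypted files, ransom notes, and the key files the note warns against deleting. The directories and original file names in the sample are constructed, and the key-file pattern is an assumption generalized from the three names quoted in the post.

```python
import re
from collections import Counter
# Extensions listed in the post, plus .kill, which appears in its examples.
VARIANT_EXTS = {"loki", "blackbit", "rainman", "payforkey", "adair",
                "boresh", "onion700", "data", "kill"}
NOTE_NAMES = {"restore-my-files.txt", "info.hta", "#files-encrypted.txt"}
# Assumption: generalized from "Cpriv.Loki", "Cpriv.BlackBit" and
# "xor.689DBE54.kill", which the ransom note says must not be deleted.
KEY_FILE = re.compile(r"^(?:cpriv\.\w+|xor\.[0-9a-z]{8}\.\w+)$", re.I)
# [<email>][<8-char ID>]<original name>.<variant ext>. The post's samples
# start with a dot and one ID (43DE62EH) is not pure hex, so allow both.
ENCRYPTED = re.compile(
    r"^\.?\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]"
    r"\[(?P<sysid>[0-9A-Za-z]{8})\]"
    r"(?P<original>.+)\.(?P<variant>[^.]+)$")

def classify(path):
    # Looks at the file name only; file contents are never read.
    base = re.split(r"[\\/]", path)[-1]
    if base.lower() in NOTE_NAMES:
        return {"kind": "ransom_note", "name": base}
    if KEY_FILE.match(base):
        return {"kind": "key_file", "name": base}
    m = ENCRYPTED.match(base)
    if m and m["variant"].lower() in VARIANT_EXTS:
        return {"kind": "encrypted", **m.groupdict()}
    return {"kind": "other", "name": base}

def triage(paths):
    rows = [classify(p) for p in paths]
    enc = [r for r in rows if r["kind"] == "encrypted"]
    return {
        "counts": dict(Counter(r["kind"] for r in rows)),
        "system_ids": sorted({r["sysid"].upper() for r in enc}),
        "contacts": sorted({r["email"].lower() for r in enc}),
        "preserve": sorted(r["name"] for r in rows if r["kind"] == "key_file"),
    }

# Constructed listing: bracketed prefixes are the post's; paths are made up.
SAMPLE = [
    r"C:\Users\a\Videos\.[lolooki@protnmail.com][7E09E942]clip.mp4.Loki",
    r"D:\share\[spystar@onionmail.org][9ECFA84E]report.jpg.BlackBit",
    r"D:\share\.[crypter@firemail.de][43DE62EH]scan.jpg.kill",
    r"D:\share\Restore-My-Files.txt",
    r"D:\share\Cpriv.Loki",
    r"D:\share\budget.data",
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `preserve` list is the part to act on first: those files should be copied along with the encrypted data before any cleanup tool runs.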



 


#2 quietman7

  • Global Moderator

Posted 23 February 2022 - 08:18 AM

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by Loki Locker (Blackbit) Ransomware without paying the ransom and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the private key is unique (specific) for each victim and generated in a secure way (i.e. RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption.

 
If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files or backup/save your encrypted data as is and wait for a possible solution at a later time.


Microsoft MVP Alumni 2023
Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#3 ramuramisetty


Posted 23 February 2022 - 08:40 AM

Thank you so much for your reply



#4 quietman7


Posted 23 February 2022 - 09:49 AM

You're welcome.




#5 Rvn48


Posted 23 May 2022 - 10:50 AM

Hello everyone.
My friend's server is a victim of Loki Locker.
Maybe there is a solution for it already?
I've got a copy of files (1 encrypted and 1 not); maybe it would help, at least I hope so.

https://dropmefiles.com/PWGy2   - files are here
Also I've noticed 2 files, cpriv and cpriv2; maybe those are keys or so?

 

Big thanks!


Edited by Rvn48, 23 May 2022 - 11:00 AM.


#6 quietman7


Posted 23 May 2022 - 02:58 PM

There is nothing new to report that I am aware of.




#7 Rvn48


Posted 23 May 2022 - 03:02 PM

> There is nothing new to report that I am aware of.

Thank you anyway for response!



#8 quietman7


Posted 23 May 2022 - 03:07 PM

You're welcome.

 
When or if a free (or legitimate paid for) decryption solution is found, that information will be provided in this support topic and victims will receive notification if subscribed to it. In addition, a news article most likely will be posted on the Bleeping Computer front page. Amigo-A (Andrew Ivanov) will also update the applicable Crypto-Ransomware Digest (Alphabetical Index).



#9 yura_tor4ok


Posted 12 July 2022 - 04:30 PM

Hi everyone!
I got this virus. I wrote to extortionists and paid. In response, they did not send anything and stopped responding. I started looking for information on the Internet about this virus.
And I saw on one site id-ransomware.blogspot.com that if extortionists do not send a decoder after payment, they need to write to such and such an address. I wrote to that address, they say so and so,
- I paid, and in response, silence. I was dropped a link to a file hosting service with a type decoder. Downloaded, but it does not decrypt anything. I wrote to the extortionists, gave a screen of the problem - in response - we can't help in any way and then they don't answer letters.

A couple of days later they write to the mail from another address with the text - "pay extra and we will decrypt your files." I explain that I have already paid as agreed, but my files have not been decrypted. What are the guarantees that after the second payment you will not deceive? But in response they write - "if you do not pay, then your files will be freely available on the Internet"

If you caught this virus -
DO NOT PAY THEM!!! These are scammers and they have no decoder.

#10 quietman7


Posted 12 July 2022 - 04:37 PM

The experience you describe is not uncommon and one reason why most security experts will advise against paying the ransom demands or engaging in negotiating a payment with the malware developers. The criminals may demand more money after payment or even send you something containing more malware or a fake decryptor. So why should you trust anything said or provided by those who infected you to begin with? I explain in more detail why victims should not pay the ransom in this topic which includes victim experiences relating to dealing with or negotiating with the malware developers.




#11 yura_tor4ok


Posted 12 July 2022 - 04:45 PM

> The experience you describe is not uncommon and one reason why most security experts will advise against paying the ransom demands or engaging in negotiating a payment with the malware developers. The criminals may demand more money after payment or even send you something containing more malware or a fake decryptor. So why should you trust anything said or provided by those who infected you to begin with? I explain in more detail why victims should not pay the ransom in this topic which includes victim experiences relating to dealing with or negotiating with the malware developers.





I started looking for information about this virus late. Now there is exactly one example (me) confirming in practice that these scammers do not need to pay!

#12 Amigo-A

    Security specialist and Ransomware expert

Posted 13 July 2022 - 12:42 AM

yura_tor4ok

There are already at least three people who reported that extortionists do not pay and ask for more money.
You need to write a comment after the article to confirm this fact.

https://id-ransomware.blogspot.com/2021/10/lokilocker-ransomware.html

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#13 ApachePunk


Posted 01 September 2022 - 05:14 PM

Hi.

 

Still no solution for this ransomware?

 

> Unfortunately, there is no known method that I am aware of to decrypt files encrypted by Loki Locker Ransomware without paying the ransom and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the private key is unique (specific) for each victim and generated in a secure way (i.e. RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption.
>
> If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files or backup/save your encrypted data as is and wait for a possible solution at a later time.



#14 quietman7


Posted 01 September 2022 - 05:15 PM

There is nothing new to report that I am aware of.




#15 ApachePunk


Posted 02 September 2022 - 01:07 PM

Thank You!

 

> There is nothing new to report that I am aware of.





