You're welcome.
Posted 02 September 2022 - 02:24 PM
You're welcome.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 28 November 2022 - 10:24 AM
I'm confused. I wasn't asking for a way to decrypt the data nor if I was affected by Loki or not. I was asking how to use file recovery that is recommended on the post template from posts like these, and my topic was closed. Also, I found it odd it didn't lock every file and folder of my drive. My question is how do I use file recovery to recover the videos and possibly the locked cbr/cbz comics?
What I meant is do I delete Windows, clean install (I don't care about the C drive, there is nothing there I cannot restore, even the Plex metadata)? Download Recuva and work on the Loki-locked externals? Also, why isn't every file and folder locked? Do these drives still have malware? I'm confused about Loki and that was what my topic was about. I'm currently using Linux and a Mac to view these drives.
Edited by mikozee, 28 November 2022 - 10:39 AM.
Posted 28 November 2022 - 03:18 PM
Posted 28 November 2022 - 05:09 PM
I just realized something. If two identical disks as identified by WinMerge were hit by Loki, will WinMerge still identify them as identical despite being encrypted post ransomware? This is what happened to me as 2 out of 4 different disks were online while 2 out of 4 with some obsolete content were offline. My setup works in pairs and I forgot to take at least one of it offline before the event. So I'm missing about a week's worth of content I can't identify. But my backups are not that old so it's not a huge issue.
Posted 24 March 2023 - 12:44 AM
DO NOT PAY LOKI LOCKER
Lokisupp0rt@yandex.com, lokiloki@mailfence.com
Hello All,
I am one of the victims of LokiLoker, they are scammers. These guys locked my files lokiloki@mailfence.com, and the ransom note had these 2 email IDs: Lokisupp0rt@yandex.com, lokiloki@mailfence.com. We paid them twice as they did not send the decrypter after receiving the first payment and we had to make another payment to get the decrypter. After receiving both the payments these guys sent a decrypter, but the decrypter which they sent did not work on my files. And the worst part is they are asking for access to my machine to decrypt the files, saying the problem is with my computer, when I had clearly explained to them that I had tried to decrypt the files on a clean computer.
Posted 24 March 2023 - 04:43 AM
I have merged your topic into the primary support topic for victims of this ransomware.
Posted 18 July 2023 - 05:52 AM
Hello Community,
Please, I need help to recover the files encrypted by killer ransomware. All files are crypted and have the .kill extension.
I attach an encrypted file and also the file with instructions done by the hackers.
I did a lot of research for a decryptor but this ransomware is not recognized by decryptors.
Best Regards
Posted 18 July 2023 - 07:27 AM
The contents of your ransom note are similar to what we have seen with some variants of Loki Locker Ransomware.
Your #FILES-ENCRYPTED.txt
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: Decryption.helper@aol.com
In case of no answer in 24h, send e-mail to this address: helper@cyberfear.com
Your System ID : 689DBE54
!!!Deleting "xor.689DBE54.kill" causes permanent data loss.
.....
+Ways to contact us:
Our Email:
Decryption.helper@aol.com
helper@cyberfear.com
Your System ID: 689DBE54
Loki Locker (BlackBit) - Restore-My-Files.txt
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: spystar@onionmail.org
In case of no answer in 24h, send e-mail to this address: spystar1@onionmail.com
You can also contact us via Telegram: @Spystar_Support
All your files will be lost on Thursday, October 20, 2022 9:51:06 AM.
Your SYSTEM ID : 8E4A8CF5
!!!Deleting "Cpriv.BlackBit" causes permanent data loss.
Loki Locker - Restore-My-Files.txt
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: Lollooki@protonmail.com
In case of no answer in 24h, send e-mail to this address: Lollooki@yandex.com
All your files will be lost on Wednesday, 28 December 2022 4:30:12 am.
Your SYSTEM ID: 52294877
!!!Deleting "Cpriv.Loki" causes permanent data loss.
Is .kill the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]), an ID number with a person's name (.[a7fth62bc1].[<name>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?
Any files that are encrypted with Loki Locker Ransomware will have an [<email>][<ID 8 random characters>]<filename>.[extension] followed by the .Loki, .BlackBit, .Rainman, .PayForKey, .Adair, .Boresh, .onion700, .DATA extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) named Restore-My-Files.txt, info.hta as explained here by Amigo-A (Andrew Ivanov). These are some examples.
.[lolooki@protnmail.com][7E09E942]<filename>.mp4.Loki
.[DecNow@TutaMail.Com][7E09E942]<filename>.pdf.Loki
.[spystar@onionmail.org][9ECFA84E]<filename>.jpg.BlackBit
.[Onion749@onionmail.org][52294877]<filename>.log.onion700
.[crypter@firemail.de][43DE62EH]<filename>.jpg.kill
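An added example, not part of the original posts: a Python triage that sorts a file listing using the naming pattern, ransom note names and do-not-delete key-file names quoted in this thread. The sample paths are constructed, and `classify` and `triage` are names made up for this illustration.

```python
import re

# Variant extensions listed in the post above, plus .kill reported in this thread.
VARIANTS = ("Loki", "BlackBit", "Rainman", "PayForKey", "Adair",
            "Boresh", "onion700", "DATA", "kill")
_EXT = "(?P<variant>" + "|".join(VARIANTS) + ")"

# [<email>][<8-character ID>]<filename>.<ext>.<variant>; a leading "." and a "."
# after the ID are tolerated because both spellings appear in the thread.
ENCRYPTED = re.compile(
    r"^\.?\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\[(?P<system_id>[0-9A-Za-z]{8})\]"
    r"\.?(?P<original>.+)\." + _EXT + "$", re.IGNORECASE)

# Files the ransom notes say must not be deleted (xor.<ID>.kill, Cpriv.<variant>).
KEY_FILE = re.compile(r"^(?:xor\.[0-9A-Za-z]{8}|Cpriv)\." + _EXT + "$", re.IGNORECASE)

# Ransom note names mentioned in the thread.
NOTES = {"restore-my-files.txt", "info.hta", "#files-encrypted.txt"}


def classify(path):
    """Return (kind, fields) for one path; kind is encrypted/key/note/other."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = ENCRYPTED.match(base)
    if m:
        return "encrypted", m.groupdict()
    if KEY_FILE.match(base):
        return "key", {}
    if base.lower() in NOTES:
        return "note", {}
    return "other", {}


def triage(paths):
    """Group paths by kind; encrypted files are listed by their original name."""
    report = {"encrypted": [], "key": [], "note": [], "other": []}
    for p in paths:
        kind, fields = classify(p)
        report[kind].append(fields.get("original", p))
    return report


# Constructed sample listing (not taken from any victim's drive).
SAMPLE = [
    "E:/video/[Decryption.helper@aol.com][689DBE54].holiday.mp4.kill",
    "E:/docs/[spystar@onionmail.org][9ECFA84E]report.jpg.BlackBit",
    "E:/xor.689DBE54.kill", "E:/docs/#FILES-ENCRYPTED.txt",
    "E:/comics/issue_001.cbz", "E:/export/table.DATA",
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```

The recovered original names can be compared against a backup index to see which files are missing, and the "key" group lists files to preserve alongside the encrypted data.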
Posted 18 July 2023 - 09:45 AM
Thanks for replying
The files are encrypted and their names are changed as you said: [Decryption.helper@aol.com][689DBE54].filename.kill
Is there any way to decrypt them?
Posted 18 July 2023 - 09:46 AM
Can I add two more files? one encrypted file and "xor.689DBE54.kill" into an archive, upload the archive to sendspace.com, and give us the archive download link in your message.
Posted 18 July 2023 - 10:32 AM
Done
I've sent you the link
Posted 18 July 2023 - 10:39 AM
Agree with Global Moderator quietman7
With a high probability this is a variant of Loki Locker.
Check in the antivirus quarantine; there should be a file called winlogon.exe.
This will be the body of the ransomware.
Posted 18 July 2023 - 03:49 PM
@Fighter84
Since the infection has been identified/confirmed and this is a new variant, I merged your topic into the primary support topic for victims of this ransomware.
Posted 02 August 2023 - 08:23 AM
I have recovered a huge part of my encrypted files.
So if someone has the same issue I can try to help, contact me with a direct message.
Posted 02 August 2023 - 08:27 AM
If you are able to assist other victims, then do so in this support topic.
By Bleeping Computer policy (Forum Rules), all help must be provided in the forums...specifically this part.
All help must be provided in the forums or on our Discord Server. We do not allow support to be provided or requested via personal message, email, or remote desktop control programs (Logmein, TeamViewer, etc).
Thanks,
The BC Staff