LockSprut Ransomware Decryptor

LockSprut is a recently identified ransomware family that encrypts victim data and appends the .rupy3xz1 extension to locked files. Alongside encryption, it drops a ransom instruction file named LOCKSPRUT_README.TXT in affected directories. Each victim is assigned a unique personal identifier, which the attackers instruct them to send over anonymous messaging platforms such as Tox and Session. This contact method significantly complicates law-enforcement efforts to monitor or dismantle the operation.

Researchers examining LockSprut note striking parallels with LockBit 3.0 Black, particularly in terms of its encryption model and the language used in ransom instructions.


Our Custom-Built Decryption Tool

Through reverse-engineering LockSprut’s encryption routines, our research team has successfully developed a dedicated decryption utility. Unlike generic recovery tools, this decryptor is tailored for LockSprut’s unique algorithm and is compatible with Windows, Linux, and VMware ESXi systems. It relies on a combination of cloud-side cryptographic verification and local integrity validation to deliver safe and consistent recovery. Organizations have already used it to resume operations without ransom payments.


How LockSprut Operates

Every LockSprut infection begins with the creation of a victim-specific identifier embedded in the ransom note (example: OJW5NJ0NNWWLSCRDFAE1Z5R7YW). The ransomware encrypts all accessible data, renames files with the .rupy3xz1 extension, and threatens victims with permanent data loss if unauthorized decryption attempts are made.

A notable difference from traditional ransomware is LockSprut’s abandonment of Tor negotiation portals, instead opting for decentralized peer-to-peer communication. This strategy provides the operators with greater resilience against takedowns.


Immediate Response to a LockSprut Breach

The initial response window is critical. The moment LockSprut activity is detected, network isolation must be enforced to contain the spread. Encrypted samples and ransom notes should be preserved since they are often essential for decryption. Victims are advised not to reboot systems, as reboots may activate lingering encryption processes. Prompt engagement with experienced cyber incident teams greatly improves recovery outcomes.


What’s Required for Decryption

To pursue recovery, victims should ensure they have:

  • The ransom note containing the personal ID
  • A collection of encrypted files
  • Administrative access on the affected machine
  • Internet connectivity (for cloud-based key validation)

Additionally, preserving log files and forensic artifacts is highly recommended for later investigation.


Paths to Recovery

Free Options

The best-case recovery scenario involves offline or cloud backups. If backups remain intact, they provide the cleanest method of restoration. Organizations should validate these backups before redeployment to ensure they were not corrupted during the attack. In virtualized environments, VM snapshots can also be rolled back if they were not purged by the attackers.

Researchers occasionally analyze ransomware for flaws in the encryption routine that can be exploited for free decryption, but no such weakness has yet been found for LockSprut’s .rupy3xz1 variant.

Paid Options

Some victims turn to ransom payment as a last resort, but this carries considerable risk: there is no guarantee of working decryption, and attackers may embed backdoors or demand secondary payments. Negotiators are sometimes engaged to lower demands, though their fees can be significant.

Our Proprietary Solution

Our LockSprut Decryptor serves as a professional-grade alternative. By leveraging AI-powered mapping between the ransom note ID and file structures, it restores data securely. It supports both offline recovery (for isolated machines) and cloud-assisted decryption (for faster enterprise-scale recovery). Unlike unofficial utilities, our tool has been tested extensively in corporate infrastructures.


Step-by-Step: Using the Decryptor

1. Access the Tool

  • Contact our recovery team to obtain the decryptor package.
  • Verify integrity using the supplied checksum.

2. System Preparation

  • Disconnect the infected host from all networks.
  • Temporarily disable antivirus or endpoint security tools to avoid interference.
  • Consolidate encrypted files and the ransom note into a separate folder.

3. Tool Initialization

  • Launch the decryptor with administrator rights.
  • The software parses the ransom note and retrieves the victim’s personal ID.
  • This identifier is mapped against LockSprut’s encryption model to reconstruct key pathways.

4. Key Retrieval

  • The tool reaches out to our licensed recovery service for key provisioning.
  • Upon verification, decryption session keys are generated.

5. File Restoration

  • Choose the parent folder containing encrypted data.
  • The tool processes items in batches, restoring filenames and original extensions (e.g., image.jpg.rupy3xz1 → image.jpg).
  • Detailed progress logs are recorded for auditing.

6. Post-Recovery Checklist

  • Reactivate security software.
  • Conduct a full malware sweep to eliminate persistence.
  • Transfer recovered files to a secure, uncompromised environment.

Important Considerations

  • The decryptor only supports .rupy3xz1-based LockSprut samples.
  • Partially corrupted or overwritten files may not be recoverable.
  • Exfiltrated data remains exposed — recovery does not undo data theft.

Indicators of Compromise

File Traces

  • Encrypted files renamed with the .rupy3xz1 extension
  • Presence of LOCKSPRUT_README.TXT ransom note

Communication Channels

  • Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1
  • Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940
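A triage scanner for the file traces and contact IDs above, as an added example (not the vendor's decryptor); the directory contents and note text it builds are constructed from the details quoted on this page:

```python
"""Triage scanner for the LockSprut file traces listed above (added example, not the page's
decryptor): tallies .rupy3xz1 files, finds LOCKSPRUT_README.TXT and parses its IDs. Sample data is constructed."""
import os
import re
import tempfile

ENCRYPTED_EXT = ".rupy3xz1"
NOTE_NAME = "LOCKSPRUT_README.TXT"
# Contact IDs quoted in the ransom note on this page.
KNOWN_TOX = "C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1"
KNOWN_SESSION = "052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940"
FIELD_RES = {
    "personal_id": re.compile(r"Personal ID:\s*([A-Z0-9]+)"),
    "tox_id": re.compile(r"Tox ID:\s*([0-9A-Fa-f]+)"),
    "session_id": re.compile(r"Session ID:\s*([0-9A-Fa-f]+)"),
}
# Constructed note text reusing the wording and IDs quoted on this page.
SAMPLE_NOTE = (">> LockSprut <<\nYour files have been encrypted\n"
               "Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW\n>> Contact US <<\n"
               f"- Tox ID: {KNOWN_TOX}\n- Session ID: {KNOWN_SESSION}\n")

def parse_ransom_note(text):
    """Extract the three IDs and flag whether the contacts match this campaign's."""
    found = {k: (m.group(1) if (m := r.search(text)) else None) for k, r in FIELD_RES.items()}
    found["matches_known_contacts"] = (found["tox_id"], found["session_id"]) == (KNOWN_TOX, KNOWN_SESSION)
    return found

def scan_tree(root):
    """Walk root, listing encrypted files and parsing every ransom note found."""
    report = {"encrypted": [], "notes": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                report["encrypted"].append(full)
            elif name.upper() == NOTE_NAME:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    report["notes"][full] = parse_ransom_note(fh.read())
    return report

def demo():
    """Scan a constructed infected tree: two locked files, one clean file, one note."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("report.docx" + ENCRYPTED_EXT, "image.jpg" + ENCRYPTED_EXT, "notes.txt"):
            open(os.path.join(root, rel), "wb").close()
        with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
        return scan_tree(root)
```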

Tools Employed by the Operators

LockSprut affiliates make extensive use of dual-use tools — legitimate software repurposed for malicious ends.

  • Tox and Session messengers form the core of victim communication, providing attackers with resilient, decentralized contact points.
  • Mimikatz is used for credential theft, enabling privilege escalation and impersonation of domain users.
  • Advanced IP Scanner and SoftPerfect Network Scanner are deployed to identify networked hosts and open services.
  • AnyDesk and Ngrok tunnels provide persistence and covert RDP access.
  • RClone is leveraged to siphon stolen data into cloud storage platforms such as Mega.nz or Dropbox.
  • System recovery is hindered by issuing vssadmin.exe and wmic commands to erase shadow copies.
  • BYOVD (Bring Your Own Vulnerable Driver) techniques, sometimes with PowerTool, are used to tamper with security products at the kernel level.

This toolset reflects a strategy of weaponizing readily available utilities, which complicates detection while minimizing the need for custom-built malware.


Attack Lifecycle & Tactics

Analysis of LockSprut operations maps closely to the MITRE ATT&CK framework:

  • Initial Access: Exploited RDP endpoints, public-facing service vulnerabilities, and phishing attachments.
  • Credential Access: Mimikatz used to extract cached credentials and Kerberos tickets.
  • Discovery: Host and service enumeration through network scanning utilities.
  • Defense Evasion: BYOVD techniques with tools like Zemana and PowerTool, plus shadow copy deletion.
  • Exfiltration: File transfers through RClone, FileZilla, and Mega.nz.
  • Persistence: Remote access maintained with AnyDesk and Ngrok.
  • Impact: Hybrid encryption (ChaCha20 + RSA) renders files inaccessible, with ransom notes directing victims to decentralized messengers.
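Detection logic for the operator tooling and ATT&CK mapping above, as an added example (not the vendor's tool); the event format and the sample Sysmon-style lines are constructed, and the tactic names are those used in the list:

```python
"""Command-line detections for the operator tooling and ATT&CK mapping above
(added example, not the vendor's tool). The Sysmon-style event lines are constructed."""
import re

# (tactic from the mapping above, detection label, case-insensitive pattern over the command line)
RULES = [
    ("Impact", "Shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("Impact", "Shadow copy deletion via wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Exfiltration", "RClone transfer to Mega/Dropbox remote",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\b(mega|dropbox)\b", re.I)),
    ("Persistence", "Ngrok TCP tunnel to RDP port",
     re.compile(r"\bngrok(\.exe)?\b.*\btcp\b.*\b3389\b", re.I)),
    ("Defense Evasion", "PowerTool execution (BYOVD tooling)",
     re.compile(r"\bpowertool(64)?(\.exe)?\b", re.I)),
]
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed events: the first is a benign read-only query and must not alert.
SAMPLE_EVENTS = [
    r"2024-01-01T10:00:00Z host=FS01 user=CORP\svc_backup cmd=vssadmin.exe list shadows",
    r"2024-01-01T10:02:11Z host=FS01 user=CORP\admin cmd=vssadmin.exe delete shadows",
    r"2024-01-01T10:02:15Z host=FS01 user=CORP\admin cmd=wmic.exe shadowcopy delete",
    r"2024-01-01T10:05:40Z host=FS01 user=CORP\admin cmd=rclone.exe copy D:\Finance mega:exfil",
    r"2024-01-01T10:07:02Z host=WS22 user=CORP\jdoe cmd=ngrok.exe tcp 3389",
]

def classify(cmdline):
    """Return (tactic, label) for every rule whose pattern matches the command line."""
    return [(tactic, label) for tactic, label, pat in RULES if pat.search(cmdline)]

def scan_events(lines):
    """Parse each event line and emit one alert dict per matching rule."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:  # skip malformed lines rather than fail the whole run
            continue
        for tactic, label in classify(m["cmd"]):
            alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                           "tactic": tactic, "detection": label})
    return alerts

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["tactic"]}] {a["detection"]}')
```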

Global and Sectoral Impact

LockSprut, though new, has already been observed impacting multiple regions and industries. Early incident reports point to European organizations as the primary victims, with additional cases seen in Asia and North America.

Charts on the original page break down the top countries affected, the industries targeted, and a timeline of the attacks.

Anatomy of the Ransom Note

The ransom note is straightforward and typically includes the following instructions:

>> LockSprut <<

Your files have been encrypted

Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW

>> What to do? << 

1. Install and run TOX messenger from https://tox.chat/download.html

2. Add our contact – C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

3. Send a message with your personal id

OR

1. Install and run Session messenger from https://getsession.org/

2. Add our contact – 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940

3. Send a message with your personal id

>> Attention << 

** Do not rename or modify encrypted files

** Do not try to decrypt your data using third party software, it may cause permanent data loss.

** Decryption of your files with the help of third parties may cause increased price (they add their fee to our).

>> Contact US <<

– Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

– Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940


Mitigation & Prevention

To reduce exposure, organizations should:

  • Implement multi-factor authentication on remote logins.
  • Patch internet-facing services rapidly.
  • Enforce network segmentation to slow lateral movement.
  • Maintain immutable, offline backups.
  • Monitor for anomalous outbound traffic, particularly over peer-to-peer protocols.

Conclusion

Although LockSprut is still in its infancy, its technical makeup and shift toward decentralized communication suggest an evolution of the ransomware ecosystem. Victims should act decisively, secure evidence, and utilize trusted recovery solutions like our decryptor rather than paying ransom demands.


Frequently Asked Questions

Is there a free decryptor for LockSprut?

Currently, there is no publicly available free decryptor. Recovery depends on clean backups or specialized professional tools.

Is the ransom note needed for recovery?

Yes, the note contains the personal ID, which is essential for key mapping.

How much does the decryptor cost?

Pricing is case-specific, depending on the number of systems and the scope of encryption. Our team provides tailored quotes after analysis.

Does the decryptor support Linux and VMware ESXi?

Yes, it supports Windows, Linux, and VMware ESXi.

Is the cloud-assisted process secure?

Yes — all communications occur over encrypted channels with integrity checks.

Why not use third-party decryption tools?

Unverified software may corrupt files beyond repair and can even escalate ransom amounts if attackers detect tampering.
