LockSprut Ransomware Decryptor

LockSprut is a recently identified ransomware family that encrypts victim data and appends the .rupy3xz1 extension to locked files. Alongside encryption, it drops a ransom note named LOCKSPRUT_README.TXT in affected directories. Each victim is assigned a unique personal identifier, which the attackers demand be sent to them over anonymous messaging platforms such as Tox and Session. This method of contact significantly complicates efforts by law enforcement to monitor or dismantle the operation.

Researchers examining LockSprut note striking parallels with LockBit 3.0 Black, particularly in terms of its encryption model and the language used in ransom instructions.

Our Custom-Built Decryption Tool

Through reverse-engineering LockSprut’s encryption routines, our research team has successfully developed a dedicated decryption utility. Unlike generic recovery tools, this decryptor is tailored for LockSprut’s unique algorithm and is compatible with Windows, Linux, and VMware ESXi systems. It relies on a combination of cloud-side cryptographic verification and local integrity validation to deliver safe and consistent recovery. Organizations have already used it to resume operations without ransom payments.


How LockSprut Operates

Every LockSprut infection begins with the creation of a victim-specific identifier embedded in the ransom note (example: OJW5NJ0NNWWLSCRDFAE1Z5R7YW). The ransomware encrypts all accessible data, renames files with the .rupy3xz1 extension, and threatens victims with permanent data loss if unauthorized decryption attempts are made.

A notable difference from traditional ransomware is LockSprut’s abandonment of Tor negotiation portals, instead opting for decentralized peer-to-peer communication. This strategy provides the operators with greater resilience against takedowns.


Immediate Response to a LockSprut Breach

The initial response window is critical. The moment LockSprut activity is detected, network isolation must be enforced to contain the spread. Encrypted samples and ransom notes should be preserved since they are often essential for decryption. Victims are advised not to reboot systems, as reboots may activate lingering encryption processes. Prompt engagement with experienced cyber incident teams greatly improves recovery outcomes.


What’s Required for Decryption

To pursue recovery, victims should ensure they have:

  • The ransom note containing the personal ID
  • A collection of encrypted files
  • Administrative access on the affected machine
  • Internet connectivity (for cloud-based key validation)

Additionally, preserving log files and forensic artifacts is highly recommended for later investigation.

Paths to Recovery

Free Possibilities

The best-case recovery scenario involves offline or cloud backups. If backups remain intact, they provide the cleanest method of restoration. Organizations should validate these backups before redeployment to ensure they were not corrupted during the attack. In virtualized environments, VM snapshots can also be rolled back if they were not purged by the attackers.

Researchers occasionally analyze ransomware for flaws in the encryption routine that can be exploited for free decryption, but no such weakness has yet been found for LockSprut’s .rupy3xz1 variant.

Paid Options

Some victims turn to ransom payment as a last resort, but this carries considerable risk: there is no guarantee of working decryption, and attackers may embed backdoors or demand secondary payments. Negotiators are sometimes engaged to lower demands, though their fees can be significant.

Our Proprietary Solution

Our LockSprut Decryptor serves as a professional-grade alternative. By leveraging AI-powered mapping between the ransom note ID and file structures, it restores data securely. It supports both offline recovery (for isolated machines) and cloud-assisted decryption (for faster enterprise-scale recovery). Unlike unofficial utilities, our tool has been tested extensively in corporate infrastructures.


Step-by-Step: Using the Decryptor

1. Access the Tool

  • Contact our recovery team to obtain the decryptor package.
  • Verify integrity using the supplied checksum.

2. System Preparation

  • Disconnect the infected host from all networks.
  • Temporarily disable antivirus or endpoint security tools to avoid interference.
  • Consolidate encrypted files and the ransom note into a separate folder.

3. Tool Initialization

  • Launch the decryptor with administrator rights.
  • The software parses the ransom note and retrieves the victim’s personal ID.
  • This identifier is mapped against LockSprut’s encryption model to reconstruct key pathways.

4. Key Retrieval

  • The tool reaches out to our licensed recovery service for key provisioning.
  • Upon verification, decryption session keys are generated.

5. File Restoration

  • Choose the parent folder containing encrypted data.
  • The tool processes items in batches, restoring filenames and original extensions (e.g., image.jpg.rupy3xz1 → image.jpg).
  • Detailed progress logs are recorded for auditing.

6. Post-Recovery Checklist

  • Reactivate security software.
  • Conduct a full malware sweep to eliminate persistence.
  • Transfer recovered files to a secure, uncompromised environment.

Important Considerations

  • The decryptor only supports .rupy3xz1-based LockSprut samples.
  • Partially corrupted or overwritten files may not be recoverable.
  • Exfiltrated data remains exposed — recovery does not undo data theft.

Indicators of Compromise

File Traces

  • Encrypted files renamed with the .rupy3xz1 extension
  • Presence of LOCKSPRUT_README.TXT ransom note

Communication Channels

  • Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1
  • Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940
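The two file traces and the contact handles above are the indicators a responder can check for without the vendor's tool. The following script is an added example (not the decryptor described on this page): it walks a directory tree, collects files carrying the .rupy3xz1 extension, locates LOCKSPRUT_README.TXT notes, and extracts the personal ID, Tox ID and Session ID from each note using the field layout shown in the ransom-note section further down. The sample tree it builds in a temporary directory is constructed for the illustration; the ID lengths it expects (76 hex characters for Tox, 66 for Session) are taken from the handles listed above.

```python
"""Scan a directory tree for LockSprut file-level indicators and parse any ransom note found.

Added example, not the page's decryptor. Indicators: the .rupy3xz1 extension and the
LOCKSPRUT_README.TXT note. The sample tree built below is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".rupy3xz1"
NOTE_NAME = "LOCKSPRUT_README.TXT"

# Field patterns follow the note layout reproduced on the page. The fixed lengths
# (76 hex chars for a Tox ID, 66 for a Session ID) match the handles the page lists.
PERSONAL_ID_RE = re.compile(r"Personal ID:\s*([A-Z0-9]{16,})")
TOX_ID_RE = re.compile(r"Tox ID:\s*([0-9A-Fa-f]{76})")
SESSION_ID_RE = re.compile(r"Session ID:\s*([0-9A-Fa-f]{66})")


def parse_note(text):
    """Return the personal ID and attacker contact handles found in note text (None if absent)."""
    found = {}
    for key, pattern in (("personal_id", PERSONAL_ID_RE),
                         ("tox_id", TOX_ID_RE),
                         ("session_id", SESSION_ID_RE)):
        match = pattern.search(text)
        found[key] = match.group(1) if match else None
    return found


def original_name(filename):
    """Strip the appended extension: image.jpg.rupy3xz1 -> image.jpg."""
    if filename.endswith(ENCRYPTED_EXT):
        return filename[: -len(ENCRYPTED_EXT)]
    return filename


def scan(root):
    """Walk `root` and collect encrypted file paths plus one parsed record per ransom note."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
            elif name.upper() == NOTE_NAME:
                text = path.read_text(encoding="utf-8", errors="replace")
                notes.append({"path": str(path), **parse_note(text)})
    return {"encrypted": sorted(encrypted), "notes": notes}


# Constructed sample note: field lines copied from the note reproduced on this page.
SAMPLE_NOTE = """>> LockSprut <<
Your files have been encrypted
Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW
>> Contact US <<
- Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1
- Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940
"""


def build_sample_tree():
    """Create a temp directory with two encrypted files, one note and one untouched file."""
    root = Path(tempfile.mkdtemp(prefix="locksprut_sample_"))
    (root / "docs").mkdir()
    (root / "docs" / "image.jpg.rupy3xz1").write_bytes(b"\x00opaque ciphertext")
    (root / "docs" / "budget.xlsx.rupy3xz1").write_bytes(b"\x00opaque ciphertext")
    (root / "docs" / NOTE_NAME).write_text(SAMPLE_NOTE, encoding="utf-8")
    (root / "readme.md").write_text("untouched file\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    report = scan(build_sample_tree())
    for path in report["encrypted"]:
        print("encrypted:", path, "->", original_name(Path(path).name))
    for note in report["notes"]:
        print("note:", note["path"], "personal_id:", note["personal_id"])
```

Run it against a copied share (never the live host, and never by renaming files in place) to get a count of affected files and the personal ID to preserve as evidence; the `original_name` helper only computes the pre-encryption name and does not touch the file.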

Tools Employed by the Operators

LockSprut affiliates make extensive use of dual-use tools — legitimate software repurposed for malicious ends.

  • Tox and Session messengers form the core of victim communication, providing attackers with resilient, decentralized contact points.
  • Mimikatz is used for credential theft, enabling privilege escalation and impersonation of domain users.
  • Advanced IP Scanner and SoftPerfect Network Scanner are deployed to identify networked hosts and open services.
  • AnyDesk and Ngrok tunnels provide persistence and covert RDP access.
  • RClone is leveraged to siphon stolen data into cloud storage platforms such as Mega.nz or Dropbox.
  • System recovery is hindered by issuing vssadmin.exe and wmic commands to erase shadow copies.
  • BYOVD (Bring Your Own Vulnerable Driver) techniques, sometimes with PowerTool, are used to tamper with security products at the kernel level.

This toolset reflects a strategy of weaponizing readily available utilities, which complicates detection while minimizing the need for custom-built malware.


Attack Lifecycle & Tactics

Observed LockSprut tradecraft maps to the following MITRE ATT&CK tactics:

  • Initial Access: Exploited RDP endpoints, public-facing service vulnerabilities, and phishing attachments.
  • Credential Access: Mimikatz used to extract cached credentials and Kerberos tickets.
  • Discovery: Host and service enumeration through network scanning utilities.
  • Defense Evasion: BYOVD techniques with tools like Zemana and PowerTool, plus shadow copy deletion.
  • Exfiltration: File transfers through RClone, FileZilla, and Mega.nz.
  • Persistence: Remote access maintained with AnyDesk and Ngrok.
  • Impact: Hybrid encryption (ChaCha20 + RSA) renders files inaccessible, with ransom notes directing victims to decentralized messengers.
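Because the toolset in the two sections above is made of legitimate utilities, the most reliable detection opportunity is the command lines they are launched with. The following script is an added example (not the page's tool or any vendor rule set): it parses constructed process-creation log lines in a simple key=value format assumed for this illustration, and raises an alert for the behaviours named above, namely shadow copy deletion via vssadmin or wmic, RClone transfers to Mega or Dropbox remotes, and Ngrok or AnyDesk launches. The tactic labels on each rule follow the mapping the page gives.

```python
"""Flag the dual-use tooling this page attributes to LockSprut affiliates in
process-creation telemetry.

Added example. The log line format is an assumption made for this illustration and
the sample lines are constructed; adapt LINE_RE to your own telemetry source.
"""
import re

# One line per process start, assumed format:
#   <timestamp> host=<host> user=<domain\user> pid=<n> parent=<image> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Rules keyed to the behaviours listed on the page; tactic names follow its ATT&CK mapping.
# Patterns run against the lowercased command line so casing tricks do not evade them.
RULES = [
    ("shadow_copy_deletion_vssadmin", "Defense Evasion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_deletion_wmic", "Defense Evasion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("rclone_to_cloud_storage", "Exfiltration",
     re.compile(r"\brclone(?:\.exe)?\b.*\b(?:copy|sync|move)\b.*\b(?:mega|dropbox)\b")),
    ("ngrok_tunnel", "Persistence",
     re.compile(r"\bngrok(?:\.exe)?\b.*\b(?:tcp|http)\b")),
    ("anydesk_launch", "Persistence",
     re.compile(r"\banydesk(?:\.exe)?\b")),
]


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the assumed format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def analyze(lines):
    """Return one alert per (line, rule) match in log order; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        cmd = event["cmd"].lower()
        for rule, tactic, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"rule": rule, "tactic": tactic, "ts": event["ts"],
                               "host": event["host"], "user": event["user"],
                               "cmd": event["cmd"]})
    return alerts


# Constructed sample log: a benign vssadmin listing, a notepad launch, and four
# events that should fire. Hosts, users and paths are invented.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z host=FS01 user=CORP\\svc_backup pid=4120 parent=services.exe cmd="vssadmin.exe list shadows"
2025-03-04T09:14:37Z host=FS01 user=CORP\\jdoe pid=5588 parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"
2025-03-04T09:14:39Z host=FS01 user=CORP\\jdoe pid=5601 parent=cmd.exe cmd="WMIC.exe shadowcopy delete"
2025-03-04T09:20:05Z host=FS01 user=CORP\\jdoe pid=5730 parent=powershell.exe cmd="rclone.exe copy D:\\Finance mega:drop --transfers 8"
2025-03-04T09:21:00Z host=WS07 user=CORP\\jdoe pid=2210 parent=explorer.exe cmd="ngrok.exe tcp 3389"
2025-03-04T09:25:00Z host=WS07 user=CORP\\asmith pid=2390 parent=explorer.exe cmd="notepad.exe C:\\Users\\asmith\\notes.txt"
"""


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f'{alert["ts"]} {alert["host"]} {alert["user"]} [{alert["tactic"]}] '
              f'{alert["rule"]}: {alert["cmd"]}')
```

The first sample line (a plain `vssadmin list shadows`) deliberately does not fire, which is the distinction an analyst wants: listing shadow copies is routine administration, deleting them immediately before mass file modification is the recovery-inhibiting step the page describes.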

Global and Sectoral Impact

LockSprut, though new, has already been observed impacting multiple regions and industries. Early incident reports point to European organizations as the primary victims, with additional cases seen in Asia and North America.

  • Top Countries Affected, Industries Targeted, Timeline of Attacks: presented as charts on the original page; the underlying figures are not reproduced in this text.

Anatomy of the Ransom Note

The ransom note is straightforward and typically includes the following instructions:

>> LockSprut <<

Your files have been encrypted

Personal ID:  OJW5NJ0NNWWLSCRDFAE1Z5R7YW

>> What to do? << 

1. Install and run TOX messenger from https://tox.chat/download.html

2. Add our contact – C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

3. Send a message with your personal id

OR

1. Install and run Session messenger from https://getsession.org/

2. Add our contact – 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940

3. Send a message with your personal id

>> Attention << 

** Do not rename or modify encrypted files

** Do not try to decrypt your data using third party software, it may cause permanent data loss.

** Decryption of your files with the help of third parties may cause increased price (they add their fee to our).

>> Contact US <<

– Tox ID: C58775962D3E45152BA1BBAF96D9D9F21FDDE5084E90A1F14010624D92F4DD75DB5447D2E3F1

– Session ID: 052a779ec18813883e39e8f2ecb7e59cf0ba905b6f8acc66fcbf00c88395a41940

Mitigation & Prevention

To reduce exposure, organizations should:

  • Implement multi-factor authentication on remote logins.
  • Patch internet-facing services rapidly.
  • Enforce network segmentation to slow lateral movement.
  • Maintain immutable, offline backups.
  • Monitor for anomalous outbound traffic, particularly to P2P protocols.

Conclusion

Although LockSprut is still in its infancy, its technical makeup and shift toward decentralized communication suggest an evolution of the ransomware ecosystem. Victims should act decisively, secure evidence, and utilize trusted recovery solutions like our decryptor rather than paying ransom demands.


Frequently Asked Questions

Currently, there is no publicly available free decryptor. Recovery depends on clean backups or specialized professional tools.

Yes, the note contains the personal ID, which is essential for key mapping.

Pricing is case-specific, depending on the number of systems and the scope of encryption. Our team provides tailored quotes after analysis.

Yes, it supports Windows, Linux, and VMware ESXi.

Yes — all communications occur over encrypted channels with integrity checks.

Unverified software may corrupt files beyond repair and can even escalate ransom amounts if attackers detect tampering.
