Repository metadata:

- Repository: [Saddytech/lockbit-rescue](https://github.com/Saddytech/lockbit-rescue) (owner Saddytech, default branch `main`, not archived, not a fork)
- Description: A toolkit for recovering files encrypted by LockBit 3.0 ("Black") ransomware without paying the ransom, by exploiting a known keystream-reuse weakness.
- Language: Python; license: MIT License
- Stars: 147 (1 in the last day, 11 in the last 7 days, 110 in the last 30 days); forks: 35; watchers: 3; open issues: 0
- Topics: `lockbit`, `ramsomware`, `ramsomware-recovery`
- Last updated: 2026-06-12 04:01:23; last sync: 2026-06-11 03:56:56
- Summary (translated): This project is a toolkit for recovering files encrypted by the LockBit 3.0 ("Black") ransomware without paying the ransom. It exploits a known keystream-reuse weakness to decrypt files. Its core functions are auto-detecting the random 9-character extension, walking the source directory recursively and grouping files by the fingerprint of their RSA-encrypted KEK, picking the longest-named file in each group as a known-plaintext oracle to recover the keystream, and decrypting the other files in the same group. It is written in Python under the MIT license and is aimed at LockBit 3.0 victims who want to recover part of their files for free. Real-world recovery is typically 5–40%, depending on the length of the original filenames.

---

# lockbit-rescue

Recover files encrypted by **LockBit 3.0 ("Black") / CriptomanGizmo** without paying the ransom, by exploiting the documented **keystream-reuse weakness** in its file-encryption routine.

This tool can decrypt a meaningful subset of files for free, **without the attacker's private key**, provided your encrypted batch contains at least one file whose original filename was long enough to act as a *known-plaintext oracle*.

> **Bottom line.** Real-world coverage is typically 5–40% of all encrypted files (highly dependent on how long the original filenames were). Files outside groups with a long-named oracle remain unrecoverable.

---

## TL;DR — recover your files

```bash
# 1. Get the tool
git clone https://github.com/Saddytech/lockbit-rescue.git
cd lockbit-rescue

# 2. Build the C decryptor and install the Python deps
bash install.sh

# 3. Run it
python3 lockbit-rescue.py /path/to/encrypted /path/to/recovered

# 4. Check the result
python3 verify-recovered.py /path/to/recovered
```

The tool will:
1. Auto-detect the random 9-character ransomware extension.
2. Walk the source recursively and group encrypted files by their RSA-encrypted KEK fingerprint (same group = same Salsa20 keystream).
3. Pick the longest-named file in each group as the "oracle".
4. Recover the keystream from the oracle (filename + footer metadata is known plaintext).
5. Decrypt every other file in the group whose footer is short enough to fit under the recovered keystream coverage.
6. Save them under `OUTPUT/group_<kek>/<original_name>`.
7. Skip writes where libmagic reports raw `data` (a botched decryption).

It is **resumable**: re-run the same command if interrupted and it skips work already on disk.

---

## What is the vulnerability?

LockBit 3.0 ("Black") encrypts file contents with a modified Salsa20 (random 64-byte initial state, no Salsa20 sigma constants). Within one encryption batch the same Salsa20 key, and therefore the same keystream, is reused across many files. Each file ends with a 134-byte footer:

```
[ -134 : -132 ]  fei_len      uint16 little-endian: footer-encryption-info length
[ -132 : -128 ]  checksum     uint32
[ -128 :      ]  KEK blob     128 bytes (the RSA-encrypted Key Encryption Key)
```

Since the **KEK blob is identical** for every file in the same batch, files can be grouped into batches by hashing that 128-byte blob.

The "fei" (footer-encryption-info) region of each file is encrypted with that same reused Salsa20 keystream. The plaintext under it includes the original filename (apLib-compressed, UTF-16LE) plus a few fixed-format fields.
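The following Python is an added example, not code from lockbit-rescue or from yohanes's `stream-reuse.c`. It models the footer parsing and KEK grouping described above, and the known-plaintext keystream recovery that the rest of this section explains: the oracle's filename (recovered from the encrypted file's own name by stripping the 9-character extension) and its 18-byte trailer are XORed against the fei ciphertext, and any group member whose whole fei lies under the recovered keystream bytes is decrypted; members that do not fit come back as `None`. Everything it assumes is marked in the code: the reused Salsa20 keystream is replaced by a SHA-256 counter stand-in, the apLib compression of the filename is omitted, the fei is taken to sit directly before the 134-byte footer, the fixed-format fields between filename and trailer are assumed to be 64 bytes (this page says the per-file `file_encryption_key` is what gets recovered there but does not give the exact layout; the project's `docs/TECHNICAL.md` does), and the batch, extension, KEK blobs and `skipped/before/after` values are constructed.

```python
import hashlib
import struct
from collections import defaultdict

FOOTER_LEN = 134   # fei_len(2) || checksum(4) || KEK blob(128), as documented above
KEK_LEN = 128
TRAILER_LEN = 18   # filename_size[2] || skipped_bytes[8] || before_chunk_count[4] || after_chunk_count[4]
FIELDS_LEN = 64    # ASSUMED size of the fixed-format fields between filename and trailer


def keystream(seed: bytes, n: int) -> bytes:
    """CONSTRUCTED stand-in for the batch's reused Salsa20 keystream (SHA-256 in counter mode)."""
    blocks = (hashlib.sha256(seed + struct.pack("<I", i)).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def trailer_for(orig_name: str, batch: tuple) -> bytes:
    """The 18 trailing fei bytes; skipped/before/after are ASSUMED to be known per batch."""
    skipped, before, after = batch
    return struct.pack("<HQII", len(orig_name.encode("utf-16-le")), skipped, before, after)


def encrypt_file(body, orig_name, fields, batch, kek, ks_seed):
    """CONSTRUCTED encryptor: only the fei/footer structure matters for the weakness."""
    fei_pt = orig_name.encode("utf-16-le") + fields + trailer_for(orig_name, batch)
    fei_ct = xor(fei_pt, keystream(ks_seed, len(fei_pt)))
    return body + fei_ct + struct.pack("<HI", len(fei_pt), 0) + kek   # checksum not modelled


def parse_footer(blob: bytes):
    """(fei_len, checksum, kek, fei_ct) from the last fei_len + 134 bytes of an encrypted file."""
    fei_len, checksum = struct.unpack_from("<HI", blob, len(blob) - FOOTER_LEN)
    end = len(blob) - FOOTER_LEN
    return fei_len, checksum, blob[-KEK_LEN:], blob[end - fei_len:end]


def group_by_kek(files: dict) -> dict:
    """Batch = identical KEK blob; keyed by a 12-hex fingerprint like OUTPUT/group_<kek>/."""
    groups = defaultdict(list)
    for enc_name, blob in files.items():
        groups[hashlib.sha256(parse_footer(blob)[2]).hexdigest()[:12]].append(enc_name)
    return dict(groups)


def recover_keystream(blob, orig_name, batch) -> dict:
    """XOR the known plaintext (filename at the front, trailer at the end) with the fei ciphertext."""
    fei_len, _, _, fei_ct = parse_footer(blob)
    known = {}                                   # keystream offset -> recovered byte
    for i, p in enumerate(orig_name.encode("utf-16-le")):
        known[i] = fei_ct[i] ^ p
    for i, p in enumerate(trailer_for(orig_name, batch)):
        known[fei_len - TRAILER_LEN + i] = fei_ct[fei_len - TRAILER_LEN + i] ^ p
    return known


def decrypt_fei(blob, known):
    """The fei plaintext if every one of its bytes is under recovered keystream, else None."""
    fei_len, _, _, fei_ct = parse_footer(blob)
    if any(i not in known for i in range(fei_len)):
        return None                              # outside coverage: cryptographically blocked
    return bytes(fei_ct[i] ^ known[i] for i in range(fei_len))


def recover_batches(files, ext, batch):
    """Longest-named file per group is the oracle; returns {enc_name: fixed fields or None}."""
    def strip(enc_name):
        return enc_name[:-len(ext)]
    out = {}
    for members in group_by_kek(files).values():
        oracle = max(members, key=lambda n: len(strip(n)))
        known = recover_keystream(files[oracle], strip(oracle), batch)
        for n in members:
            pt = decrypt_fei(files[n], known)
            out[n] = None if pt is None else pt[-(FIELDS_LEN + TRAILER_LEN):-TRAILER_LEN]
    return out


# CONSTRUCTED sample: one extension, two KEK blobs (two batches), four files
EXT = ".MoHsVxKYI"
BATCH = (0, 1, 1)                                 # skipped_bytes, before_chunk_count, after_chunk_count
KEK_A, KEK_B = bytes([0xA5]) * KEK_LEN, bytes([0x5A]) * KEK_LEN
NAMES = {
    "oracle": "2023 Annual Report on Regional Water Quality Monitoring (final draft v3).pdf",
    "short": "IMG_0001.jpg",                      # fei 106 bytes: fits under the oracle's 152 known bytes
    "long": "Quarterly budget review presentation 2024.pptx",   # fei 174 bytes: does not fit
    "alone": "notes.txt",                         # only file in batch B: it is its own oracle
}
FIELDS = {k: hashlib.sha512(k.encode()).digest() for k in NAMES}   # 64-byte stand-in fields
FILES = {NAMES[k] + EXT: encrypt_file(b"\x00" * 32, NAMES[k], FIELDS[k], BATCH, KEK_A, b"batch-A")
         for k in ("oracle", "short", "long")}
FILES[NAMES["alone"] + EXT] = encrypt_file(b"\x00" * 32, NAMES["alone"], FIELDS["alone"], BATCH, KEK_B, b"batch-B")


def demo():
    return recover_batches(FILES, EXT, BATCH)


if __name__ == "__main__":
    for enc_name, fields in demo().items():
        print(f"{'recovered' if fields else 'blocked  '}  {enc_name}")
```

The coverage rule falls straight out of `decrypt_fei`: the oracle gives a contiguous run of keystream as long as its filename bytes plus an 18-byte island at its trailer, so a member is recoverable only when its entire fei fits inside that run. The oracle itself, and a batch whose only file has a short name, both leave an uncovered gap where the fixed-format fields sit, which is the "no long-named oracle" case from the "When this tool won't help" section.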
For a file with a *long* original filename we know:

- The first ~N bytes of plaintext exactly (the apLib-compressed filename)
- The 18 trailing bytes (`filename_size[2] || skipped_bytes[8] || before_chunk_count[4] || after_chunk_count[4]`)

XORing that known plaintext with the ciphertext at the corresponding positions **recovers that many bytes of the Salsa20 keystream**. Any *other* file in the same batch whose footer is small enough to fit within those recovered keystream bytes can then be decrypted directly.

This research is by [Calif.io](https://www.calif.io/blog/lockbit-3.0-decryptor) and implemented in [yohanes/lockbit-v3-linux-decryptor](https://github.com/yohanes/lockbit-v3-linux-decryptor) (`stream-reuse.c`), which this tool drives.

---

## Requirements

- Linux x86_64
- `gcc`, `make`, `git`, `python3` (3.8+), `pip`
- The `file` command (libmagic), pre-installed on most distros
- Python: `tqdm` (installed by `install.sh`)

The `install.sh` script handles everything except the system packages above.
On Debian/Ubuntu:

```bash
sudo apt install build-essential git python3 python3-pip file
bash install.sh
```

On Arch/CachyOS:

```bash
sudo pacman -S base-devel git python python-pip file
bash install.sh
```

---

## Usage

### Basic

```bash
python3 lockbit-rescue.py SOURCE_DIR OUTPUT_DIR
```

### Common flags

| Flag | Purpose | Default |
|---|---|---|
| `--ext .XYZxyzABC` | Force the ransomware extension instead of auto-detecting it | auto |
| `--min-size N` | Skip files smaller than N bytes | 10240 (10 KiB) |
| `--max-size N` | Skip files larger than N bytes | 1073741824 (1 GiB) |
| `--no-extension-filter` | Don't filter by original file type; try everything | off |
| `--stream-reuse PATH` | Path to the `stream-reuse` binary | auto-search |
| `--scratch PATH` | Scratch dir for temp files | `OUTPUT/.scratch` |
| `--timeout N` | Per-file decryption timeout (seconds) | 600 |

### Output layout

```
OUTPUT_DIR/
├── group_a1b2c3d4e5f6/         # one folder per encryption batch
│   ├── photo1.jpg
│   ├── report.pdf              # was docs/report.pdf in the source: sub-paths are flattened, see note
│   └── ...
├── group_f0e9d8c7b6a5/
│   └── ...
└── .scratch/                   # temporary working files (safe to delete afterwards)
```

> **Note**: filenames inside `group_*/` keep their original *basename*, not their original full path. If you need to map a recovered file back to the original directory tree, cross-reference by basename with your encrypted source. A future version may emit a `manifest.csv`.

### Verifying results

```bash
python3 verify-recovered.py OUTPUT_DIR
```

This runs `file -b` on every output and classifies them:

- **GOOD** — magic bytes match the file extension. Recovery succeeded.
- **MISMATCH** — recognized file type, but the magic differs from the extension. **This almost always means the original file was renamed by the user before encryption (e.g. a PDF saved as `.html`)**.
Content is intact.
- **SUSPECT** — libmagic returned raw `data`, `empty`, or `corrupted`. The decryption may be wrong for this file; investigate.

A clean run should show ~0% SUSPECT.

---

## FAQ

**Q: My extension isn't `.MoHsVxKYI`. Does it still work?**
Yes. LockBit 3 generates a different 9-character extension per attack. The tool auto-detects it (or pass `--ext .YourExt`).

**Q: How much of my data will I get back?**
It depends on whether each encryption batch contained at least one file with a long original filename. If your filenames are short (e.g. `IMG_0001.jpg`), recovery may be 0% for that batch. If they're long (e.g. scientific paper titles, Italian document names, downloads with descriptive titles), recovery can exceed 80% of the targeted files.

**Q: What about files larger than 1 GiB?**
Skipped by default to keep runs finite (think VM disks). Raise `--max-size` if you want to attempt them; note that I/O cost scales with file size, since the stream-reuse implementation reads the whole file.

**Q: Is this safe to run? Will it modify my encrypted files?**
It is safe, and it does not modify them. The tool only reads from the source and writes to the output directory. Encrypted originals are untouched.

**Q: Why does the script split output by `group_<kek>` rather than restoring the original directory tree?**
Two reasons: (a) per-batch separation is the natural unit of the exploit and helps spot issues; (b) different batches can legitimately contain files with the same basename. You can rearrange afterwards using basename matching.

**Q: My system disk is small and the output has to go to a network share. Will that work?**
Yes. Point `OUTPUT_DIR` directly to a mounted network share (SMB/NFS). Use `--scratch /path/on/local/disk` if you want temporary files on local disk for speed.
Note: very slow NAS hardware can cap throughput at ~10 MB/s regardless of CPU or network; this is a hardware limit, not a script limit.

**Q: My ransomware ID/decryption ID is X. Can I check if law enforcement has a key?**
Yes. Visit [No More Ransom](https://www.nomoreransom.org/) and use their "Crypto Sheriff" or "Decryption Tools → LockBit 3.0 Black" checker. If the FBI/Europol publishes the private RSA key for your decryption ID in the future, you can decrypt 100% of files.

---

## When this tool won't help

- **No long-named oracle in a batch.** The `fei_len` of every file in the batch is small (short original filenames) and there is no usable known-plaintext span. Cryptographically blocked.
- **Files larger than 4 GiB.** The Salsa20 keystream offset for chunked encryption exceeds the keystream we can recover from any oracle.
- **Different LockBit family / different ransomware.** This exploit is specific to LockBit 3.0 ("Black"). Variants like LockBit Green, LockBit Linux, or other families (Conti, Akira, etc.) have different cryptography.

---

## Files in this package

- `lockbit-rescue.py` — main recovery script (scan, group, decrypt, verify)
- `verify-recovered.py` — integrity sweep using libmagic
- `brute-extend` (+ `src/_brute_extend.c`) — *Phase 2 tool*: pure-C, segfault-free keystream extension via known-plaintext brute force.
See [BRUTEFORCE.md](docs/BRUTEFORCE.md).
- `direct-decrypt` (+ `src/_direct_decrypt.c`) — *Phase 2 tool*: decrypts a single file body given a recovered `file_encryption_key` and the batch's chunking parameters.
- `install.sh` — clones upstream stream-reuse and builds `stream-reuse`, `brute-extend`, `direct-decrypt`; installs `tqdm`
- `docs/TECHNICAL.md` — in-depth explanation of footer layout, keystream recovery, coverage math
- `docs/BRUTEFORCE.md` — segfault diagnosis, pure-C fix, false-positive lesson, end-to-end Phase 2 workflow
- `docs/STORY.md` — chronicle of the recovery operation this tool was built from (now includes Phase 11)
- `LICENSE` / credits — see end of this file

## Advanced: recovering files the main flow had to skip

The main `lockbit-rescue.py` flow only decrypts files whose `fei_len ≤ ~106` (the natural coverage from a long-named oracle). Files in the same batch with longer FEIs are skipped.

If you want to push further:

1. Use `brute-extend` to extend the keystream byte by byte, climbing a ladder of intermediate-`fei_len` files in the same batch. 1–3 byte extensions are essentially instant; a 4-byte extension takes ~9 minutes at 2³² iterations.
2. With each successful extension you also recover that target's `file_encryption_key` (the 64-byte Salsa20 state for its body).
3. Use `direct-decrypt` with that key plus the batch's `before/after/skipped` parameters to recover the full file body.

See [BRUTEFORCE.md](docs/BRUTEFORCE.md) for a complete worked example (including the false-positive trap with short magic strings and the chunking-parameter requirements).

---

## Credits

- **Calif.io** for [the LockBit 3.0 decryptor research and write-up](https://www.calif.io/blog/lockbit-3.0-decryptor) that documents the keystream-reuse weakness.
- **yohanes** for the C/Python implementation in [lockbit-v3-linux-decryptor](https://github.com/yohanes/lockbit-v3-linux-decryptor); `stream-reuse.c` does the actual cryptographic work, and this package wraps it with discovery, batching, resume, and verification.
- This package: lockbit-rescue, i.e. the pipeline, integrity sweep, install scripts, and documentation.

---

## Disclaimer

This tool is for legitimate recovery of files on systems you own, by victims of LockBit 3.0 ransomware. Do not use it to bypass legitimate security mechanisms. The author makes no warranty as to fitness or completeness.
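The "Output layout" note above leaves mapping recovered files back to the original directory tree to the user, and the FAQ points out that two batches can legitimately contain the same basename. The following Python is an added example, not part of lockbit-rescue: it auto-detects the 9-character extension the way step 1 of the tool describes (most common `.xxxxxxxxx` suffix), builds a basename-to-original-path manifest from the encrypted source tree, maps each `group_<kek>/<basename>` output to its original path, writes the `manifest.csv` the note mentions, and leaves ambiguous basenames (zero or several candidates) in their group folder rather than guessing. The sample source and output listings are constructed; the `__main__` branch runs the same logic over real `SOURCE_DIR`, `OUTPUT_DIR` and a restore directory.

```python
import csv
import io
import posixpath
import shutil
import sys
from collections import Counter, defaultdict
from pathlib import Path

EXT_LEN = 9  # LockBit 3.0 appends a random 9-character extension (see FAQ)


def detect_extension(enc_paths):
    """Most common '.xxxxxxxxx' suffix (9 alphanumerics after a dot); None if there is no candidate."""
    counts = Counter(
        p[-(EXT_LEN + 1):]
        for p in enc_paths
        if len(p) > EXT_LEN + 1 and p[-(EXT_LEN + 1)] == "." and p[-EXT_LEN:].isalnum()
    )
    return counts.most_common(1)[0][0] if counts else None


def build_manifest(enc_paths, ext):
    """basename -> every original relative path (extension stripped) that carries that basename."""
    manifest = defaultdict(list)
    for p in enc_paths:
        if p.endswith(ext):
            orig = p[: -len(ext)]
            manifest[posixpath.basename(orig)].append(orig)
    return dict(manifest)


def plan_restore(manifest, recovered_paths):
    """Map 'group_<kek>/<basename>' to one original path, or None when the basename is ambiguous."""
    plan, ambiguous = {}, []
    for rec in recovered_paths:
        candidates = manifest.get(posixpath.basename(rec), [])
        if len(candidates) == 1:
            plan[rec] = candidates[0]
        else:
            plan[rec] = None          # 0 or >1 candidates: leave it in its group_ folder
            ambiguous.append((rec, candidates))
    return plan, ambiguous


def manifest_csv(plan):
    """The manifest.csv the README says a future version may emit (empty target = unresolved)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["recovered", "original_path"])
    for rec, target in sorted(plan.items()):
        writer.writerow([rec, target or ""])
    return buf.getvalue()


def restore_tree(plan, output_dir, restore_dir):
    """Copy unambiguously mapped files to restore_dir/<original path>, never overwriting. Returns count."""
    copied = 0
    for rec, target in plan.items():
        if target is None:
            continue
        dst = Path(restore_dir) / target
        if dst.exists():
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(output_dir) / rec, dst)
        copied += 1
    return copied


# CONSTRUCTED sample: relative paths as a walk of SOURCE_DIR and OUTPUT_DIR would yield them
SOURCE = [
    "photos/2019/photo1.jpg.MoHsVxKYI",
    "docs/report.pdf.MoHsVxKYI",
    "archive/old/report.pdf.MoHsVxKYI",   # same basename as docs/report.pdf, different directory
    "docs/readme.txt",                      # never encrypted
]
RECOVERED = [
    "group_a1b2c3d4e5f6/photo1.jpg",
    "group_a1b2c3d4e5f6/report.pdf",
    "group_f0e9d8c7b6a5/report.pdf",       # a second batch also held a report.pdf
]


def demo():
    return plan_restore(build_manifest(SOURCE, detect_extension(SOURCE)), RECOVERED)


if __name__ == "__main__":
    if len(sys.argv) == 4:   # real run: SOURCE_DIR OUTPUT_DIR RESTORE_DIR
        src, out, dest = map(Path, sys.argv[1:4])
        enc = [p.relative_to(src).as_posix() for p in src.rglob("*") if p.is_file()]
        ext = detect_extension(enc) or sys.exit("no 9-character extension found; pass it explicitly")
        rec = [p.relative_to(out).as_posix() for p in out.rglob("group_*/*") if p.is_file()]
        plan, ambiguous = plan_restore(build_manifest(enc, ext), rec)
        print(f"copied {restore_tree(plan, out, dest)} files; {len(ambiguous)} left in group_ folders")
    else:
        plan, ambiguous = demo()
        print(manifest_csv(plan))
        for rec, candidates in ambiguous:
            print(f"ambiguous: {rec} -> {candidates}")
```

Ambiguous entries are deliberately not resolved by guessing: the two `report.pdf` outputs could be either source path, so they stay under their `group_*/` folder and are listed with their candidate paths for a human to settle (comparing `file -b` output, size or content against the encrypted originals' sizes is the usual tie-breaker).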