What is LockBit file extension
.LockBit is a file extension used by malware belonging to the Ransomware category. Security researchers named this new malware “LockBit ransomware”. LockBit is very similar in its characteristics to other ransomware: it encrypts files and then renames them. The filename of an encrypted file consists of its old name with the “.lockbit” extension appended. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock the encrypted data.
Currently, there are two known variants of the LockBit ransomware, which differ in the extension appended to the encrypted files. First variant: files encrypted with .abcd extension. Second variant: files encrypted with .lockbit extension.
What is LockBit ransomware
LockBit ransomware is a new malware that belongs to the category of ransomware. It appends the ‘.LockBit’ extension to each file that it encrypts using a complex encryption mechanism. Like other ransomware, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, the LockBit ransomware collects information about the computer and then proceeds to encrypt the files located on it. The following common file types can be encrypted:
.indd, .xlsm, .ibank, .zi, .dng, .lrf, .p12, .cas, .crw, .t12, .eps, .vtf, .vcf, .pfx, .rim, .css, .odb, .ntl, .zw, .nrw, .xwp, .bik, .wpa, .ai, .fos, .cr2, .1st, .kdc, .xlsx, .wpt, .pem, .der, .forge, .srf, .t13, .webdoc, .ptx, .dazip, .zip, .dba, .menu, .bkf, .epk, .wbz, .odt, .sidn, .ppt, .qdf, .xmmap, .jpe, .3dm, .orf, .map, .js, .wgz, .wbd, .xy3, .wp, .wps, .xbplate, .xyp, .wmf, .rar, .mdbackup, .p7c, .zif, .pptx, .pef, .wcf, .csv, .rtf, .sidd, .z3d, .wdp, .odp, .ybk, .bar, .mdf, .syncdb, .das, .sr2, .mcmeta, .wot, .flv, .xlsx, .pkpass, .wbm, .hvpl, .wmd, .fpk, .db0, .iwi, .x3d, .wpe, .lbf, .wpw, .yml, .ztmp, .7z, .bc6, .xbdoc, .fsh, .p7b, .mlx, .wm, .wmo, .accdb, .wri, .vfs0, .2bp, .asset, .layout, .cdr, .kf, .itm, .litemod, .wpd, .x3f, .arch00, .xll, .xld, .cfr, .docm, .wpb, .wsh, .ods, .itl, .hplg, .zdc, .ff, .wsd, .odc, .jpeg, .yal, .wire, .lvl, .itdb, .png, .wp5, .dmp, .wb2, .desc, .wsc, .m3u, .y, .vpp_pc, .xmind, .wp7, .rgss3a, .sb, .mddata, .webp, .slm, .py, .sum, .doc, .wpg, .txt, .xlgc, .mef, .wn, .wotreplay, .erf, .xlk, .rwl, .ncf, .psd, .srw, .gho, .kdb, .wbk, .mdb, .cer, .mpqge, .hkdb, .xxx, .wav, .3ds, .xls, .esm, .sis, .vpk, .wdb, .sql, .crt, .wmv, .xls, .bsa, .ysp, .bc7, .rb, .ws, .bkp, .xpm, .jpg, .raw, .tor, .xyw, .m4a, .tax, .1, wallet, .wma, .wp4, .bay, .re4, .zip, .snx, .xlsm, .xx, .icxs, .pak, .wpd, .blob, .xml, .vdf, .d3dbsp, .x3f, .raf, .wp6, .r3d, .docx, .svg, .x, .dwg, .m2, .mp4, .xlsb, .wbmp, .avi, .pdd, .dbf, .w3x, .xar, .apk, .dcr, .psk, .sid, .upk, .qic, .xdl, .pst, .z, .sie, .mov, .xf, .ltx, .pdf, .rofl, .wbc, .sav, .gdb, .odm, .xdb, .wpl, .wps, .rw2, .pptm, .arw
No files will be skipped. All documents, photos and archives located on local disks, system disks and connected network drives will be encrypted. The LockBit ransomware encrypts the contents of all disks file by file. Each encrypted file is marked: the ransomware appends the ‘.lockbit’ extension to its name. That is, as soon as a document named ‘document.doc’ is encrypted, it is immediately renamed to ‘document.doc.lockbit’. If you remove this extension, the file will remain locked, and the associated program will not be able to read its contents.
The LockBit ransomware creates a file with the name “Restore-My-Files.txt” on the infected computer. This file contains a message from the ransomware authors. The full text of this file is:
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
| 1. Download Tor browser – hxxps://www.torproject.org/ and install it.
| 2. Open link in TOR browser – #############################################
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our)
# Tor Browser may be blocked in your country or corporate network. Use hxxps://bridges.torproject.org
# Tor Browser user manual hxxps://tb-manual.torproject.org/about
Criminals use the “Restore-My-Files.txt” file to demand a ransom from LockBit ransomware victims. The ransom demand message says that the victim’s files are encrypted. The ransomware authors demand a ransom in exchange for a key and a decryptor. Attackers offer to decrypt a single file for free. Of course, decryption of one file cannot guarantee that, after paying the ransom, the victim will be able to recover the files affected by the ransomware.
Text presented on the LockBit ransomware website:
What happpend?
Many of your documents, databases, videos and other important files are no longer accessible because they have ben encrypted. Maybe you are busy locking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. LockBit Ransomware use AES and RSA cryptography algorithms.
How to recover my files?
We guarantee that you can recover all your files safely and easily.
You can decrypt a single file for warranty – we can do it. But if you want to decrypt all your files, you need to pay.
Write to support if you want to buy decryptor.
Trial decrypt
You can decrypt a single file for warranty – we can do it.
Attention! Decryption is available once for you
Find a *.lockbit file on your computer
Upload and get the original
Threat Summary
Name | LockBit ransomware |
Type | Crypto virus, Ransomware, Crypto malware, File locker, Filecoder |
Encrypted files extension | .lockbit, .abcd |
Ransom note | Restore-My-Files.txt |
Contact | goodmen@countermail.com, goodmen@cock.li, chat in Tor website |
Ransom amount | 0.6 Btc |
Detection Names | Ransom:Win32/generic.ali2000010, Trojan.Ransom.Filecoder, Generic.Ransom.LockBit.91CBD888, Trojan.Encoder.30886, Win32/Filecoder.NXQ, Win32.Trojan-Ransom.Lockibit.A, Ransom.LockBit, Ransom:Win32/LokiBot!MSR, Trojan.Win32.Filecoder.gxkpfk, Win32.Trojan.Delshad.Ecal |
Symptoms | Files won’t open. Windows Explorer displays a blank icon for the file type. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Your desktop is locked with a message about How to pay to unlock your system. |
Distribution ways | Phishing emails that contain malicious attachments. Drive-by downloads (crypto virus has the ability to infect the system simply by visiting a web page that is running malicious code). Social media, like web-based instant messaging programs. Remote desktop protocol (RDP) hacking. |
Removal | LockBit ransomware removal guide |
Recovery | LockBit File Recovery |
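The indicators in the Threat Summary (the .lockbit and .abcd suffixes and the Restore-My-Files.txt note) are enough to scope an infection before cleanup and recovery. The following read-only Python scan is an added example, not a tool from this guide; the function names, the 15-minute activity window and the use of file modification time as a proxy for encryption time are assumptions, and the sample tree is constructed.

```python
import os
import time
from collections import Counter
from pathlib import Path

# Indicators from this page's Threat Summary.
ENCRYPTED_SUFFIXES = (".lockbit", ".abcd")
RANSOM_NOTE = "restore-my-files.txt"  # compared case-insensitively

def original_name(name):
    """Return the pre-encryption name, or None if the name is not marked."""
    lower = name.lower()
    for suffix in ENCRYPTED_SUFFIXES:
        # Require a stem: a file called just ".abcd" is not a hit.
        if lower.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return None

def triage(root, active_window=900, now=None):
    """Read-only walk of root that summarises LockBit artefacts."""
    now = time.time() if now is None else now
    report = {"encrypted": 0, "notes": [], "by_type": Counter(),
              "first_hit": None, "last_hit": None, "possibly_active": False}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                report["notes"].append(path)
                continue
            orig = original_name(name)
            if orig is None:
                continue
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable
            report["encrypted"] += 1
            report["by_type"][Path(orig).suffix.lower() or "(none)"] += 1
            # Assumption: mtime approximates when the file was encrypted.
            first, last = report["first_hit"], report["last_hit"]
            report["first_hit"] = mtime if first is None else min(first, mtime)
            report["last_hit"] = mtime if last is None else max(last, mtime)
    if report["last_hit"] is not None:
        # Recently written encrypted files suggest the process is still running.
        report["possibly_active"] = (now - report["last_hit"]) < active_window
    return report

def build_sample_tree(root, encrypted_at):
    """Create a constructed demo tree (placeholder bytes, not real samples)."""
    docs = Path(root, "docs")
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("document.doc.lockbit", "photo.JPG.LOCKBIT",
                 "db.mdf.abcd", "notes.txt"):
        path = docs / name
        path.write_bytes(b"constructed sample")
        os.utime(path, (encrypted_at, encrypted_at))
    (docs / "Restore-My-Files.txt").write_text("constructed placeholder")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, encrypted_at=time.time() - 7200)
        print(triage(tmp))
```

A suffix match alone is weak evidence (particularly .abcd); a ransom note in the same tree strengthens it. If possibly_active is true, encryption may still be in progress, so finish removal before attempting any file recovery.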
To date, antivirus companies have not created a method to decrypt files encrypted by the LockBit ransomware. Nevertheless, you do not need to despair. There are several ways to find and remove LockBit ransomware, and there is also a chance to restore part or even all of the encrypted files to their original state. Below we describe in detail how to do this.
How to remove LockBit ransomware, Restore .LockBit files
If you have encountered the malicious actions of LockBit ransomware and your files have been encrypted with the ‘.LockBit’ extension, you need to remove the virus, or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say this can be done very quickly. If one of the methods proposed below does not suit you, we definitely recommend trying another one, and trying all of them; perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, all the tools that we recommend in our instructions are free and verified by security experts. Lastly, before proceeding with the instructions, we advise you to read them through carefully, and then print them or open them on a tablet or smartphone to have them always at hand.
- How to remove LockBit ransomware
- How to decrypt .lockbit files
- How to restore .lockbit files
- How to protect your computer from LockBit ransomware
How to remove LockBit ransomware
There are not many good and free malware removal tools with a high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signature databases are updated in order to detect modern worms, trojans, ransomware and other malware. We suggest running several programs, not just one. The programs listed below will allow you to remove all components of the LockBit crypto virus from your disk and Windows registry.
Remove LockBit ransomware with Zemana Free
Zemana can scan for all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the LockBit crypto virus, you can easily and quickly delete it.
Installing the Zemana Anti-Malware (ZAM) is simple. First you’ll need to download Zemana on your Desktop by clicking on the following link.
When the download is finished, close all programs and windows on your computer. Open the directory in which you saved it. Double-click the icon called Zemana.AntiMalware.Setup, like below.
When the install begins, you will see the “Setup wizard”, which will help you set up Zemana Anti-Malware (ZAM) on your computer.
Once setup is done, you will see a window as shown on the screen below.
Now press the “Scan” button. The Zemana tool will start scanning the whole PC to find the LockBit crypto malware and other kinds of potential threats such as malware and trojans. This procedure can take some time, so please be patient. While the Zemana AntiMalware (ZAM) utility is checking, you can see how many objects it has identified as being infected by malware.
Once Zemana has finished scanning your personal computer, it will show the Scan Results. In order to remove all items, simply click the “Next” button.
Zemana will remove the folders, files and registry keys related to the LockBit crypto malware and add the threats to the Quarantine.
Use MalwareBytes to remove LockBit ransomware virus
We suggest using MalwareBytes, which can fully clean your PC system of the ransomware. This free tool is an advanced malicious software removal application made by (c) Malwarebytes lab. This application uses the world’s most popular antimalware technology. It is able to help you uninstall ransomware, PUPs, malicious software, adware, toolbars, and other security threats from your machine for free.
Visit the page linked below to download the latest version of MalwareBytes Free for MS Windows. Save it on your MS Windows desktop or in any other place.
Once the download is finished, close all windows on your PC. Then launch the file called mb3-setup. If the “User Account Control” prompt pops up as shown in the following example, press the “Yes” button.
It will open the “Setup wizard”, which will allow you to install MalwareBytes on the computer. Follow the prompts and don’t make any changes to the default settings.
Once setup has finished successfully, click the Finish button. MalwareBytes Anti-Malware will then start automatically and you can see its main window as shown on the image below.
Next, click the “Scan Now” button to begin scanning your computer for the LockBit ransomware and other kinds of potential threats like malicious software and trojans. This procedure can take some time, so please be patient. While MalwareBytes Anti Malware (MBAM) is scanning, you can see how many objects it has identified as being malicious software.
When MalwareBytes Anti Malware (MBAM) has completed scanning, it will display a list of all items detected by the scan. You may delete items (move them to Quarantine) by simply pressing the “Quarantine Selected” button.
MalwareBytes Anti-Malware (MBAM) will begin to remove the folders, files and registry keys related to the LockBit ransomware virus. When the task is finished, you may be prompted to reboot your computer. We advise you to look at the following video, which completely explains the procedure of using MalwareBytes Anti Malware to uninstall hijackers, adware and other malware.
Run KVRT to remove LockBit
If you have already used some malware removal utilities and they found and removed malware, then in order to be 100% sure that the computer no longer has LockBit ransomware, we recommend using the Kaspersky virus removal tool (KVRT). This tool, as its name suggests, is made by the Kaspersky lab and uses the core of the Kaspersky Antivirus. Unlike the Kaspersky Antivirus, KVRT has a smaller size and, most importantly, it can work together with an already installed antivirus. This tool has great capabilities, and therefore we advise using KVRT last to be sure that the LockBit crypto malware has been removed.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your Windows desktop or in any other place.
After the download is finished, double-click the Kaspersky virus removal tool icon. Once the initialization process is done, you will see the KVRT screen as displayed on the image below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan with this utility for the LockBit ransomware and other known infections. This task may take quite a while, so please be patient. While the Kaspersky virus removal tool is scanning, you can see how many objects it has identified as being affected by malware.
When the Kaspersky virus removal tool completes the scan, you will be shown the list of all detected items on your computer, as shown below.
In order to delete all threats, simply press Continue to begin the cleaning process.
How to decrypt .lockbit files
Files with the extension ‘.lockbit’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by LockBit ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Everyone has to remember that paying the developers of the LockBit ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the LockBit ransomware) in order to decrypt locked personal files. There are still some ways to defuse crypto malware without paying the ransom, so you do not need to pay the hackers or let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .lockbit files
If all your files are encrypted with the .lockbit file extension, then you only have one thing left: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to do this. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now: use free malware removal tools or return to step 1 above.
Restore .lockbit files with ShadowExplorer
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos, and music encrypted by LockBit ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow copies.
Click the link below to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your MS Windows desktop.
Once the downloading process is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.
Double-click ShadowExplorerPortable to start it. You will see a window as shown on the image below.
In the top left corner, choose the drive where the encrypted documents, photos and music are stored and the latest restore point, as displayed on the image below (1 – drive, 2 – restore point).
In the right panel, look for a file that you wish to recover, right-click it and select Export, like below.
Use PhotoRec to restore .lockbit files
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec from the following link.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music such as the one below.
Press the File Formats button and specify the file types to restore. You can enable or disable the restoration of certain file types. When this is finished, press the OK button.
Next, press the Browse button to select where the recovered personal files should be written, then click Search.
The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is finished, press the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see its contents as shown on the image below.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your computer from LockBit ransomware
Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your PC system does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro Alert by clicking on the link below. Save it to your Desktop so that you can access the file easily.
When the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is started, you’ll be shown a window where you can choose a level of protection, as displayed on the image below.
Now click the Install button to activate the protection.
To sum up
This guide was created to help all victims of the LockBit ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .LockBit files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with LockBit related issues, go to here.
The SQL Server database files are encrypted and renamed with the extension .lockbit.
I have tried all the aforementioned methods but still no solution.
Do you have any suggestions??
Unfortunately, ShadowExplorer and PhotoRec are the only alternative ways to recover encrypted files. In some cases, it is theoretically possible to recover Shadow copies (if they existed and were deleted by a virus), but this is not a trivial task.