Analysis updated 2026-05-18
Recover a portion of files encrypted by LockBit 3.0 without paying the ransom.
Group encrypted files by batch and identify the best oracle file for keystream recovery.
Verify that recovered files match their expected file type.
Check the No More Ransom project for a matching decryption key for full recovery.
| saddytech/lockbit-rescue | bhartiyashesh/purelymailcalendar | biao994/docpaws | |
|---|---|---|---|
| Stars | 55 | 55 | 55 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 3/5 | 4/5 | 3/5 |
| Audience | ops devops | general | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Linux and a C compiler, recovery rate varies from 5 to 40 percent depending on file names.
This tool helps victims of a specific ransomware attack recover some of their encrypted files without paying the ransom. It targets LockBit 3.0, also known as LockBit Black, which is a well-documented ransomware strain that encrypts files and then demands payment for the decryption key. The recovery is possible because of a flaw in how LockBit 3.0 reuses its encryption key across many files in the same attack batch. Each encrypted file ends with a footer that includes a 128-byte fingerprint tied to the encryption key used for that batch. Files sharing the same fingerprint were all encrypted with the same keystream. If one file in that group had a long original filename, the tool can reconstruct part of the keystream by comparing what the footer should contain (the compressed filename and some fixed fields) against the encrypted bytes actually stored there. That recovered keystream fragment can then be used to decrypt other files in the same group whose footers are small enough to fit within it. In practice this means recovery rates vary a lot: files with short original names like photo1.jpg may not be recoverable at all, while batches containing files with long descriptive names can see 80% or more of the targeted files come back. The README estimates real-world coverage of 5 to 40% across a typical encrypted collection. Running the tool requires Linux and a C compiler. An install script handles building the underlying C decryptor and installing Python dependencies. You point the tool at the folder of encrypted files and an output folder, and it works through everything automatically, grouping files by batch, selecting the best oracle file in each group, recovering the keystream, and writing the decrypted files. A separate verification script then checks each recovered file to confirm the content matches the expected file type. The tool never modifies the original encrypted files: it only reads from the source and writes to the output directory. The README also directs users to the No More Ransom project, where law enforcement agencies publish decryption keys when they seize them, which would allow full recovery if a matching key exists. The full README is longer than what was shown.
This tool exploits a key-reuse flaw in LockBit 3.0 ransomware to recover some encrypted files without paying the ransom.
Mainly Python. The stack also includes Python, C.
License not stated in the explanation.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.