explaingit

saddytech/lockbit-rescue

Analysis updated 2026-05-18

55PythonAudience · ops devopsComplexity · 3/5Setup · moderate

TLDR

This tool exploits a key-reuse flaw in LockBit 3.0 ransomware to recover some encrypted files without paying the ransom.

Mindmap

mindmap
  root((LockBit Rescue))
    What it does
      Recovers keystream fragments
      Groups files by batch
      Decrypts recoverable files
    Tech stack
      Python
      C
    Use cases
      Recover ransomware victims files
      Verify recovered files
      Group encrypted batches
    Audience
      Incident responders
      Ransomware victims

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Recover a portion of files encrypted by LockBit 3.0 without paying the ransom.

USE CASE 2

Group encrypted files by batch and identify the best oracle file for keystream recovery.

USE CASE 3

Verify that recovered files match their expected file type.

USE CASE 4

Check the No More Ransom project for a matching decryption key for full recovery.

What is it built with?

PythonC

How does it compare?

saddytech/lockbit-rescuebhartiyashesh/purelymailcalendarbiao994/docpaws
Stars555555
LanguagePythonPythonPython
Setup difficultymoderatemoderatemoderate
Complexity3/54/53/5
Audienceops devopsgeneraldeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Linux and a C compiler, recovery rate varies from 5 to 40 percent depending on file names.

License not stated in the explanation.

In plain English

This tool helps victims of a specific ransomware attack recover some of their encrypted files without paying the ransom. It targets LockBit 3.0, also known as LockBit Black, which is a well-documented ransomware strain that encrypts files and then demands payment for the decryption key. The recovery is possible because of a flaw in how LockBit 3.0 reuses its encryption key across many files in the same attack batch. Each encrypted file ends with a footer that includes a 128-byte fingerprint tied to the encryption key used for that batch. Files sharing the same fingerprint were all encrypted with the same keystream. If one file in that group had a long original filename, the tool can reconstruct part of the keystream by comparing what the footer should contain (the compressed filename and some fixed fields) against the encrypted bytes actually stored there. That recovered keystream fragment can then be used to decrypt other files in the same group whose footers are small enough to fit within it. In practice this means recovery rates vary a lot: files with short original names like photo1.jpg may not be recoverable at all, while batches containing files with long descriptive names can see 80% or more of the targeted files come back. The README estimates real-world coverage of 5 to 40% across a typical encrypted collection. Running the tool requires Linux and a C compiler. An install script handles building the underlying C decryptor and installing Python dependencies. You point the tool at the folder of encrypted files and an output folder, and it works through everything automatically, grouping files by batch, selecting the best oracle file in each group, recovering the keystream, and writing the decrypted files. A separate verification script then checks each recovered file to confirm the content matches the expected file type. The tool never modifies the original encrypted files: it only reads from the source and writes to the output directory. The README also directs users to the No More Ransom project, where law enforcement agencies publish decryption keys when they seize them, which would allow full recovery if a matching key exists. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Walk me through running the LockBit 3.0 recovery tool against a folder of encrypted files.
Prompt 2
Explain how reusing an encryption key across a batch of files makes partial recovery possible.
Prompt 3
Why do files with long original names recover better than files with short names like photo1.jpg?
Prompt 4
What does the verification script check after files are decrypted?

Frequently asked questions

What is lockbit-rescue?

This tool exploits a key-reuse flaw in LockBit 3.0 ransomware to recover some encrypted files without paying the ransom.

What language is lockbit-rescue written in?

Mainly Python. The stack also includes Python, C.

What license does lockbit-rescue use?

License not stated in the explanation.

How hard is lockbit-rescue to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is lockbit-rescue for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.