New Lockbit 3.0 Ransomware Uses .G5xG4GUv2 Extension

Summary
– Ransomware infected a Windows 10 computer at a car workshop after work hours, encrypting local files and network shared folders.
– The infection exploited weak security practices: no backups, outdated Windows versions, and “ADMIN” credentials reused across the network.
– A ransom note provides a decryption ID and contact details, offering to decrypt a small file for free as proof.
– Norton support deleted many files from the Downloads folder, complicating recovery efforts.
– ID Ransomware could not identify the strain; a SHA-1 hash of the sample was recorded for further analysis.
A car repair shop recently faced a major disruption when one of its computers was hit by a sophisticated ransomware attack. The incident highlights the critical importance of robust backup strategies and up-to-date network security protocols, especially for small businesses relying on outdated systems. Without these defenses, companies remain highly vulnerable to encryption-based attacks that can halt operations entirely.
The infection struck after business hours, targeting a Windows 10 machine that still used stored administrative credentials for network access. This allowed the malware to not only encrypt local files, including databases, program files, and documents, but also to map every network shared folder accessible with those credentials. Files across the system were locked and appended with the extension .G5xG4GUv2, a signature associated with this newly identified threat.
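Scoping which drives and shares were reached is the first step of the response, and the appended extension makes that measurable. The following triage helper is an added example, not code from the article or the incident; the file paths are constructed, and the extension is the one reported above.

```python
from pathlib import PureWindowsPath

# Extension the article reports; compared case-insensitively (Windows names).
RANSOM_EXT = ".g5xg4guv2"


def scope_encryption(paths):
    """Count encrypted files per drive or UNC share root.

    Returns (by_root, originals): by_root maps a root such as 'C:\\' or
    '\\\\fileserver\\Jobs\\' to {'encrypted': n, 'total': m}; originals lists
    the pre-encryption names recovered by stripping the appended extension.
    """
    by_root = {}
    originals = []
    for p in paths:
        wp = PureWindowsPath(p)
        stats = by_root.setdefault(wp.anchor, {"encrypted": 0, "total": 0})
        stats["total"] += 1
        # The malware appends its extension, so 'report.xlsx.G5xG4GUv2'
        # keeps its original name once the last suffix is removed.
        if wp.suffix.lower() == RANSOM_EXT:
            stats["encrypted"] += 1
            originals.append(str(wp.with_suffix("")))
    return by_root, originals


def worst_hit(by_root):
    """Roots ordered by the share of their files that were encrypted."""
    return sorted(
        by_root,
        key=lambda r: by_root[r]["encrypted"] / by_root[r]["total"],
        reverse=True,
    )


# Constructed listing standing in for a directory walk of the infected host
# and the shares it had mapped; server and share names are hypothetical.
SAMPLE_PATHS = [
    r"C:\Users\ADMIN\Documents\invoices.accdb.G5xG4GUv2",
    r"C:\Program Files\ShopApp\shopapp.exe.G5xG4GUv2",
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileserver\Jobs\2024\jobcard-1187.pdf.G5xG4GUv2",
    r"\\fileserver\Jobs\readme.txt",
    r"\\nas\Backups\weekly.bak.G5xG4GUv2",
]

if __name__ == "__main__":
    roots, names = scope_encryption(SAMPLE_PATHS)
    for root in worst_hit(roots):
        s = roots[root]
        print(f"{root:<24} {s['encrypted']}/{s['total']} encrypted")
```

Run against a real listing (for example the output of a recursive directory walk saved before any cleanup), the per-root ratios show which shares the stored credentials exposed and where recovery from backups should start.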
A ransom note left on the system demanded payment in exchange for decryption, providing a unique identifier and instructions to contact the attackers via a specified method. The note included an offer to decrypt one or two small files free of charge as “proof” that recovery was possible, a common tactic used to lend credibility to these extortion attempts.
Prior to the discovery, the user had contacted Norton support, where an agent unfortunately deleted numerous files from the Downloads folder, a move that may have complicated potential data recovery efforts. Initial analysis through ID Ransomware could not identify the strain, though its SHA-1 hash was recorded for further investigation.
This situation underscores how dangerous it can be to operate with obsolete software, weak access controls, and no reliable backups. For businesses in similar positions, the immediate steps should include isolating affected devices, auditing network permissions, and consulting cybersecurity professionals specializing in ransomware response. While decryption may not yet be publicly available, exploring all options before considering payment is strongly advised.
(Source: Bleeping Computer)