Concise Cyber

.3R9qG8i3Z File Extension Linked to Lockbit 3.0 Black Ransomware Attacks

A variant of the Lockbit 3.0 Black ransomware has been identified in real-world cyberattacks, characterized by its use of the .3R9qG8i3Z file extension. This specific strain encrypts files on victim networks, rendering them inaccessible and appending the unique nine-character extension to each affected file’s name.

Organizations impacted by this attack have reported that all their servers, including those running Windows Server 2016 and 2019, were compromised. The encryption process is followed by the creation of a ransom note in every folder containing altered files.

Attack Characteristics and Identification

The primary indicator of this Lockbit 3.0 variant is the file renaming convention. Encrypted files are appended with the .3R9qG8i3Z extension. Concurrently, a ransom note is generated with a corresponding name, following the format 3R9qG8i3Z.README.txt. This note serves as the attacker’s communication with the victim.

The content of the note explicitly identifies the malware as “Lockbit Black Ransomware” and makes a direct reference to “LockBit 3.0,” a well-documented ransomware family. The appearance of variants like this is connected to the public leak of the LockBit 3.0 builder in September 2022, which allows various actors to create their own versions of the ransomware.
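The naming convention described above can be turned into a triage check for a mounted volume or file share. The following is an added example, not code from the article or its sources. It generalises the single sample on this page into an assumed pattern (a nine-character alphanumeric ID plus ".README.txt"), and the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumption: pattern generalised from the page's one sample name,
# 3R9qG8i3Z.README.txt (nine alphanumeric characters + ".README.txt").
NOTE_RE = re.compile(r"^([A-Za-z0-9]{9})\.README\.txt$")

def triage(root):
    """Map each ransom-note ID found under root to its notes and renamed files."""
    notes = defaultdict(set)        # ID -> directories holding a ransom note
    by_suffix = defaultdict(list)   # nine-char extension -> files carrying it
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1)].add(dirpath)
                continue
            stem, ext = os.path.splitext(name)
            if stem and len(ext) == 10:          # "." + nine characters
                by_suffix[ext[1:]].append(os.path.join(dirpath, name))
    report = {}
    for ext_id, note_dirs in sorted(notes.items()):
        # Only extensions confirmed by a matching note are reported, so a
        # benign nine-character extension does not raise a false alarm.
        hits = sorted(by_suffix.get(ext_id, []))
        hit_dirs = {os.path.dirname(p) for p in hits}
        report[ext_id] = {"notes": sorted(note_dirs), "files": hits,
                          "no_note": sorted(hit_dirs - note_dirs)}
    return report

def demo():
    """Build a constructed sample tree (not real incident data) and triage it."""
    layout = {
        "share/finance": ["q3.xlsx.3R9qG8i3Z", "3R9qG8i3Z.README.txt"],
        "share/hr": ["staff.docx.3R9qG8i3Z"],             # note absent here
        "share/tools": ["setup.installer", "notes.txt"],  # benign files
    }
    with tempfile.TemporaryDirectory() as root:
        for rel_dir, names in layout.items():
            os.makedirs(os.path.join(root, rel_dir))
            for n in names:
                open(os.path.join(root, rel_dir, n), "w").close()
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return {i: {k: [rel(p) for p in v] for k, v in r.items()}
                for i, r in triage(root).items()}

if __name__ == "__main__":
    print(demo())
```

The `no_note` list names folders that hold renamed files but no note, which is worth a second look because the article says a note is written to every folder containing altered files.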

Ransom Demands and Recovery Status

The ransom note left by the attackers contains a personal ID for the victim and directs them to a TOR website to begin negotiations. The note also includes threats to publish data allegedly stolen from the victim’s network if their demands are not met. The operators warn victims not to rename encrypted files or use third-party decryption software.

Cybersecurity experts who have analyzed the attack confirm it is a LockBit 3.0 variant. It has been established that there is currently no known free decryption method available for files encrypted by LockBit 3.0. The official guidance for victims is to restore affected data from clean, offline backups.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
