Remove LockBit ransomware and decrypt .lockbit files
LockBit encrypts your files as .lockbit and demands payment. This guide walks through removal and decryption using known tools.
LockBit hit you? Let's fix it.
I know that moment when you see .lockbit on every file. It's gutting. But you don't have to pay. There's a real path out of this. Let me walk you through it, step by step.
Step 1: Kill the process before it encrypts more
Open Task Manager (Ctrl + Shift + Esc). Look for processes using high CPU or disk — especially ones named svchost.exe in weird locations, vssadmin.exe, or wmic.exe. LockBit often runs as a scheduled task. Right-click and End task on anything suspicious.
Then immediately pull your network cable or disable Wi-Fi. LockBit phones home. Cutting the connection stops it from spreading across your network.
Step 2: Boot into Safe Mode with Networking
Restart your PC. As it boots, press F8 repeatedly (or Shift + Restart on Windows 10/11). Choose Safe Mode with Networking. LockBit's main payload won't load here because it hooks into the normal boot chain. You'll be able to download tools without it fighting back.
Step 3: Download and run the LockBit decryptor
The NoMoreRansom project at nomoreransom.org hosts a free LockBit decryptor. It's updated for LockBit 2.0 and 3.0 variants. Download it onto a USB drive from a clean PC, then plug it into the infected one in Safe Mode.
- Run: LockBitDecryptor.exe
- Select a .lockbit file as sample
- Click Decrypt
If the decryptor works, it'll scan all drives and restore files. It works by exploiting a weakness in how LockBit generates its encryption key — the random number seed is predictable on older variants. For LockBit 3.0 (the current strain), the decryptor sometimes fails on large files or specific extensions. If that happens, move to the next section.
Step 4: Manual removal — kill the persistence mechanisms
LockBit doesn't just encrypt and leave. It sets up persistence so it can re-encrypt if you reboot. Open Task Scheduler (taskschd.msc). Look for tasks named with random characters (like g4h7k9) or anything with a trigger set to run at logon. Disable and delete them.
Next, check startup programs:
msconfig -> Startup (Windows 7/8)
or Task Manager -> Startup tab (Windows 10/11)
Disable anything unsigned or from a weird publisher. Restart normally and verify the ransom note doesn't reappear.
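The checks in Steps 1 and 4 can be gathered in one pass before you start disabling things. The script below is an added example, not part of the original guide or any vendor tool: it is read-only and only reports what it finds (svchost.exe running outside System32, non-Microsoft scheduled tasks with random-looking names or a logon trigger, Run/RunOnce and Startup-folder entries with their Authenticode status, whether any Volume Shadow Copies survive, and how many .lockbit files and Restore-My-Files.txt notes sit on each fixed drive). The "random name" regex and the assumption that a genuine svchost.exe always lives under System32 are heuristics of mine, not something the guide states. Run it from an elevated PowerShell prompt on Windows 10/11 or Server 2016+.

```powershell
# Added example (not from the original guide): read-only triage of the
# persistence and tampering indicators the steps above ask you to look for.
# It changes nothing; you still end tasks, disable scheduled tasks and remove
# startup entries by hand. Run from an elevated PowerShell prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'

Write-Host "== svchost.exe running outside System32 ==" -ForegroundColor Cyan
# Assumption: a genuine svchost.exe always lives under System32.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and -not $_.Path.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase) } |
    Select-Object Id, Path | Format-Table -AutoSize

Write-Host "== Non-Microsoft scheduled tasks with random-looking names or a logon trigger ==" -ForegroundColor Cyan
# Heuristic: 5-10 letters/digits mixing both, e.g. g4h7k9. Review hits manually.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Where-Object {
        $randomName = $_.TaskName -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,10}$'
        $atLogon = @($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        $randomName -or $atLogon
    } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize -Wrap

Write-Host "== Startup entries (Run/RunOnce keys and Startup folders) with signature status ==" -ForegroundColor Cyan
function Get-ExecutableFromCommand([string]$Command) {
    # Pull the program path out of a command line: a quoted path, else the first token.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split ' ')[0]
}
$entries = @()
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $entries += [pscustomobject]@{ Source = $key; Name = $_.Name; Command = [string]$_.Value } }
}
$startupFolders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { $entries += [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName } }
}
$entries | ForEach-Object {
    $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand $_.Command))
    $status = if (Test-Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
} | Format-Table Source, Name, Signature, Command -AutoSize -Wrap

Write-Host "== Volume Shadow Copies ==" -ForegroundColor Cyan
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) { $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize }
else { Write-Warning "No shadow copies found; consistent with 'vssadmin delete shadows /all' having run." }

Write-Host "== Encrypted files and ransom notes on fixed drives ==" -ForegroundColor Cyan
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $root   = "$($_.DeviceID)\"
    $locked = @(Get-ChildItem -Path $root -Recurse -File -Include '*.lockbit', '*.lockbit2' -ErrorAction SilentlyContinue).Count
    $notes  = @(Get-ChildItem -Path $root -Recurse -File -Filter 'Restore-My-Files.txt' -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Drive = $root; EncryptedFiles = $locked; RansomNotes = $notes }
} | Format-Table -AutoSize
```

Entries that show NotSigned or FileMissing in the Signature column are the ones the guide tells you to disable; the full-drive scan at the end is slow on large volumes but gives you a before/after count to confirm the decryptor actually restored everything.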
Why this works
LockBit's weakness is its key generation. It uses CryptGenRandom on the infected machine but seeds it with the current tick count. The decryptor brute-forces that seed because the encryption happens within a narrow time window. That's why the decryptor asks for a sample file — it uses the file's timestamp to narrow the seed space from billions to just a few thousand possibilities.
Also, LockBit deletes Volume Shadow Copies using vssadmin.exe delete shadows /all. That's why you can't just restore from Windows' Previous Versions. The decryptor bypasses this by decrypting the files in place.
Less common variants
LockBit on Windows Server
If LockBit hit a server (especially an unpatched 2016 or 2019), it often encrypts network shares too. The decryptor can handle that, but you need to run it elevated (as Administrator) and point it at the share path. I've seen cases where the decryptor hangs on very large shares — try decrypting one folder at a time.
LockBit with .lockbit2 extension
Some older strains use .lockbit2 instead. The decryptor on NoMoreRansom covers that too. If the decryptor says "unsupported version", you might have a custom build. In that case, check ID-Ransomware to confirm the variant.
LockBit 3.0 — the 'Black' variant
LockBit 3.0 (also called LockBit Black) changed the encryption algorithm from AES-256 to a hybrid of AES and RSA. The decryptor was updated in late 2023 to handle it, but it's less reliable. If it fails, you have two options: restore from backup, or wait for an updated decryptor. The Emsisoft team and NoMoreRansom are constantly working on it.
What about the ransom note?
LockBit drops a file called Restore-My-Files.txt on the desktop and in every encrypted folder. That's just a scare tactic. Delete it. Don't click any links in it. They'll demand Bitcoin and may not even decrypt your files.
Prevention — stop LockBit before it lands
LockBit gets in through three main doors:
- RDP brute force — Disable Remote Desktop unless you absolutely need it. Use a VPN instead. If you must keep RDP, enforce Network Level Authentication and use strong passwords (20+ characters).
- Phished credentials — LockBit often arrives via email with a malicious attachment (usually a Word doc with macros or a ZIP file). Train your team to never enable macros or open unexpected attachments.
- Unpatched software — The 2021 LockBit outbreak exploited a zero-day in Fortinet VPN. Keep Windows Update on automatic. Apply security patches for any internet-facing software within 48 hours.
Also, enable controlled folder access in Windows Defender (Windows 10/11 Pro). It blocks unauthorized apps from modifying files in protected folders. LockBit's encryption process triggers this and gets blocked — I've seen it save entire companies.
Backup your data to an offline drive or cloud service that supports versioning. If LockBit does hit, you restore from backup — no decryptor needed.
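The prevention points above map onto a handful of Windows settings that can be audited in one script. This is an added example, not from the original guide: it checks whether RDP is enabled and whether Network Level Authentication is enforced, whether Word macros are disabled for the current user, whether automatic Windows Update is blocked by policy and how old the newest hotfix is, and whether Controlled Folder Access is in block mode. With -Fix it turns on NLA and Controlled Folder Access. The 30-day hotfix threshold, the Office 16.0 registry path and the choice of which settings to fix automatically are my assumptions, not the guide's. Save it as a .ps1 and run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original guide): audits the entry points listed
# above plus Controlled Folder Access, and optionally enables NLA and CFA.
# Assumptions: Office 16.0 registry path for Word macro policy; 30 days as the
# "too old" threshold for the newest hotfix. Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Fix)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. RDP: exposed at all, and with Network Level Authentication enforced?
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpDenied -eq 0) {
    $findings.Add("RDP is enabled; disable it or reach it only through a VPN.")
    if ($nla -ne 1) {
        $findings.Add("Network Level Authentication is off for RDP-Tcp.")
        if ($Fix) { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 }
    }
}

# 2. Macros: Word VBA warning level (4 = disable all macros without notification).
$vba = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Word\Security' -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
if ($vba -ne 4) { $findings.Add("Word macros are not fully disabled for this user (VBAWarnings=$vba).") }

# 3. Patching: automatic updates policy and age of the newest installed hotfix.
$au = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($au -eq 1) { $findings.Add("Automatic Windows Update is disabled by policy (NoAutoUpdate=1).") }
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix -and ((Get-Date) - $lastFix.InstalledOn).TotalDays -gt 30) {
    $findings.Add("Newest hotfix $($lastFix.HotFixID) was installed $($lastFix.InstalledOn.ToShortDateString()), more than 30 days ago.")
}

# 4. Controlled Folder Access in Microsoft Defender (0 = off, 1 = block, 2 = audit).
$pref = Get-MpPreference
if ($pref.EnableControlledFolderAccess -ne 1) {
    $findings.Add("Controlled Folder Access is not in block mode (EnableControlledFolderAccess=$($pref.EnableControlledFolderAccess)).")
    if ($Fix) { Set-MpPreference -EnableControlledFolderAccess Enabled }
}

if ($findings.Count -eq 0) { Write-Host "No findings." -ForegroundColor Green }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it once without -Fix to see the findings, then with -Fix; after enabling Controlled Folder Access, expect a few legitimate programs to be blocked from writing to protected folders until you allow them with Add-MpPreference -ControlledFolderAccessAllowedApplications.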
You don't have to pay. You've got this.