LostTrust Ransomware: In-Depth Analysis, Detection, and Mitigation

What Is LostTrust Ransomware?

The LostTrust ransomware operation emerged in September of 2023 as an evolution of MetaEncrypter, which dates back to early 2022. Currently, LostTrust continues to parallel the MetaEncrypter’s multi-extortion model. In late September 2023, a separately-branded LostTrust victim blog was launched.

While there are updated malware payloads to accompany the evolution to LostTrust, they still contain markup and strings from their MetaEncryptor ancestors. Current analysis also shows lineage to the Mindware (aka SFile) ransomware family.

What Does LostTrust Ransomware Target?

LostTrust ransomware operators target multiple industries with little to no discrimination. This includes attacks on healthcare and educational entities.

How Does LostTrust Ransomware Work?

LostTrust postulates that by exposing their victims to their methodologies, they are putting them in a better overall security posture long-term, claiming that they are providing their victims an actual service.

LostTrust ransom notes contain the following quote, which speak to their ‘cause’:


Our team has an extensive background in legal and so called white hat hacking.

However, clients usually considered the found vulnerabilities to be minor and poorly paid for our services.

So we decided to change our business model. Now you understand how important it is to allocate a good budget for IT security.

This is serious business for us and we really don't want to ruin your privacy, reputation and a company.

We just want to get paid for our work whist finding vulnerabilities in various networks.


LostTrust ransomware payloads will attempt to discover and terminate a plethora of services and processes. Critical services associated with the likes of Microsoft Exchange, MSSQL, SharePoint, Tomcat, postgresql, and more are terminated if identified. This is to ensure that nothing inhibits the encryption and potential exfiltration process. The ransomware initiates numerous hidden CMD.EXE sessions to carry out these tasks.

The hidden CMD.EXE windows subsequently host the observed WMIC, NET, SC, taskkill, VSSADMIN, and wevtutil commands. In addition to process discovery and termination, the ransomware will attempt to remote Volume Shadow Copies (VSS) via VSSADMIN as well as clearing out all Windows Event Logs via WEVTUTIL.EXE. LostTrust ransomware payloads support multiple command-line arguments.

Commands supported by LostTrust ransomware include:


Argument Function
–enable-shares Enable discovery and encryption of accessible network volumes
–onlypath Only encrypt files in the specified path


Encrypted files are modified with the “.losttrustencoded” file extension.

LostTrust ransom notes are written to each folder containing encrypted items as “!!LostTrustEncoded.txt”.

How to Detect LostTrust Ransomware

The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to LostTrust ransomware.

In case you do not have SentinelOne deployed, detecting LostTrust ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.

To detect LostTrust ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:

  1. Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
  2. Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
  3. Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
  4. Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
  5. Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.

How to Mitigate LostTrust Ransomware

The SentinelOne Singularity XDR Platform can return systems to their original state using either the Quarantine or Repair.

In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of LostTrust ransomware attacks:

Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.

Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.

Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.

Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.

Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.