
esxiargs-recover's Introduction

ESXiArgs-Recover

ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.

CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. For more information, see CISA's ESXiArgs Ransomware Virtual Machine Recovery Guidance.

Disclaimer

CISA’s ESXiArgs script is based on findings published by the third-party researchers mentioned above. Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.

This script is being provided “as is” for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Usage

  1. Download this script and save it as /tmp/recover.sh. For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh
  2. Give the script execute permissions: chmod +x /tmp/recover.sh
  3. Navigate to the folder of a virtual machine you would like to decrypt (you may browse these folders by running ls /vmfs/volumes/datastore1). For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example
  4. Run ls to view the files. Note the name of the VM (e.g. if there is a file example.vmdk, the name of the VM is example).
  5. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the virtual machine determined in step 4. If the virtual machine's disk is thin provisioned, run /tmp/recover.sh [name] thin.
  6. If successful, the decryptor script will output that it has successfully run. If unsuccessful, this may mean that your virtual machines cannot be recovered.
  7. If the script succeeded, the last step is to re-register the virtual machine.
  8. If the ESXi web interface is inaccessible, take the following steps to remove the ransom note and restore access (note that taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review).
    • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
    • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && mv index1.html index.html
    • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
  9. In the ESXi web interface, navigate to the Virtual Machines page.
  10. If the VM you restored already exists, right click on the VM and select “Unregister”.
  11. Select “Create / Register VM”.
  12. Select “Register an existing virtual machine”.
  13. Click “Select one or more virtual machines, a datastore or a directory” to navigate to the folder of the VM you restored. Select the vmx file in the folder.
  14. Select “Next” and “Finish”. You should now be able to use the VM as normal.

If needed, the script will save encrypted files in a new encrypted_files folder within each virtual machine’s directory.
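An added example, not part of the CISA script, showing the metadata the procedure above rebuilds: a POSIX shell pair (busybox ash on ESXi or bash) that writes the descriptor for an unencrypted <name>-flat.vmdk and checks offline that the extent matches the file size, the condition the validation in step 6 depends on. The descriptor fields follow the standard VMware flat-disk layout; the adapter type and CHS geometry are assumed values, and the file names used in testing are constructed.

```shell
#!/bin/sh
# Added example, not the CISA script: rebuild the descriptor for an
# unencrypted <name>-flat.vmdk and check it offline, the way step 6
# relies on `vmkfstools -e`. Adapter type and CHS geometry are assumed.

# Byte size of a file; works in busybox ash (ESXi shell) and bash.
file_bytes() {
    wc -c < "$1" | tr -d ' '
}

# write_descriptor <vm-name> [thin]
# Writes <vm-name>.vmdk pointing at <vm-name>-flat.vmdk and prints the
# sector count. Fails if the flat file is missing or is not a whole
# number of 512-byte sectors (a wrong size breaks the disk chain).
write_descriptor() {
    name=$1
    mode=${2:-thick}
    flat="$name-flat.vmdk"
    [ -f "$flat" ] || { echo "missing $flat" >&2; return 1; }
    bytes=$(file_bytes "$flat")
    [ $((bytes % 512)) -eq 0 ] || { echo "$flat not sector aligned" >&2; return 1; }
    sectors=$((bytes / 512))
    # Assumed CHS geometry: 255 heads x 63 sectors, cylinders rounded up.
    cylinders=$(( (sectors + 255 * 63 - 1) / (255 * 63) ))
    {
        echo '# Disk DescriptorFile'
        echo 'version=1'
        echo 'encoding="UTF-8"'
        echo 'CID=fffffffe'
        echo 'parentCID=ffffffff'
        echo 'createType="vmfs"'
        echo
        echo '# Extent description'
        echo "RW $sectors VMFS \"$flat\""
        echo
        echo '# The Disk Data Base'
        echo '#DDB'
        echo 'ddb.adapterType = "lsilogic"'
        echo "ddb.geometry.cylinders = \"$cylinders\""
        echo 'ddb.geometry.heads = "255"'
        echo 'ddb.geometry.sectors = "63"'
        # recover.sh deletes this line unless it was run with "thin".
        if [ "$mode" = thin ]; then echo 'ddb.thinProvisioned = "1"'; fi
    } > "$name.vmdk"
    echo "$sectors"
}

# check_descriptor <vm-name>
# Returns 0 only if the RW extent names an existing file whose size is
# exactly sectors * 512; any mismatch is what makes validation fail.
check_descriptor() {
    line=$(grep '^RW ' "$1.vmdk" 2>/dev/null) || return 1
    sectors=$(echo "$line" | awk '{print $2}')
    extent=$(echo "$line" | awk -F'"' '{print $2}')
    [ -f "$extent" ] || return 1
    [ "$(file_bytes "$extent")" -eq $((sectors * 512)) ]
}
```

Run it from the VM's folder on the datastore; a missing or mis-sized -flat.vmdk is reported before any descriptor is written.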

Contributing

Contributions are always welcome! Navigate here to submit a pull request or submit an issue here.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

esxiargs-recover's People

Contributors

cablej, epicfaace


esxiargs-recover's Issues

extension .iFire

drwxr-xr-x 1 root root 77824 Feb 12 09:59 .
drwxr-xr-t 1 root root 77824 Feb 17 14:16 ..
-rw-r--r-- 1 root root 1323 Feb 12 05:08 iFire-readme.txt
-rw------- 1 root root 480101007360 Feb 12 09:18 ntb-mpw-flat.vmdk
-rw------- 1 root root 9204 Feb 12 05:08 ntb-mpw.nvram.iFire
-rw------- 1 root root 1123 Feb 12 05:08 ntb-mpw.vmdk.iFire
-rw-r--r-- 1 root root 0 Feb 10 21:14 ntb-mpw.vmsd
-rwxr-xr-x 1 root root 2179 Feb 11 23:33 ntb-mpw.vmx
-rw-r--r-- 1 root root 218628 Feb 11 09:21 vmware-1.log
-rw-r--r-- 1 root root 272360 Feb 11 11:36 vmware-2.log
-rw-r--r-- 1 root root 208212 Feb 11 23:32 vmware-3.log
-rw-r--r-- 1 root root 188082 Feb 11 23:49 vmware-4.log
-rw-r--r-- 1 root root 57766 Feb 12 09:59 vmware.log

Even though /recover.sh returned success, I'm unable to register the VM: "No VMs were found in [datastore1] RH_79_template"

Hello There,

Applying /recover.sh RH_79_template, I'm getting the attached result, but I'm still unable to register the VM ==>
"No VMs were found in [datastore1] RH_79_template"

Should I do something else or in a different way..?
Any suggestion or experience to share..

Thanks a lot in advance..
Ciao..Mario.

This is what I have in my VM directory:

[esx_server:/vmfs/volumes/5ceff160-7005ea2a-a3f2-ac1f6b0b18f2/RH_79_template] ls -altr
total 262146240
-rw-r--r-- 1 root root 446 Jun 22 2021 RH_79_template-774f34e8.hlog
-rwxr-xr-x 1 root root 2836 Jul 15 2021 RH_79_template.vmtx
drwxr-xr-t 1 root root 81920 Nov 29 08:47 ..
drwxr-xr-x 1 root root 73728 Feb 3 10:44 .
-rw-r--r-- 1 root root 9 Feb 8 17:05 RH_79_template.vmdk.args
-rw-r--r-- 1 root root 17 Feb 8 17:05 RH_79_template-flat.vmdk.args
-rw-r--r-- 1 root root 9 Feb 8 17:05 RH_79_template.vmsd.args
-rw-r--r-- 1 root root 1024 Feb 8 17:05 RH_79_template.vmsd
-rw------- 1 root root 1557 Feb 8 17:05 RH_79_template.vmdk
-rw-r--r-- 1 root root 10 Feb 8 17:05 RH_79_template.nvram.args
-rw------- 1 root root 9708 Feb 8 17:05 RH_79_template.nvram
-rw------- 1 root root 268435457024 Feb 8 18:20 RH_79_template-flat.vmdk

This is the result of /recover.sh RH_79_template ==>
""
Copying RH_79_template.vmx
mv: can't rename 'RH_79_template.vmx': No such file or directory
cp: can't stat 'RH_79_template.vmx~': No such file or directory
Error: unable to find vmx backup. You may be unable to re-register the virtual machine.
..
..
Validating...
Disk chain is consistent.

Success! Unregister the virtual machine and re-register it and you should be good to go. ""\

VMDK result is not recognized properly

🐛 Summary

I have followed the steps in the README, and also the referenced tutorial. Once I register the VMX, I see this:
[screenshot]

Two things wrong with this:

  1. It says my hard disk is Thin Provisioned (which it is not).
  2. It says that the disk size should be larger than its original capacity.

To reproduce

  1. Follow the README
  2. Got the screenshot while registering

Expected behavior

I would expect the disk to have the proper size.

Successful decrypt but

I successfully decrypted the VM files and re-registered the VM, but when trying to power on the VM I get the error "operating system not found".
How to fix that?

decrypt virtual machines with sesparse.vmdk format

Hello.
A server with several virtual machines got infected. Using your script I managed to restore 3 out of 4 machines; Windows Server 2016 booted without any problems. There was a problem with the machine that had a snapshot. This is the list of files of the virtual machine:
[screenshot]

When I specify AstRun_srv.vmx to the script, it passes successfully; however, after registering, the machine does not start:
Failed to power on virtual machine AstRun_srv. File AstRun_srv_1-000001.vmdk was not found

Here is the content of the .vmx file:

.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
vmci0.present = "TRUE"
floppy0.present = "FALSE"
numvcpus = "12"
memSize = "32768"
bios.bootRetry.delay = "10"
firmware = "efi"
powerType.suspend = "soft"
tools.upgrade.policy = "manual"
sched.cpu.units = "mhz"
sched.cpu.affinity = "all"
vm.createDate = "1593152686125618"
scsi0.virtualDev = "lsisas1068"
scsi0.present = "TRUE"
sata0.present = "TRUE"
usb_xhci.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
scsi0:0.fileName = "AstRun_srv-000001.vmdk"
sched.scsi0:0.shares = "normal"
sched.scsi0:0.throughputCap = "off"
scsi0:0.present = "TRUE"
scsi0:1.deviceType = "scsi-hardDisk"
scsi0:1.fileName = "AstRun_srv_1-000001.vmdk"
sched.scsi0:1.shares = "normal"
sched.scsi0:1.throughputCap = "off"
scsi0:1.present = "TRUE"
ethernet0.virtualDev = "e1000e"
ethernet0.networkName = "LAN3_Grp_AstRus"
ethernet0.addressType = "generated"
ethernet0.present = "TRUE"
displayName = "AstRun_srv"
guestOS = "windows9-64"
uefi.secureBoot.enabled = "TRUE"
toolScripts.afterPowerOn = "TRUE"
toolScripts.afterResume = "TRUE"
toolScripts.beforeSuspend = "TRUE"
toolScripts.beforePowerOff = "TRUE"
tools.syncTime = "FALSE"
uuid.bios = "56 4d 8e 2c 82 0a 68 1c-da 6d ba d0 fb 06 c3 97"
uuid.location = "56 4d 8e 2c 82 0a 68 1c-da 6d ba d0 fb 06 c3 97"
vc.uuid = "52 b7 2d 1d 64 9b 2d 63-2d 89 6a a7 58 68 b5 ca"
sched.cpu.min = "0"
sched.cpu.shares = "normal"
sched.mem.min = "0"
sched.mem.minSize = "0"
sched.mem.shares = "normal"
ethernet0.generatedAddress = "00:0c:29:06:c3:97"
vmci0.id = "-83442793"
cleanShutdown = "FALSE"
extendedConfigFile = "AstRun_srv.vmxf"
mks.enable3d = "TRUE"
tools.guest.desktop.autolock = "FALSE"
nvram = "AstRun_srv.nvram"
pciBridge0.present = "TRUE"
svga.present = "TRUE"
pciBridge4.present = "TRUE"
pciBridge4.virtualDev = "pcieRootPort"
pciBridge4.functions = "8"
pciBridge5.present = "TRUE"
pciBridge5.virtualDev = "pcieRootPort"
pciBridge5.functions = "8"
pciBridge6.present = "TRUE"
pciBridge6.virtualDev = "pcieRootPort"
pciBridge6.functions = "8"
pciBridge7.present = "TRUE"
pciBridge7.virtualDev = "pcieRootPort"
pciBridge7.functions = "8"
hpet0.present = "TRUE"
RemoteDisplay.maxConnections = "-1"
sched.cpu.latencySensitivity = "normal"
svga.autodetect = "FALSE"
disk.EnableUUID = "TRUE"
numa.autosize.cookie = "120001"
numa.autosize.vcpu.maxPerVirtualNode = "12"
sched.swap.derivedName = "/vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv/AstRun_srv-625b630d.vswp"
pciBridge0.pciSlotNumber = "17"
pciBridge4.pciSlotNumber = "21"
pciBridge5.pciSlotNumber = "22"
pciBridge6.pciSlotNumber = "23"
pciBridge7.pciSlotNumber = "24"
scsi0.pciSlotNumber = "160"
ethernet0.pciSlotNumber = "192"
usb_xhci.pciSlotNumber = "224"
vmci0.pciSlotNumber = "32"
sata0.pciSlotNumber = "33"
scsi0.sasWWID = "50 05 05 6c 82 0a 68 10"
ethernet0.generatedAddressOffset = "0"
vm.genid = "1025359355794109798"
vm.genidX = "5812918138057738809"
monitor.phys_bits_used = "43"
vmotion.checkpointFBSize = "4194304"
vmotion.checkpointSVGAPrimarySize = "67108864"
softPowerOff = "FALSE"
toolsInstallManager.lastInstallError = "0"
svga.guestBackedPrimaryAware = "TRUE"
tools.remindInstall = "FALSE"
toolsInstallManager.updateCounter = "2"
migrate.hostLog = "./AstRun_srv-625b630d.hlog"
svga.vramSize = "67108864"
sata0:0.startConnected = "FALSE"
scsi0:0.redo = ""
scsi0:1.redo = ""

When I try to feed the AstRun_srv-000001 file to the script, it gives the following errors:

[root@static:/vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv] /tmp/recover.sh AstRun_srv-000001
mkdir: can't create directory 'encrypted_files': File exists
Moving encrypted AstRun_srv-000001.vmdk to encrypted_files
mv: can't rename 'AstRun_srv-000001.vmdk': No such file or directory
ls: AstRun_srv-000001-flat.vmdk: No such file or directory

Creating copy of AstRun_srv-000001-flat.vmdk
Invalid file length specifier: -d
rm: can't remove 'temp-flat.vmdk': No such file or directory

Adding AstRun_srv-000001.vmdk
sed: temp.vmdk: No such file or directory
sed: temp.vmdk: No such file or directory
mv: can't rename 'temp.vmdk': No such file or directory

Copying AstRun_srv-000001.vmx
mv: can't rename 'AstRun_srv-000001.vmx': No such file or directory
cp: can't stat 'AstRun_srv-000001.vmx~': No such file or directory
Error: unable to find vmx backup. You may be unable to re-register the virtual machine.

Moving encrypted AstRun_srv-000001.vmsd to encrypted_files
mv: can't rename 'AstRun_srv-000001.vmsd': No such file or directory

Moving encrypted AstRun_srv-000001.nvram to encrypted_files
mv: can't rename 'AstRun_srv-000001.nvram': No such file or directory


Validating...
Failed to open disk link /vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv/AstRun_srv-000001.vmdk :The system cannot find the file specified (25)Disk chain is not consistent : The system cannot find the file specified (25)

Error. Trying to update the file size.
sed: AstRun_srv-000001.vmdk: No such file or directory
Failed to open disk link /vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv/AstRun_srv-000001.vmdk :The system cannot find the file specified (25)Disk chain is not consistent : The system cannot find the file specified (25)

Error. Could not recover. Please consult CISA's guidance for further information: https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

I guess because of the snapshot I have a disk divided into files like AstRun_srv_1-000001-sesparse.vmdk, but the script is looking for *-flat.vmdk. Maybe someone has a solution for how to run a virtual machine in this case, or just pull the files from the drive? Maybe redo the script so that it works on the files AstRun_srv_1-000001-sesparse.vmdk; AstRun_srv-000001-sesparse.vmdk; AstRun_srv-Snapshot1.vmem?

If I connect the disks AstRun_srv.vmdk and AstRun_srv_1.vmdk to a newly created virtual machine, it starts and works correctly, but it contains old data.

Improve handling of filenames with spaces in them.

I modified the script so it can handle filenames with spaces.

#!/bin/sh
# Usage: recover.sh <vm-name> [thin]
# Every expansion of the VM name is quoted so names containing spaces survive.
mkdir encrypted_files

echo -e "Moving encrypted $1.vmdk to encrypted_files"
mv "$1.vmdk" "encrypted_files/$1.vmdk"
# Byte size of the unencrypted flat disk (column 5 of ls -l).
file_size=$(ls -la "$1-flat.vmdk" | awk '{print $5}')

echo -e "\nCreating copy of $1-flat.vmdk"
# Let vmkfstools write a fresh descriptor of the right size, then drop the
# empty flat file it creates alongside; only the descriptor is needed.
vmkfstools -c "$file_size" -d thin temp.vmdk
rm temp-flat.vmdk

echo -e "\nAdding $1.vmdk"
# Point the new descriptor at the existing flat file. The name is used as a
# sed pattern, so a name containing "/" or "&" would still need escaping.
sed -i "s/temp-flat/${1}-flat/" temp.vmdk
# Drop the thin-provisioning flag unless the disk was declared thin
# (second argument "thin"), as the README describes.
if [ "${2:-}" != "thin" ]; then
  sed -i '/ddb.thinProvisioned/d' temp.vmdk
fi
mv temp.vmdk "$1.vmdk"

echo -e "\nCopying $1.vmx"
mv "$1.vmx" "encrypted_files/$1.vmx"
# The configuration is restored from the .vmx~ backup copy next to it.
cp "$1.vmx~" "$1.vmx"

retVal=$?
if [ $retVal -ne 0 ]; then
    echo -e "Error: unable to find vmx backup. You may be unable to re-register the virtual machine."
fi

echo -e "\nMoving encrypted $1.vmsd to encrypted_files"
mv "$1.vmsd" "encrypted_files/$1.vmsd"

echo -e "\nMoving encrypted $1.nvram to encrypted_files"
mv "$1.nvram" "encrypted_files/$1.nvram"

echo ""

echo -e "\nValidating..."
# vmkfstools -e checks that the descriptor's extent matches the flat file.
vmkfstools -e "$1.vmdk"

retVal=$?
if [ $retVal -ne 0 ]; then
    echo -e "\nError. Trying to update the file size."
    # Assume the descriptor's sector count is one too high and rewrite it.
    file_size_num=$(( file_size / 512 ))
    file_size_num_plus_one=$(( file_size_num + 1 ))
    sed -i "s/${file_size_num_plus_one}/${file_size_num}/" "$1.vmdk"
    vmkfstools -e "$1.vmdk"
    retVal=$?
    if [ $retVal -ne 0 ]; then
        echo -e "\nError. Could not decrypt. Please consult CISA's guidance for further assistance."
    else
        echo -e "\nSuccess! Unregister the virtual machine and re-register it and you should be good to go.\n"
    fi
else
    echo -e "\nSuccess! Unregister the virtual machine and re-register it and you should be good to go.\n"
fi
exit $retVal

Recovering machines with snapshots

💡 Recovering machines with snapshots

Thank you for the great work! It saved a lot of machines. However, it does not recover machines with snapshots.
Any ideas to fix those machines? Thanks

222

🐛 Summary

What's wrong? Please be specific.

To reproduce

Steps to reproduce the behavior:

  1. Do this
  2. Then this

Expected behavior

What did you expect to happen that didn't?

Any helpful log output or screenshots

Paste the results here:

Add any screenshots of the problem here.

Syntax error when i run script

Hi, can someone please help me with this syntax error?
/tmp/recover.sh: line 9: syntax error: unexpected newline
Thank you.
