cisagov / ESXiArgs-Recover

A tool to recover from ESXiArgs ransomware
Creative Commons Zero v1.0 Universal

decrypt virtual machines with sesparse.vmdk format #8

Open aleksarkun opened 1 year ago

aleksarkun commented 1 year ago

Hello. Got an infection of a server with several virtual machines. Using your script I managed to restore 3 out of 4 machines; Windows Server 2016 booted without any problems. There was a problem with the machine on which there was a snapshot. This is the list of files of the virtual machine: [screenshot Screenshot_38]

When I specify AstRun_srv.vmx, the script passes successfully; however, after registering, the machine does not start: Failed to power on virtual machine AstRun_srv. File AstRun_srv_1-000001.vmdk was not found

Here is the content of the .vmx file:

.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
vmci0.present = "TRUE"
floppy0.present = "FALSE"
numvcpus = "12"
memSize = "32768"
bios.bootRetry.delay = "10"
firmware = "efi"
powerType.suspend = "soft"
tools.upgrade.policy = "manual"
sched.cpu.units = "mhz"
sched.cpu.affinity = "all"
vm.createDate = "1593152686125618"
scsi0.virtualDev = "lsisas1068"
scsi0.present = "TRUE"
sata0.present = "TRUE"
usb_xhci.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
scsi0:0.fileName = "AstRun_srv-000001.vmdk"
sched.scsi0:0.shares = "normal"
sched.scsi0:0.throughputCap = "off"
scsi0:0.present = "TRUE"
scsi0:1.deviceType = "scsi-hardDisk"
scsi0:1.fileName = "AstRun_srv_1-000001.vmdk"
sched.scsi0:1.shares = "normal"
sched.scsi0:1.throughputCap = "off"
scsi0:1.present = "TRUE"
ethernet0.virtualDev = "e1000e"
ethernet0.networkName = "LAN3_Grp_AstRus"
ethernet0.addressType = "generated"
ethernet0.present = "TRUE"
displayName = "AstRun_srv"
guestOS = "windows9-64"
uefi.secureBoot.enabled = "TRUE"
toolScripts.afterPowerOn = "TRUE"
toolScripts.afterResume = "TRUE"
toolScripts.beforeSuspend = "TRUE"
toolScripts.beforePowerOff = "TRUE"
tools.syncTime = "FALSE"
uuid.bios = "56 4d 8e 2c 82 0a 68 1c-da 6d ba d0 fb 06 c3 97"
uuid.location = "56 4d 8e 2c 82 0a 68 1c-da 6d ba d0 fb 06 c3 97"
vc.uuid = "52 b7 2d 1d 64 9b 2d 63-2d 89 6a a7 58 68 b5 ca"
sched.cpu.min = "0"
sched.cpu.shares = "normal"
sched.mem.min = "0"
sched.mem.minSize = "0"
sched.mem.shares = "normal"
ethernet0.generatedAddress = "00:0c:29:06:c3:97"
vmci0.id = "-83442793"
cleanShutdown = "FALSE"
extendedConfigFile = "AstRun_srv.vmxf"
mks.enable3d = "TRUE"
tools.guest.desktop.autolock = "FALSE"
nvram = "AstRun_srv.nvram"
pciBridge0.present = "TRUE"
svga.present = "TRUE"
pciBridge4.present = "TRUE"
pciBridge4.virtualDev = "pcieRootPort"
pciBridge4.functions = "8"
pciBridge5.present = "TRUE"
pciBridge5.virtualDev = "pcieRootPort"
pciBridge5.functions = "8"
pciBridge6.present = "TRUE"
pciBridge6.virtualDev = "pcieRootPort"
pciBridge6.functions = "8"
pciBridge7.present = "TRUE"
pciBridge7.virtualDev = "pcieRootPort"
pciBridge7.functions = "8"
hpet0.present = "TRUE"
RemoteDisplay.maxConnections = "-1"
sched.cpu.latencySensitivity = "normal"
svga.autodetect = "FALSE"
disk.EnableUUID = "TRUE"
numa.autosize.cookie = "120001"
numa.autosize.vcpu.maxPerVirtualNode = "12"
sched.swap.derivedName = "/vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv/AstRun_srv-625b630d.vswp"
pciBridge0.pciSlotNumber = "17"
pciBridge4.pciSlotNumber = "21"
pciBridge5.pciSlotNumber = "22"
pciBridge6.pciSlotNumber = "23"
pciBridge7.pciSlotNumber = "24"
scsi0.pciSlotNumber = "160"
ethernet0.pciSlotNumber = "192"
usb_xhci.pciSlotNumber = "224"
vmci0.pciSlotNumber = "32"
sata0.pciSlotNumber = "33"
scsi0.sasWWID = "50 05 05 6c 82 0a 68 10"
ethernet0.generatedAddressOffset = "0"
vm.genid = "1025359355794109798"
vm.genidX = "5812918138057738809"
monitor.phys_bits_used = "43"
vmotion.checkpointFBSize = "4194304"
vmotion.checkpointSVGAPrimarySize = "67108864"
softPowerOff = "FALSE"
toolsInstallManager.lastInstallError = "0"
svga.guestBackedPrimaryAware = "TRUE"
tools.remindInstall = "FALSE"
toolsInstallManager.updateCounter = "2"
migrate.hostLog = "./AstRun_srv-625b630d.hlog"
svga.vramSize = "67108864"
sata0:0.startConnected = "FALSE"
scsi0:0.redo = ""
scsi0:1.redo = ""

When I try to feed the AstRun_srv-000001 file to the script, it gives the following errors:

[root@static:/vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv] /tmp/recover.sh AstRun_srv-000001
mkdir: can't create directory 'encrypted_files': File exists
Moving encrypted AstRun_srv-000001.vmdk to encrypted_files
mv: can't rename 'AstRun_srv-000001.vmdk': No such file or directory
ls: AstRun_srv-000001-flat.vmdk: No such file or directory

Creating copy of AstRun_srv-000001-flat.vmdk
Invalid file length specifier: -d
rm: can't remove 'temp-flat.vmdk': No such file or directory

Adding AstRun_srv-000001.vmdk
sed: temp.vmdk: No such file or directory
sed: temp.vmdk: No such file or directory
mv: can't rename 'temp.vmdk': No such file or directory

Copying AstRun_srv-000001.vmx
mv: can't rename 'AstRun_srv-000001.vmx': No such file or directory
cp: can't stat 'AstRun_srv-000001.vmx~': No such file or directory
Error: unable to find vmx backup. You may be unable to re-register the virtual machine.

Moving encrypted AstRun_srv-000001.vmsd to encrypted_files
mv: can't rename 'AstRun_srv-000001.vmsd': No such file or directory

Moving encrypted AstRun_srv-000001.nvram to encrypted_files
mv: can't rename 'AstRun_srv-000001.nvram': No such file or directory

Validating...
Failed to open disk link /vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv/AstRun_srv-000001.vmdk :The system cannot find the file specified (25)Disk chain is not consistent : The system cannot find the file specified (25)

Error. Trying to update the file size.
sed: AstRun_srv-000001.vmdk: No such file or directory
Failed to open disk link /vmfs/volumes/5ebac8f4-ba43223e-d524-309c239ced34/AstRun_srv/AstRun_srv-000001.vmdk :The system cannot find the file specified (25)Disk chain is not consistent : The system cannot find the file specified (25)

Error. Could not recover. Please consult CISA's guidance for further information: https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

I guess because of the snapshot I have a disk divided into files (AstRun_srv_1-000001-sesparse.vmdk), but the script is looking for *flat.vmdk. Maybe someone has a solution for how to run a virtual machine in this case, or just pull the files from the drive? Maybe redo the script so that it would work on the files AstRun_srv_1-000001-sesparse.vmdk; AstRun_srv-000001-sesparse.vmdk; AstRun_srv-Snapshot1.vmem?

If I connect the disks AstRun_srv.vmdk and AstRun_srv_1.vmdk in the newly created virtual machine, it starts and works correctly, but there is old data.
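The power-on failure ("File AstRun_srv_1-000001.vmdk was not found") and the recover.sh errors above come from the same situation: the .vmx points at snapshot descriptors whose data lives in -sesparse.vmdk files, while the script looks for a -flat.vmdk to rebuild from. As an added example (not part of the cisagov tool or of this thread), the following POSIX shell script reads the disk entries out of a .vmx and reports, per disk, whether the descriptor exists and whether a flat or sesparse extent is present, so the snapshot disks the script cannot rebuild are identified before anything is moved or renamed. The directory built by make_sample_dir is constructed to mirror the listing in this issue; the function names and the assumption that descriptor and extent sit beside the .vmx are mine.

```shell
#!/bin/sh
# Added example, not part of cisagov/ESXiArgs-Recover: audit the disk chain a
# .vmx references before running (or after re-running) the recovery script.
# recover.sh rebuilds a descriptor from a NAME-flat.vmdk; a snapshot disk keeps
# its data in NAME-sesparse.vmdk instead, so this report shows which disks
# have a flat extent the script can use and which only have a sesparse one.
# Assumptions: descriptor NAME.vmdk and its data file NAME-flat.vmdk or
# NAME-sesparse.vmdk live in the same directory as the .vmx (the usual VMFS
# layout). Everything created by make_sample_dir is constructed test data.

# audit_vmx FILE.vmx
# One line per hard disk:
#   "NAME.vmdk descriptor=<ok|MISSING> data=<flat|sesparse|MISSING>"
audit_vmx() {
    vmx=$1
    dir=$(dirname "$vmx")
    # Keep only the .fileName keys of disk controllers, then the quoted value.
    grep -E '^(scsi|sata|ide|nvme)[0-9]+:[0-9]+\.fileName *= *"' "$vmx" |
    sed -e 's/^[^"]*"\([^"]*\)".*$/\1/' |
    while IFS= read -r name; do
        case $name in
            *.vmdk) ;;
            *) continue ;;   # skip ISO images and other non-disk attachments
        esac
        base=${name%.vmdk}
        if [ -f "$dir/$name" ]; then desc=ok; else desc=MISSING; fi
        if [ -f "$dir/$base-flat.vmdk" ]; then
            data=flat
        elif [ -f "$dir/$base-sesparse.vmdk" ]; then
            data=sesparse
        else
            data=MISSING
        fi
        printf '%s descriptor=%s data=%s\n' "$name" "$desc" "$data"
    done
}

# vmx_chain_complete FILE.vmx
# Returns 0 only when every disk has both its descriptor and a data extent.
vmx_chain_complete() {
    ! audit_vmx "$1" | grep -q MISSING
}

# make_sample_dir
# Builds a constructed VM folder shaped like the one in this issue: both
# snapshot descriptors (-000001.vmdk) are gone, their sesparse extents remain,
# and one extra flat disk is intact. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/AstRun_srv.vmx" <<'EOF'
scsi0:0.deviceType = "scsi-hardDisk"
scsi0:0.fileName = "AstRun_srv-000001.vmdk"
scsi0:1.deviceType = "scsi-hardDisk"
scsi0:1.fileName = "AstRun_srv_1-000001.vmdk"
scsi0:2.fileName = "healthy.vmdk"
sata0:0.deviceType = "cdrom-image"
sata0:0.fileName = "installer.iso"
EOF
    : > "$d/AstRun_srv-000001-sesparse.vmdk"
    : > "$d/AstRun_srv_1-000001-sesparse.vmdk"
    : > "$d/healthy.vmdk"
    : > "$d/healthy-flat.vmdk"
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit_vmx.sh /vmfs/volumes/<datastore>/<vm>/<vm>.vmx
# With no argument the constructed sample is audited instead.
if [ $# -eq 0 ]; then
    sample=$(make_sample_dir)
    audit_vmx "$sample/AstRun_srv.vmx"
    rm -rf "$sample"
else
    audit_vmx "$1"
fi
```

Run it from the VM folder on the ESXi host before invoking recover.sh: a disk reported as data=sesparse with descriptor=MISSING is a snapshot delta whose descriptor the script cannot regenerate from a flat file, which is the case this issue describes.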

aleksarkun commented 1 year ago

Maybe it's complete insanity, but I changed the word in the script flat ---> sesparse and started it with: /tmp/recover.sh AstRun_srv_1-000001 thin. I got:

...
Validating...
Disk chain is consistent.

Success! Unregister the virtual machine and re-register it and you should be good to go.

After I tried adding the disk to another virtual machine, I saw the correct disk size from before encryption, but inside it didn't detect any partition or data; R-STUDIO after scanning shows all sectors unrecognized =(

aleksarkun commented 1 year ago

I went another way: I renamed -sesparse.vmdk to -flat.vmdk in the virtual machine folder, ran the script (success), renamed -flat.vmdk back to -sesparse.vmdk, then added the disk to another virtual machine and scanned with R-STUDIO, and I got files! But with various dates.

aleksarkun commented 1 year ago

Update: I see my folder tree and my archives, and R-STUDIO shows the right size, but when I try to restore *.7z archives they give me an error: Closing attribute: parsed allocated size (92325376) differ from stored one (738603008). I will try another program for restoring.

Update: all files on the disk show the same error: Closing attribute: parsed allocated size (51200) differ from stored one (409600) Closing attribute: parsed allocated size (512) differ from stored one (4096)

Update: another program recovers files with the right size, and they look fine, but inside there is nothing =(

kpma1985 commented 1 year ago

sesparse f**ed me up also :D I solved it manually without the script

cablej commented 1 year ago

Hi @kpma1985, are you able to share the commands that you ran to successfully recover with sesparse?

aleksarkun commented 1 year ago

@kpma1985 Hello, can you give some tips pls?

teweha commented 1 year ago

sesparse f**ed me up also :D I solved it manually without the script

How did you solve it? Please share the information; it would be a great help.

mariosomma commented 1 year ago

@kpma1985 Hello, can you please share your findings and solution? Thanks a lot in advance. Ciao, Mario.
