cisagov/ESXiArgs-Recover cisagov/ESXiArgs-Recover

  • This repository has been archived on 20/Jun/2023
  • Stars
    star
    293
  • Rank 137,330 (Top 3 %)
  • Language
    Shell
  • License
    Creative Commons ...
  • Created over 1 year ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
cisagov/ESXiArgs-Recover
github

cisagov

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool to recover from ESXiArgs ransomware

ESXiArgs-Recover

ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.

CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. For more information, see CISA's ESXiArgs Ransomware Virtual Machine Recovery Guidance.

Disclaimer

CISA’s ESXiArgs script is based on findings published by the third-party researchers mentioned above. Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.

This script is being provided “as is” for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Usage

  1. Download this script and save it as /tmp/recover.sh. For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh
  2. Give the script execute permissions: chmod +x /tmp/recover.sh
  3. Navigate to the folder of a virtual machine you would like to decrypt (you may browse these folders by running ls /vmfs/volumes/datastore1). For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example
  4. Run ls to view the files. Note the name of the VM (e.g. if there is a file example.vmdk, the name of the VM is example).
  5. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the virtual machine determined in step 4. If the virtual machine is a thin format, run /tmp/recover.sh [name] thin.
  6. If successful, the decryptor script will output that it has successfully run. If unsuccessful, this may mean that your virtual machines cannot be recovered.
  7. If the script succeeded, the last step is to re-register the virtual machine.
  8. If the ESXi web interface is inaccessible, take the following steps to remove the ransom note and restore access (note that taking the steps below moves the ransom note to the file ransom.html. Cconsider archiving this file for future incident review).
    • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
    • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html & mv index1.html index.html
    • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
  9. In the ESXi web interface, navigate to the Virtual Machines page.
  10. If the VM you restored already exists, right click on the VM and select “Unregister”.
  11. Select “Create / Register VM”.
  12. Select “Register an existing virtual machine”.
  13. Click “Select one or more virtual machines, a datastore or a directory” to navigate to the folder of the VM you restored. Select the vmx file in the folder.
  14. Select “Next” and “Finish”. You should now be able to use the VM as normal.

If needed, the script will save encrypted files in a new encrypted_files folder within each virtual machine’s directory.

Contributing

Contributions are always welcome! Navigate here to submit a pull request or submit an issue here.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

More Repositories

1

RedEye

RedEye is a visual analytic tool supporting Red & Blue Team operations
TypeScript
2,613
star
2

Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Python
1,504
star
3

Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
PowerShell
1,371
star
4

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
Open Policy Agent
1,361
star
5

cset

Cybersecurity Evaluation Tool
TSQL
1,305
star
6

log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Java
1,262
star
7

log4j-affected-db

A community sourced list of log4j-affected software
Shell
1,115
star
8

CHIRP

A DFIR tool written in Python.
Python
1,040
star
9

decider

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
HTML
1,021
star
10

untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Python
699
star
11

LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
PowerShell
690
star
12

pshtt

Scan domains and return data based on HTTPS best practices
Python
668
star
13

crossfeed

External monitoring for organization assets
TypeScript
320
star
14

bad-practices

CISA's catalog of bad practices that are exceptionally risky.
Shell
181
star
15

development-guide

A set of guidelines and best practices for an awesome engineering team
Python
180
star
16

trustymail

Scan domains and return data based on trustworthy email best practices
Python
180
star
17

cyber.dhs.gov

A site for CISA directives
SCSS
138
star
18

dotgov-data

Official list of .gov domains
108
star
19

ScubaGoggles

SCuBA Security Configuration Baselines and assessment tool for Google Workspace
Open Policy Agent
105
star
20

check-cve-2019-19781

Test a host for susceptibility to CVE-2019-19781
Python
105
star
21

ICSNPP

Industrial Control Systems Network Protocol Parsers
104
star
22

findcdn

findCDN is a tool created to help accurately identify what CDN a domain is using.
Python
92
star
23

prescup-challenges

President's Cup Cybersecurity Competition Challenges
Python
78
star
24

ansible-role-cobalt-strike

An Ansible role for installing Cobalt Strike.
HCL
66
star
25

shareable-soar-workflows

This is a repository of vendor-agnostic workflows provided for those interested in deploying Security Orchestration, Automation, and Response capabilities within their organizations.
62
star
26

cybersecurity-performance-goals

CISA's space for collaboration on the Cybersecurity Performance Goals.
Shell
53
star
27

PNT-Integrity

The PNT Integrity Library provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
C++
49
star
28

join-cisagov

CISA is hiring! We’re looking for candidates passionate about our mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.
Shell
45
star
29

gophish-tools

Helpful tools for interacting with a GoPhish phishing instance
Python
40
star
30

ioc-scanner

Search a filesystem for indicators of compromise (IoC).
Python
39
star
31

vdp-in-fceb

Vulnerability disclosure policies in the US Government's executive branch
32
star
32

Epsilon

The Epsilon Algorithm Suite provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
Python
31
star
33

pca-gophish-composition

Phishing campaign docker composition for Gophish
Shell
31
star
34

gophish-docker

Docker container for the gophish phishing framework.
Shell
30
star
35

check-your-pulse

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
Python
28
star
36

getgov

Building a new .gov registrar for a bright .gov future
Python
27
star
37

postfix-docker

Docker container with a postfix server designed for use during phishing campaigns
Shell
26
star
38

dotgov-home

Homepage for the .gov registry
SCSS
25
star
39

assessment-reporting-engine

Python
24
star
40

skeleton-python-library

A skeleton project for quickly getting a new cisagov Python library started.
Python
19
star
41

scanner

Automated pshtt, trustymail, and sslyze scanning
Shell
18
star
42

cyhy_amis

AWS infrastructure for Cyber Hygiene and BOD 18-01 scanning
HCL
16
star
43

admiral

Distributed certificate transparency log harvester
Python
14
star
44

skeleton-docker

A skeleton project for quickly getting a new cisagov Docker container started.
Shell
14
star
45

icsnpp-opcua-binary

Zeek OPCUA Binary Parser - CISA ICSNPP
JavaScript
13
star
46

icsnpp-enip

Zeek Ethernet/IP and CIP Parser - CISA ICSNPP
Zeek
13
star
47

pe-reports

Automated process to build and distribute Posture & Exposure Reports' bi-weekly to customers.
Python
13
star
48

icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
JavaScript
12
star
49

ansible-role-clamav

Ansible role to install and enable the ClamAV virus scanner
Shell
12
star
50

lambda_functions

Generate AWS Lambda environment zip files for use by cisagov/domain-scan
Shell
12
star
51

icsnpp-s7comm

Zeek S7comm, S7comm-plus, and COTP Parser - CISA ICSNPP
JavaScript
11
star
52

network-architecture-verification-and-validation

The NAVV (Network Architecture Verification and Validation) tool creates a spreadsheet for network traffic analysis from PCAP data and Zeek logs, automating Zeek analysis of PCAP files, the collation of Zeek logs and the dissection of conn.log and dns.log to create a summary or network traffic in an XLSX-formatted spreadsheet.
Python
11
star
53

docker-kali-ansible

A systemd-enabled Kali Linux Docker image, in the spirit of geerlingguy/docker-debian11-ansible.
Dockerfile
10
star
54

tic3.0

Collaborating on Trusted Internet Connection 3.0 use cases
10
star
55

icsnpp-genisys

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Genisys over TCP/IP
Python
10
star
56

gh-skeleton

This extension for the gh CLI provides the ability to easily start new projects from our existing library of skeleton repositories.
Shell
10
star
57

scoping-validation-tool

SVT is a tool that can be used to verify ownership and location of assets during the scoping process of a penetration test.
Python
9
star
58

orchestrator

Orchestrate gatherer, scanner, saver, and trustymail_reporter
Shell
9
star
59

pshtt_reporter

Generate HTTPS reports based on scan data
Python
9
star
60

cyhy-mailer

Email Cyber Hygiene, Trustworthy Email, and HTTPS reports to the appropriate technical or distribution addresses
Python
9
star
61

trustymail_reporter

Generate Trustworthy Email reports based on scan data
Python
9
star
62

pre-commit-packer

Provides pre-commit hooks for Packer projects.
Shell
9
star
63

nessus-packer

Create machine images containing the Nessus vulnerability scanner
HCL
9
star
64

domain-manager-api

Flask API for Domain Manager
Python
9
star
65

gatherer

Gather domains as a precursor to scanning
Shell
9
star
66

certboto-docker

Certbot container that stores its configuration in an AWS S3 bucket
Shell
9
star
67

icsnpp-modbus

Zeek Modbus Extension Scripts - CISA ICSNPP
Zeek
8
star
68

aws-profile-sync

Synchronize AWS credential profiles from remote sources
Python
8
star
69

ansible-role-kali

An Ansible role for provisioning kali
HCL
8
star
70

icsnpp-dnp3

Zeek DNP3 Extension Scripts - CISA ICSNPP
Zeek
8
star
71

dmarc-import

A tool for parsing DMARC aggregate reports.
Python
8
star
72

icsnpp-bsap-ip

Zeek BSAP over IP Parser - CISA ICSNPP
JavaScript
8
star
73

CISASuite

The CSET, Malcom, Con-PCA suite of tools
HTML
8
star
74

icsnpp-ethercat

Zeek Ethercat Parser - CISA ICSNPP
C++
8
star
75

skeleton-generic

A generic skeleton project for quickly getting a new cisagov project started.
Shell
8
star
76

Sogu

This script generates a list of possible SOGU filenames based on serial numbers of active drives. It has the added functionality of searching each drive from the generated file list.
PowerShell
8
star
77

travis-wait-improved

A tool to help long-running, yet reticent, processes avoid death at the hands of Traivs-CI.
Python
7
star
78

con-pca-api

API Docker Container for Con-PCA
HTML
7
star
79

.dotfiles

Generic set of dotfiles to get you started with a cisagov development environment
Shell
7
star
80

domain-manager-ui

UI for the Domain Manager
HTML
7
star
81

pen-testing-findings

A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
7
star
82

vulnerable-instances

Virtual machines that are set up with a variety of known vulnerabilities.
HCL
7
star
83

openvpn-server-tf-module

Terraform module to create an OpenVPN server instance
HCL
6
star
84

scan-target-data

Contains data used to identify targets for scanning
Shell
6
star
85

ansible-role-burp-suite-pro

An Ansible role for installing Burp Suite Professional
HCL
6
star
86

con-pca-web

The website source and terraform code for continuous phishing assessment.
HTML
6
star
87

kali-packer

This project can be used to create AMIs based on Kali Linux, a penetration testing distribution.
HCL
6
star
88

security-contact-finder

Making government security contacts accessible
CSS
6
star
89

saver

Save scan results to a database
Python
6
star
90

con-pca-cicd

continuous phishing main repository
HCL
6
star
91

megazord-composition

Shell
6
star
92

ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate users certificates against FreeIPA.
Shell
6
star
93

ansible-role-amazon-efs-utils

An Ansible role for installing aws/efs-utils
Shell
5
star
94

PNT-Integrity-Toolkit

The PNT Integrity DIY Toolkit describes how a perspective end-user of the PNT Integrity Library can assemble a demonstrational toolkit with commercial-off-the-shelf (COTS) hardware.
C++
5
star
95

awssh

Tool to simplify secure shell connections over AWS simple systems manager.
Python
5
star
96

sslyze-lambda

AWS Lambda function for sslyze
Python
5
star
97

cyhy-core

Python
5
star
98

cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL
HCL
5
star
99

ncats-data-dictionary

Shell
5
star
100

flare-misp-service

Automate the regular transfer of AIS data into a MISP Server
Java
5
star