CyberPanel users have recently been targeted by ransomware groups exploiting vulnerabilities in their instances. Among the most concerning strains are PSAUX, .encryp, and .locked ransomware, each identifiable by the file extension it leaves on encrypted files. This post covers the PSAUX ransomware variant, including the available decryption script and the key files identified on a threat actor’s server.
When PSAUX infects a CyberPanel instance, it appends a .psaux extension to encrypted files. Its encryption implementation is flawed, meaning that in some cases the encrypted data can be restored without paying a ransom. If the encrypted files on your server carry only the .psaux extension, you may be able to decrypt them.
Other Known Extensions: .encryp and .locked
Alongside PSAUX, other ransomware groups target CyberPanel and use similar file-encrypting methods, but with different extensions: .encryp and .locked.
These variants have been reported across different groups and may require other methods for decryption or restoration.
Decrypting PSAUX-Affected Files
A decryption tool for PSAUX-encrypted files has been made available. Here’s a step-by-step guide on using this tool to restore your files:
1. Confirm the File Extension: Ensure the affected files have the .psaux extension.
2. Run the Decryption Script: Download and execute the provided decryption script on your server. This script takes advantage of weaknesses in PSAUX's encryption logic, allowing users to decrypt files without needing a ransom key.
3. Verify Decryption Success: Check if the files are restored. Note that this decryption process is effective only for PSAUX ransomware, not for .encryp or .locked extensions.
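
The extension check in the first step and the verification in the last step can be scripted. The following is an added example, not part of the original post or of the decryption tool. The function names are hypothetical, and it assumes the decryption script writes each restored file beside its .psaux copy under the original name.

```python
import os
import sys
from pathlib import Path

# Extensions named in the post; only .psaux is covered by the decryption script.
EXTENSIONS = (".psaux", ".encryp", ".locked")

def inventory(root):
    """Group files under root by ransomware extension (symlinks are not followed)."""
    found = {ext: [] for ext in EXTENSIONS}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for ext in EXTENSIONS:
                if name.endswith(ext) and name != ext:
                    found[ext].append(Path(dirpath) / name)
    return found

def triage(found):
    """Step 1: decide whether the PSAUX decryptor applies to this server."""
    psaux = bool(found[".psaux"])
    other = any(found[ext] for ext in EXTENSIONS if ext != ".psaux")
    if psaux and other:
        return "mixed"        # decryptor can only help with the .psaux files
    if psaux:
        return "psaux-only"   # the case the post says may be recoverable
    return "other-variant" if other else "none"

def unrestored(found):
    """Step 3: list .psaux files with no non-empty restored counterpart.

    Assumption: the decryptor writes the restored file beside the encrypted
    one, under the same name minus the .psaux suffix.
    """
    pending = []
    for enc in found[".psaux"]:
        restored = enc.with_name(enc.name[: -len(".psaux")])
        if not restored.is_file() or restored.stat().st_size == 0:
            pending.append(enc)
    return sorted(pending)

if __name__ == "__main__":
    result = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for ext, paths in result.items():
        print(f"{ext}: {len(paths)} file(s)")
    print("triage:", triage(result))
    for path in unrestored(result):
        print("not restored:", path)
```

Run it once before and once after the decryption script, ideally against a snapshot or backup copy of the affected directory, so the two reports can be compared.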