Ransomware got into my Unraid Server


Recommended Posts

Hi I have a huge problem a ransomware got in to my unraid server.

The server hold the company's databases so It can't be deleted 

Note

- The Last edited by tag is "nobody/UNIXUSER (Same as created by tag)

- The docker.img file which I DID NOT SHARE IT TO SMB OR SAMBA got encrypt 

 

 

 

The ransomware

here is the ransom text

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]


Your personal ID: 979896082

 

 

 

So my conclusion is the ransomware must be running in unraid either it was (it isn't running now I use ps -ef and I did not find any wired processes

If anyone know how to decrypt this please help

Thank You

Link to comment

Post up Diagnostics.

 

I do not believe the ransomware is running ON Unraid, but is from a WinOS client pc or within a WinOS VM.

 

The docker.img might be shared from the following shares, depending on you configured them:

 

appdata -- mine is available as appdata/Docker/docker.img

Cache -- mine is available as cache/appdata/Docker/docker.img

disk# - if you have your docker.img stored on an array disk, then it might be disk1/appdata/Docker/docker.img

 

 

Link to comment
27 minutes ago, Siwat2545 said:

So my conclusion is the ransomware must be running in unraid either it was (it isn't running now I use ps -ef and I did not find any wired processes

 

Very unlikely.  A ransomware author isn't going to bother directly targeting an unRaid server, as it will be far more lucrative to target a Windows or Mac system or your mobile devices.

 

Pull the network cables to ALL networked devices to physically isolate them from each other.  Google, Google, and Google again for what to do.

 

Side note, there is a Ransomware protection plugin which *may* (or may not) have stopped the damage to the server.

 

 

Link to comment

Because all my .vhdx and .sql .msdb and other related server environment file are the only one that got encrypt and I don't think with my 10 gigabit connection limiting to 5gbps per user by pfsense will get all the file encrypt in just 10 hours


Sent from my iPhone using Tapatalk

Link to comment

As I understand it, these programs can access mapped drives as easily as they can a directory/folder on the local hard drives.  (I have heard of  a local county government that got hit and it was their servers being attacked by a Windows computer in their own offices.)  

 

1 minute ago, Siwat2545 said:

Oh the. How can I get my license key back ?
 

 

That is easy, see here:

 

     https://lime-technology.com/replace-key/

 

If you have an issue, there is a contact address at the bottom of the this page.  LimeTech has a reputation for being very fair with their customers.

 

Link to comment

My worry is a replacement key can only be issue once a years and I still can't identify which of the machine that has the ransomware on it. Therefor if the USB drive got encrypted again I won't be able to use unraid for a years unless I got a new keys


Sent from my iPhone using Tapatalk

Link to comment
10 minutes ago, Siwat2545 said:

I need to reconsider about security now ...

 

You have a VM running on a corporate server?  You certainly do.  This is not the way to save a four hundred dollars.  In fact, you should not have shared the Flash Drive as Public share. 

2 minutes ago, Siwat2545 said:

My worry is a replacement key can only be issue once a years and I still can't identify which of the machine that has the ransomware on it. Therefor if the USB drive got encrypted again I won't be able to use unraid for a years unless I got a new keys

 

Shut the network down completely and start googling from a single trusted computer with all sharing turnoff.  Find out the name of the processes that do this encrypting and start checking every computer in the facility until you find the one(s) with that process running.  You may get lucky and find a key that will unlock your files.  (Apparently, some of these guys were lazy and reused the keys...) 

 

Most users have found that LimeTech treats its customers very fairly.  You might have to present your case to them but they have treated most folks very, very well and on a timely basis. 

 

I suspect some employee/officer got 'social engineered' and turned this beast loose.  You need to re-instruct folks about security and look at what you are doing.  (I personally think that running a VM (or even a Docker with outside access) on a corporate server is not an ideal way to save a few bucks.  The less stuff that is running on your servers, the easier it will be secure them.)  You also need to determine who needs w/r privileges verses read-only access and implement that.  And stop sharing the Flash Drive...

  • Upvote 1
Link to comment

Well I feel dumb I have the data backup 3 month ago safely store at google cloud big data container but I did not backup the flash boot drive though I am contacting unraid right now I am going to mark this as solved when the server accept the key Thank you all for your help ,Siwat Sirichai


Sent from my iPhone using Tapatalk

Link to comment

The license key would be the last thing I'd be worried about if this were to happen to me.

 

The very first thing I would do upon realizing I had RansomWare on my server is to power it down. That is me - but I'd rather deal with a dirty shutdown than give the virus more time.

 

I'd do the same with any Windows workstation. It's like having a tiger in the house. I'd want to shut every door.

 

You need one machine to be able to Google for research. Even a tablet or smartphone might suffice.

 

Unlike a normal Linux or Windows environment, unRAID completely reinstalls the OS with every boot to memory. You should be able to rebuild a new USB stick, and reboot. Don't run any dockers, VMs, etc. Seems impossible that RansomWare would survive that. unRAID seems the easiest to clean vs a Windows or regular Linux box with a persistent OS install.

 

I want to re-iterate that it is much more likely that a RansomWare attack would occur through an infected Windows machine and get to unRAID through unRAID's Samba shares. The flash disk IS a Samba share. After shutting down the unRAID server, I would go hunting for a Windows box that is infected. We know that unRAID is vulnerable to such an attack through Samba.

 

We have never seen one of these (until now possibly).

 

(An aside - I keep all of my media shares read only Samba shares to prevent being exposed).


There is a old expression about when you hear hoofbeats, think horses not zebras.  Attacking unRAID would not be very profitable given the small user base. It might be possible for a generic Linux strain to do so, but seems very unlikely. This is the zebra IMO. It could be a zebra, but nothing I've seen so far convinces me.

 

Which leads me to believe, Siwat, that you have another infected computer that you haven't found.

 

A few questions for Siwat ...

 

1 - Are you running any VMs on unRAID? A windows VM is just like a Windows computer. It can infect unRAID. And probably do more damage faster than a network connected Windows box.

2 - Have you checked each and every Windows box for signs of the virus?

3 - Are you running any Dockers on unRAID? Anything recently installed or updated?

4 - Is your server exposed to the Internet for external access? If so, how?

 

I do not envy you the next few days sorting this out. But please keep us updated on the steps you are taking. We may be able to provide some general guidance and suggestions, I am not aware of anyone of the forum with specific experience this issue.

Link to comment
9 hours ago, Siwat2545 said:

...forth it is exposed through OpenVPN

Obvious question: 

Have you disabled the VPN connection?

Less obvious question:

What is the OpenVPN a connection to?

Folks use VPNs in many different ways, so I don't want to make assumptions or generalisations, but if anything at the other end of the connection has write access to shares then it can do damage.  Does anything at the other end of the VPN have  an exposed connection to the Internet? 

Link to comment

I have disabled it temporarily for security Until I made sure all the client are clean I won't enable it and I will start an OpenVPN in an virtual network open an Samba Service on ubuntu put some bait file and see who encrypt it also OpenVPN are only available for Level 4 employees which only 16 peoples have it. The other end of the vpn Is a vpn router at my home so I can Access the network (only turn on when needed) and the other 16 node I will ask them


Sent from my iPhone using Tapatalk

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.