waymo7

Members | Posts: 5
Everything posted by waymo7

  1. Ohhhhhhhhhhh.... Just figured it out... it's the security with my UNRAID, not NextCloud. Because although the nextcloud share has been compromised, the /mnt/user/appdata/mariadb and /mnt/user/appdata/Nginx-Proxy-Manager-Official/data are also compromised along with the nextcloud config files. So if I am not mistaken, I need to bump up the security of my UNRAID. Can anyone confirm my assessment is accurate?
  2. Sooooo... I had 2FA turned on and forced, whoever these turds are got into my NextCloud instance again... anyone have any other suggestions?
  3. Yeah, specifically the nextcloud share folder. No, ssh wasn't exposed, and since then I blew away nextcloud and rebuilt, then implemented 2FA.
  4. Kilrah, I did now. But not before. Just used my username and password thinking that'd be good enough. We'll see how this holds up. Craig
  5. First I want to state that I am sure this was an issue with my configuration and the security protocol I had implemented not being strong enough, and no fault of UNRAID's, but has anyone else been ransomwared? So I get back from vacation, and I saw that my nextcloud wasn't working on any of my devices. I clicked on the web shortcut to my subdomain and saw it was a 502 bad gateway error. I actually didn't figure it out for a hot minute because I was restarting containers and reviewing logs. I have three main containers that are all connected to my Nextcloud share (Nginx, MariaDB, and Nextcloud). What threw me off is that all three containers' logs were going crazy (looping with the same error), so I was going down rabbit holes figuring out why MariaDB kept looping through an error "umask changed from 020 to 0640", and then nextcloud was also throwing a php config error, and I can't remember what Nginx was doing. Long story short, when I started digging through the config directories, I realized that there was a funky file in each directory. It was like `$38DECRYPT-README$%^`, something like that. When you read it, it had a message from whoever hacked me stating to pay them in bitcoin to decrypt my files. The good news is that I have a good backup process and none of the client files were harmed. The only thing that was harmed was the server/config files that were all attached to the Nextcloud share. So basically I blew away the Nextcloud share and redeployed. A day of downtime, no harm no foul. But I guess the point of this thread is to, A: see if this has happened to anyone else? and B: what steps can be taken to better prevent this in the future? Craig
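The tell in the post above is a ransom note with the same odd name dropped into every config directory attached to the share. That pattern can be checked for on a schedule rather than discovered after a vacation. The following is an added detection example, not code from the poster or from Unraid or Nextcloud; it builds a small constructed directory tree mimicking the appdata layout mentioned in the thread (the sample paths, file contents and the `$38DECRYPT-README$%^.txt` file name are assumptions for the demo) and flags files whose names or first bytes look like ransom notes, then highlights any such file name that recurs across several unrelated directories.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample tree that mimics the Unraid appdata layout from the post.
# Paths, contents and the note name are assumptions so the script runs offline.
SAMPLE_FILES = {
    "nextcloud/config/config.php": "<?php $CONFIG = array();",
    "nextcloud/config/$38DECRYPT-README$%^.txt": "Your files are encrypted. Pay in bitcoin.",
    "mariadb/my.cnf": "[mysqld]\n",
    "mariadb/$38DECRYPT-README$%^.txt": "Your files are encrypted. Pay in bitcoin.",
    "Nginx-Proxy-Manager-Official/data/nginx.conf": "server {}",
    "Nginx-Proxy-Manager-Official/data/$38DECRYPT-README$%^.txt": "Your files are encrypted. Pay in bitcoin.",
    "plex/Preferences.xml": "<Preferences/>",
    "plex/README.md": "Plex notes",  # ordinary README: must not be flagged
}

# Name heuristics: a "decrypt/restore/recover/unlock" word near "readme/how/instructions/files".
NOTE_NAME_RE = re.compile(
    r"(?i)(decrypt|restore|recover|unlock)[^/]*(readme|how|instruct|files)"
    r"|readme[^/]*(decrypt|restore|recover)"
)
# Body heuristics for notes with unremarkable names: payment and ransom vocabulary.
NOTE_BODY_RE = re.compile(r"(?i)\b(bitcoin|btc|monero|ransom|decrypt(or|ion|ed)?)\b")


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root (demo input only)."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def scan_ransom_notes(root):
    """Walk root and return {file name: sorted list of directories (relative to root)}
    for every file that matches the name or body heuristics."""
    by_name = defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for name in files:
            suspicious = bool(NOTE_NAME_RE.search(name))
            if not suspicious:
                # Only read the head of the file; notes are small text files.
                try:
                    with open(os.path.join(dirpath, name), "r", errors="ignore") as fh:
                        suspicious = bool(NOTE_BODY_RE.search(fh.read(4096)))
                except OSError:
                    continue
            if suspicious:
                by_name[name].add(os.path.relpath(dirpath, root))
    return {name: sorted(dirs) for name, dirs in by_name.items()}


def widespread(findings, min_dirs=2):
    """Keep only names seen in at least min_dirs directories: one odd file is noise,
    the same odd file in every container's config directory is the post's symptom."""
    return {name: dirs for name, dirs in findings.items() if len(dirs) >= min_dirs}


def run_demo():
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_ransom_notes(root)


if __name__ == "__main__":
    # On a real Unraid box you would point scan_ransom_notes at /mnt/user/appdata
    # (assumed path from the thread) instead of the constructed tree.
    findings = run_demo()
    for name, dirs in widespread(findings).items():
        print(f"suspected ransom note '{name}' in {len(dirs)} directories: {dirs}")
```

Running this on the real appdata path from a cron job (or a User Scripts entry on Unraid) and alerting when `widespread()` returns anything gives a cheap early warning; pairing it with the backup process the poster already has is what turns a day of downtime into minutes.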