DangerDumb

Everything posted by DangerDumb

  1. Alright, so bringing this back up just to give an update and a final and big THANK YOU to everyone who gave advice and feedback. I did a complete clear of all disks, and replaced the original boot flash with the backup. Rebuilt the array and created two new VMs (which honestly was such an immensely easier task than the first time I did it 6 years ago.. this new vers 7 is just awesome so far). Replaced all data with the most recent backups, and started moving in more recent data that was not backed up or encrypted during the attack. So far, everything is working really well (aside from an issue where an old AutoCAD program from 26 years ago is having trouble running on Windows 11 but.. that's to be expected I think). Thank you, everyone, truly. This community is awesome.
  2. Ok, I have to admit I'm a bit confused as I get ready for the next steps. I have hardened my network, and I feel confident it is now a safe space. My thoughts to move forward were:
     • Wipe drives
     • Replace OS thumb drive with backup drive and use Connect to link license to it
     • Setup single empty share
     • Create two new VMs (here is a question, can I use the existing VM xml files to help setup the device passthru? This took me months to get working perfectly.)
     • Copy pre-attack backup of single share to machine and work from there with enhanced monitoring for the initial period following going live (third>fourth quarter)
     Does this sound correct, overboard?
  3. Thank you, Robert, I agree that it seems to be the most likely cause. Time to relearn how to configure VMs, and once again try my hand at bringing back a VM from backup (never been successful myself).
  4. First of all, thank you to everyone who has chimed in so far. Well, I don't think the attack was complete. It sort of makes sense to me that the virus would attack logs as part of its setup, to cover its bases for the deployment in case the attack was halted midway (which it seems like it was), and then likely delete logs afterwards as well. It also makes sense that it would leave everything else functional, because the whole point of the attack is that you continue seeing your files and notice what happened, see the ransom note and then pay. If they did anything else to the detriment of the system, wouldn't it work against their ultimate goal? From what little I understand (and I could be vastly misunderstanding), the logs that ARE present seem to have a ton of smb requests to or from outside IP addresses, which is indicative of this type of attack. The interesting thing is that it looks like they were happening since at least March 2nd, and none of the files actually changed until 3/29 at ~9:12 pm. The attack ran for roughly 42 hrs and then abruptly shut down, I think from a lost connection. Then the pings appeared to start over, with no additional actual changes to files happening, until we finally noticed and pulled the connections to the network almost 24 hrs later. I think the requests could have been partially unsuccessful, or they could have just spent a really long time routing the smb traffic through a ridiculous network to hide the end goal, which was deleted from local logs. The connection may have dropped unintentionally, or perhaps they purposefully dropped it to close the connection before starting the routing back up again as a safety procedure of some sort. This is all wild speculation. At this point, I'm assuming that I will have to restore the OS from flash backup. Now that I have Unraid Connect on the system, I think this should be a really painless process (at least I hope so).
     I am really hoping I won't have to recreate the VMs, because they were a BEAR to get working reliably at the outset, but it definitely seems like best practice, even if I might be able to justify keeping them intact. The failures of security are hard for me to admit, because I definitely know better. My only excuse is that I spent the entirety of 2025 working 14-16hr days, 6 to 7 days a week, to complete an engineering project at work that was by far the greatest and hardest effort of my life. Doesn't make me feel any better, because I should have prioritised the security of this system as highly as I always had, but it at least explains why my head wasn't fully in the game. If it's not obvious, I am bitterly upset with myself over this comedy of errors. As far as dockers/outside access go... I had one Docker container enabled, ApacheGuacamole, which I had tried getting to work at one point before abandoning it and.. yep I failed to shut it down/delete it.. I had the Tailscale plugin, but the only other machine on the tailnet hasn't logged in since December. After the failure of the firewall (which I really wish I had been told about 😞), they installed a new Amazon Eero router, which defaulted to having UPNP active. Lastly, of course, we had an SMB port open on the network. I can't for the life of me figure out what I was thinking in the moment. I must have been meaning to have it open temporarily to brute force entry, and then absent-mindedly left it open. As for what has been done since yesterday evening:
     • A new firewall has been installed with strict scanning and controls.
     • A new managed switch has been installed to microsegment the LAN in case something else on the network is the culprit.
     • All data on the server has been backed up (encrypted and unencrypted files).
     • Both VMs have been scoured with multiple virus scanners without finding anything amiss.
     • I have gone through Task Manager on both without finding anything that seems like an obvious red flag.
     This afternoon, I want to start scouring the Event Viewer for both VMs to see if I can spot any possible executable that could still be present or able to run. I may forego this and just get started on the wipe instead. The server is offline until I figure out the best next steps, and I imagine I will spend most of tonight/Saturday basically starting from scratch with data that is 3-7 months old. 😭 Since I'm gonna have to seemingly start over from scratch.. might be a good time to update the drives I guess
  5. I can only assume it was a sophisticated attack that deleted earlier logs to hide entry identification..
  6. Unfortunately those are the only three logs.. I don't understand why, we didn't reboot the system or shut it down..
  7. If I can figure out how.. 😅
  8. Ah, yes, there is a syslog.1 and syslog.2 Shall I post them zipped as well?
  9. Here is the diagnostics. I am currently hunting and trying to find how the attack entered the network.. it seems it may have been attempting to run for quite some time (based on my incredibly rudimentary look through the syslog)... corridantower-diagnostics-20260402-1740.zip
  10. Excellent point and it has not been rebooted yet. I will definitely try and pull logs and diagnostics before I do.
  11. Hi and thank you! Answers above.
  12. Unfortunately I haven't been able to determine this as of yet. The current belief is that it was a phishing attack from one of the two VMs.
  13. Hello gang, sadly my trusty old unraid machine was hit by the Want To Cry ransomware this week. I have to say it is completely my fault, as after suffering an OS corruption due to power outage and UPS failure, I rushed to get things operational for the share/VMs with the intent to revisit and tighten ship and it was infected before I got back to it. I am an amateur admin, and I set up this server as a budget way to serve my parents' small business needs. It has been an amazing success up until this point but I have to admit I grew lax and failed them here. I am posting from a new account because I have had little to no need for support over the years and I cannot even remember how to log in to my original unraid forum account (or how I got into it for the connect service just a couple days ago when this was discovered...) I know I will get back in and I'm chalking this up to the stress of this ordeal for the moment.. I am unsure exactly how to proceed to get back to fully secure, and I'd like some feedback if possible. The server is set up with a simple single share for file serving to two VMs running on the server. The share is used for media creation work (CAD drafting/fine art archival and web design) and QuickBooks accounting for the two business entities running these services. Since this is livelihood and not just streaming of old movies, you can imagine what a nightmare scenario this is, so absolutely any and all thoughts are welcome and appreciated. I have the understanding that I have no choice but to wipe and copy from backups, which are a bit older than I would have liked but at least are something. Actions taken:
     • Disconnected the server from the network.
     • Set the Unraid share to private.
     • Added a new user with a new password and set it as the only user able to access the share.
     • Only one of the VMs currently has access to the share, which I did by changing the VM user name and password to match the share access settings (the user needs to finalize some work on files that were not infected [thank goodness] and..).
     • Running a backup now of the entire share for posterity and in case a magical but seemingly impossible decryption tool somehow comes out in near term.
     Main questions:
     • Am I correct that only the share that was available to the VMs needs to be deleted/replaced?
     • What should/can I do about the infected VMs? I believe I have a backup of each, but in the 6.5 years I have run Unraid I don't believe I have ever restored a VM from backup and I'm not sure how best to do so (currently what I am trying to read up on).
     • I am finally running Unraid Connect (only enacted in December after the OS corruption), but I am still on a 6.9 variant (6.9.12?) as trying to go any further resulted in the server not being able to correctly boot. I would love to move into the version 7 lands so that I can update Tailscale at the minimum, but also.. I have never had to make use of the Unraid Connect service, and only set it up just 3 months ago, so I am unsure exactly what that gives me in the way of tools to perhaps correct my current situation.
     Further planned actions (if you have any suggestions or comments):
     • Beyond the SMB measures I have already taken, I plan on stopping the array and disabling SMB1 at the earliest possibility, even if I have to slog through making Windows 10 VMs comply with certificates for the shares (not sure how difficult this will be).
     • I will also be installing a new firewall device after the last Firewalla failed (something the two users only admitted to self-diagnosing and removing without telling me this week).. and managed switch with VLAN segmentation to further obfuscate the server from the network.
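A defender-side check for the pattern described in post 4 above (repeated SMB connections from outside addresses showing up in syslog, weeks before any file changed), added here as an example and not code from this thread, from Unraid or from Samba. The log lines are constructed samples; the smbd message wording, the hostname "Tower" and the log year are assumptions, so adjust the regex to whatever your own syslog actually contains.

```python
# Added example: summarise smbd connections from non-LAN IPv4 addresses in an
# rsyslog-style syslog (first seen, last seen, count per source address).
import ipaddress
import re
from datetime import datetime

# Constructed sample log; real smbd messages vary with the Samba version.
SAMPLE_SYSLOG = """\
Mar  2 03:14:07 Tower smbd[2211]: connect from 203.0.113.45 (share)
Mar  2 03:14:09 Tower smbd[2211]: connect from 192.168.1.20 (share)
Mar 29 21:12:01 Tower smbd[4102]: connect from 203.0.113.45 (share)
Mar 31 15:40:33 Tower smbd[4310]: connect from 198.51.100.7 (share)
Mar 31 15:41:02 Tower kernel: unrelated message mentioning 198.51.100.7
"""

LOG_YEAR = 2026  # rsyslog timestamps carry no year; assumed for the incident
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>[a-z]+)"
    r"\[\d+\]: .*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Address ranges treated as "inside": RFC 1918, loopback and link-local.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_outside(ip: str) -> bool:
    """True when the address is not in any of the LAN ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_RANGES)


def outside_smb_sources(log_text: str, year: int = LOG_YEAR) -> dict:
    """Return {ip: (count, first_seen, last_seen)} for smbd lines from outside IPs."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "smbd" or not is_outside(m.group("ip")):
            continue  # skip non-smbd lines and LAN clients
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        count, first, last = found.get(m.group("ip"), (0, ts, ts))
        found[m.group("ip")] = (count + 1, min(first, ts), max(last, ts))
    return found


if __name__ == "__main__":
    for ip, (n, first, last) in sorted(outside_smb_sources(SAMPLE_SYSLOG).items()):
        print(f"{ip}: {n} smbd connection(s), first {first}, last {last}")
```

Any address that appears in the output is one that should not have been able to reach port 445 at all, which is the question the firewall and UPnP findings in the thread are really about.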
