[SOLVED] Ransomware targeting Linux/Unraid?


I updated to UnRaid 6.9.1 last week and immediately ran into problems with my Docker environment - basically docker.img became corrupt and none of the user images were listed on the USB (I'm guessing because I replaced the USB about 6 months ago and never copied anything over from the old one), so I had to start again. I mention this to illustrate that this is essentially a fresh start in terms of Docker. 

The ONLY images I reinstalled so far are:

* Traefik
* DuckDNS
* SabNZBD
* Radarr
* Lidarr
* Sonarr
* Plex

I hadn't got around to putting ANYTHING else back on yet. On Sunday, I noticed that all my Docker containers had unmounted again, Unraid was reporting that my USB was blacklisted, and the GUID was comprised of all zeroes. I reseated the USB stick and rebooted in case it had just been knocked loose, but it wouldn't come back up.

I checked the USB this morning and found that most of the files on it are encrypted, with a ".[[email protected]].Caleb" extension. It looks like the USB was encrypted around 8am Saturday morning while I was sleeping. I have no idea how much actual data has been encrypted so far. 

My concern is more how this happened. I have one Windows machine connected to the network, but that's showing no indication of infection. The USB is not shared either on the network or to any Docker containers, so neither of those vectors *should* have been able to get to the USB.

Has anyone else run into anything like this?

Edited by TheDisapprovingBrit
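
The post above says the flash files carry a ".[<contact address>].Caleb" suffix and that the extent of the encryption is unknown. The following is an added Python example, not code from the thread or from Unraid, for the first triage step: inventory every file with that suffix under a mount point and count hits per top-level directory so the blast radius is visible before anything is restored. The function names (find_encrypted, original_name, demo), the regex, and the constructed sample tree with a placeholder address are this example's assumptions; the thread shows the real address redacted.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Suffix seen on the flash drive in the post above: ".[<contact address>].Caleb".
# The address part is matched generically because the thread shows it redacted.
ENCRYPTED_SUFFIX = re.compile(r"\.\[[^\]]+\]\.Caleb$")


def find_encrypted(root):
    """Walk `root` and return (sorted list of encrypted file paths,
    {top-level directory: count}) so the blast radius is visible at a glance."""
    root = Path(root)
    encrypted = []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not ENCRYPTED_SUFFIX.search(name):
                continue
            path = Path(dirpath) / name
            encrypted.append(str(path))
            parts = path.relative_to(root).parts
            per_dir[parts[0] if len(parts) > 1 else "."] += 1
    return sorted(encrypted), dict(per_dir)


def original_name(encrypted_name):
    """Recover the pre-encryption file name by stripping the appended suffix."""
    return ENCRYPTED_SUFFIX.sub("", encrypted_name)


def demo():
    """Constructed miniature of an Unraid flash layout (not real data) with
    three files carrying the suffix; returns what find_encrypted reports."""
    base = Path(tempfile.mkdtemp())
    tag = ".[placeholder@example.invalid].Caleb"   # stand-in for the real suffix
    sample = [
        "config/docker.cfg" + tag,
        "config/network.cfg",
        "config/plugins/example.plg" + tag,
        "bzimage",
        "syslinux/syslinux.cfg" + tag,
    ]
    for rel in sample:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample")
    return find_encrypted(base)


if __name__ == "__main__":
    # Run against a real mount point with find_encrypted("/boot") instead of demo().
    paths, summary = demo()
    for p in paths:
        print(p, "->", original_name(Path(p).name))
    print(summary)
```

Run it read-only against the mount point (for the Unraid flash that is /boot) and keep the output: the per-directory counts tell you whether the damage stopped at the flash or reached the array, and the recovered names are what you look for in backups.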

Something like that would require extensive log review. Firewall + Traefik + Unraid.

I would start examining your Traefik configuration just to be sure nothing was misconfigured.

Never used Traefik personally but will take a look. Need to make sure my system is stable after rollback to 6.8.3 as I don't want to introduce anything new yet.


OK, I believe I found the issue. Short version: I'm a dumbass.

Long version: 

I got a new router a couple of weeks ago, which took 192.168.1.254 as its IP. This broke Unraid because it was configured with a static IP and a gateway of 192.168.1.1.

While I was trying to troubleshoot this, I put Unraid into the DMZ to rule out any potential firewall issues, and my dumb ass never took it back out when I figured it out. That was my first mistake.

My second mistake was an old Windows 10 VM that I spun up a while ago for some purpose that I can't even remember anymore. It was powered down, but when I lost Docker after the upgrade, I rebooted Unraid. I can't say for sure that the VM was set to auto power on, but given the results I'd say it's a pretty safe bet.

That basically meant I had a Windows VM directly exposed to the internet. It seems almost certain that this machine was compromised and subsequently caused the infection. I can't find out for sure because its disk file was one of the ones encrypted.

This makes me...not happy as such, because I'm still a dumbass, but at least content that I can see a plausible way that this could have happened.

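
The root cause above hinges on a question the poster could not answer once the VM's disk was encrypted: which VMs were set to auto-start, and where their disks lived. This is an added Python example, not code from the thread or from Unraid, that answers it from libvirt's on-disk state: libvirt marks a domain for autostart by placing a symlink named <domain>.xml in the autostart directory beside the domain definitions (the default layout is /etc/libvirt/qemu/autostart; that this is also where Unraid keeps it is an assumption). It reads each auto-started domain's name, disk image paths and bridge, then cross-references the disks against an encrypted-file list such as the one a flash-drive inventory produces. The function names (autostart_domains, affected_by, demo), the constructed domain XML and the placeholder suffix are this example's own.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def autostart_domains(libvirt_qemu_dir):
    """Return {vm_name: {"disks": [...], "bridges": [...]}} for every libvirt
    domain that will start with the host.

    libvirt records autostart as a symlink <dir>/autostart/<name>.xml pointing
    at the definition <dir>/<name>.xml; on a stock install <dir> is
    /etc/libvirt/qemu (assumed to hold for Unraid's libvirt as well)."""
    autostart_dir = Path(libvirt_qemu_dir) / "autostart"
    found = {}
    if not autostart_dir.is_dir():
        return found
    for link in sorted(autostart_dir.glob("*.xml")):
        root = ET.parse(link).getroot()
        name = root.findtext("name") or link.stem
        disks = [s.get("file") for s in root.iterfind("./devices/disk/source")
                 if s.get("file")]
        bridges = [s.get("bridge") for s in root.iterfind("./devices/interface/source")
                   if s.get("bridge")]
        found[name] = {"disks": disks, "bridges": bridges}
    return found


def affected_by(domains, encrypted_paths):
    """Names of auto-started VMs whose disk image shows up (with the ransomware
    suffix appended) in the list of encrypted files."""
    return sorted(name for name, info in domains.items()
                  if any(enc.startswith(disk)
                         for disk in info["disks"] for enc in encrypted_paths))


# Constructed minimal domain definition (shape follows libvirt's schema; paths are made up).
DOMAIN_XML = """<domain type='kvm'>
  <name>{name}</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/mnt/user/domains/{name}/vdisk1.img'/>
      <target dev='hdc' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>
"""


def demo():
    """Constructed layout: two defined VMs, only 'win10-old' marked autostart,
    and an encrypted-file list naming that VM's disk."""
    base = Path(tempfile.mkdtemp())
    (base / "autostart").mkdir()
    for name in ("win10-old", "ubuntu-lab"):
        (base / f"{name}.xml").write_text(DOMAIN_XML.format(name=name))
    os.symlink(base / "win10-old.xml", base / "autostart" / "win10-old.xml")
    domains = autostart_domains(base)
    encrypted = [
        "/mnt/user/domains/win10-old/vdisk1.img.[placeholder@example.invalid].Caleb",
    ]
    return domains, affected_by(domains, encrypted)


if __name__ == "__main__":
    # On a live host: autostart_domains("/etc/libvirt/qemu") instead of demo().
    domains, hit = demo()
    for name, info in domains.items():
        print(name, "disks:", info["disks"], "bridges:", info["bridges"])
    print("auto-started VMs with encrypted disks:", hit)
```

The autostart symlinks survive even when the disk images do not, so this check still works after the fact; the bridge name tells you which network the VM came up on, which is the other half of the "DMZ plus auto-start" combination described above.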
