UNRAID / Nextcloud Share Ransomware

Go to solution Solved by Kilrah,

Recommended Posts

  First I want to state that I am sure this was an issue with my configuration and security protocol I had implemented not being strong enough and no fault of UNRAIDs, but has anyone else been ransomewared? So I get back from vacation, and I saw that my nextcloud wasn't working on any of my devices. I clicked on the web shortcut to my subdomain and saw it was a 502 bad gateway error. I actually didn't figure it out for a hot minute because I was restarting containers, and reviewing logs. I have three main containers that are all connected to my Nextcloud Share (Nginx, MariaDB, and Nextcloud). What threw me off is that all three containers logs were going crazy (looping with the same error), so I was going down rabbit holes figuring out why MariaDB kept looping through an error "umask cahnged from 020 to 0640" and then nextcloud was also throwing a php config error, and I can't remember what Nginx was doing. Long story short when I started digging through the config directories, I realized that there was a funky file in each directory. It was like `$38DECRYPT-README$%^ something like that. When you read it, it had a message from whoever hacked me stating to pay them in bitcoin to decrypt my files. The good news is that I have a good backup process and none of the client files were harmed. The only thing that was harmed was the server/config files that were all attached to the Nextcloud share. So basically I blew away the Nextcloud share a redeployed. A day of down time, no harm no foul. But I guess the point of this thread is to, A: see if this has happened to anyone else? and B: what steps can be taken to better prevent against this in the future?



Link to comment
  • 4 weeks later...
  • 2 weeks later...

Ohhhhhhhhhhh.... Just figured it out... it's the security with my UNRAID, not NextCloud. Because although the nextcloud share has been compromised, the /mnt/user/appdata/mariadb and /mnt/user/appdata/Nginx-Proxy-Manager-Official/data are also compromised along with the nextcloud config files. So if I am not mistaken, I need to bump up the security of my UNRAID. Can anyone confirm my assessment is accurate?  

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.