Ransomware attack... again

Featured Replies

Hello all... so I've been hit by ransomware. It happened before, a year ago; I cleaned up all the mess but I did not wipe the hard drives. Now it has happened again: all files locked again. The only machine affected is my Unraid server; I have multiple Macs connected and all look to be fine, and I'm not mounting shares at the time. I think the ransomware is somehow resident in the server, because it ran autonomously with the VM stopped and the computer shut down. I have SWAG installed, DuckDNS to resolve my IP address, and I use it mainly as a Plex server for my DVD collection. I also have a qBittorrent Docker connecting through the reverse proxy and downloading to an unassigned disk. So, to make it simple, I want to wipe everything and start new. Should I wipe the USB OS drive too? As far as I understand, the OS is installed fresh into RAM at every boot, thus I would not need to wipe the USB and reinstall / copy the free licence file. I would like to stay on the safe side to avoid that happening again.

  • Community Expert

You might want to consider that a Docker container is the entry point. Determine which shares were affected and which Dockers have access to those shares.

  • Author

Thanks for your reply, interesting point. I have Plex, SWAG, Double Commander, DuckDNS and qBittorrent, which is downloading to a separate unassigned HD. The one I would think about could be qBittorrent; the other Dockers are always shut off.

Going back to the question: should I erase everything (the USB with the OS too), or can I just wipe the HDDs and start a new config?

  • Community Expert
4 hours ago, mo679 said:

I've been hit by ransomware

Do you know which one? (Then Google it and see if it has a Linux variant...)

Were all your shares affected? Or just the unassigned device(s)?

I am assuming it did not encrypt your flash drive. Am I correct?

How do you share your data files? (SMB, NFS. Private, Secure or Public. If Secure or Private, which users have write access to the encrypted resources?)

Edited by Frank1940

  • Author

I do not know the name. It looks like it did not encrypt the USB flash drive (which I keep on Secure/Private); all shares were affected; I'm using Samba.

I want to clean up everything, but I would like to keep the USB key intact. Do you think it is safe at this point to just wipe the array, Docker, VM etc.?

homeserver-diagnostics-20230619-1657.zip

  • Community Expert

Sounds like it is more likely the attack is coming from another computer with access, rather than something running on Unraid itself. The go file looks normal. What do you run with User Scripts?

  • Community Expert

I had a look at your diagnostics file, specifically the shares configuration. You have most of your shares (with SMB access) configured as 'Public', which means that any computer/device that can access your network can change/encrypt your files. You really need to consider applying more controls on who has access to your server as well as the type of access (no access, read-only, or read-write) allowed in each case. (A basic rule should be that access privileges are limited to the minimum required for the user involved!) At the very minimum, you should require that any computer have a login to even gain access to the shares on the server. Absolutely no 'Guest' access! (Personally, I believe that all shares should be 'Private' and permissions (read-only, read-write) granted only to those who have a need for access. Everyone else's permission should be 'No Access'!)

Here is a link to setting up Windows client computers to get you started:

https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup/

(In my situation, I have set my shares to 'Read-only' permission. If and when I need to write to a share, I will change it for the time required to do what has to be done.)

Most networks these days have WiFi as a component part of the LAN. WiFi is not that secure. Hackers sitting on the street near your building have a good chance of being able to log in to it. If you give the password to friends who visit you, their computers/devices could be the ones that bring the malware onto your LAN. IoT devices are another potential source of penetration into your LAN. All of these are reasons to lock that server down as much as possible.

You also have exported most of your shares via NFS. Do you really need NFS access to these shares? If not, turn it off.
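The advice in the post above comes down to a share-by-share review of two settings: can a guest (unauthenticated device) reach the share, and can it write. The following Python script is an added example, not code from this thread or from Unraid. It parses a constructed smb.conf fragment, classifies each share into the same Public / Secure / Private categories the post uses (the mapping of those Unraid modes onto Samba's `guest ok`, `writeable` and `write list` parameters is this example's assumption), flags the guest-writable ones, and emits a least-privilege private definition to replace them. NFS exports are not visible in smb.conf, so the NFS point above needs a separate check of each share's export setting.

```python
"""Audit Samba share definitions for guest-writable exposure.

Added example, not from the thread or from Unraid.  The smb.conf fragment
below is constructed; the mapping of Unraid's Public / Secure / Private
share modes onto Samba's 'guest ok', 'writeable' and 'write list'
parameters is this example's assumption.
"""
import configparser

# Constructed sample: one share in each Unraid-style mode.
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User

[movies]
path = /mnt/user/movies
public = yes
writeable = yes

[downloads]
path = /mnt/user/downloads
public = yes
writeable = no
write list = qbt

[backups]
path = /mnt/user/backups
public = no
valid users = alice, bob
write list = alice
read list = bob
"""

_TRUE = {"yes", "true", "1"}
_NON_SHARES = {"global", "homes", "printers"}


def _bool(section, *keys, default):
    """Look up the first present Samba boolean among synonym keys."""
    for key in keys:
        if key in section:
            return section[key].strip().lower() in _TRUE
    return default


def _users(section, key):
    """Split a comma-separated Samba user list into names."""
    return [u.strip() for u in section.get(key, "").split(",") if u.strip()]


def classify_share(section):
    """Return (mode, verdict) for one share section.

    mode is 'public', 'secure' or 'private' in the thread's sense:
    guest-writable, guest-readable with named writers, or authenticated only.
    """
    guest = _bool(section, "guest ok", "public", default=False)
    # Samba defaults a share to read-only; 'writeable' and its synonyms invert that.
    if any(k in section for k in ("writeable", "writable", "write ok")):
        writable = _bool(section, "writeable", "writable", "write ok", default=False)
    else:
        writable = not _bool(section, "read only", default=True)
    writers = ", ".join(_users(section, "write list")) or "none"

    if guest and writable:
        return "public", "CRITICAL: any device on the LAN can modify or encrypt this share"
    if guest:
        return "secure", "WARN: guest read access; writers: " + writers
    return "private", "OK: authenticated access only; writers: " + writers


def audit(conf_text):
    """Parse smb.conf text and classify every file share in it."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return {name: classify_share(cp[name])
            for name in cp.sections() if name.lower() not in _NON_SHARES}


def hardened_share(name, path, writers, readers=()):
    """Emit a least-privilege replacement definition: no guest access,
    read-only by default, write access only for the named users."""
    valid = sorted(set(writers) | set(readers))
    return "\n".join([
        f"[{name}]",
        f"path = {path}",
        "guest ok = no",
        "read only = yes",
        f"valid users = {', '.join(valid)}",
        f"write list = {', '.join(writers)}",
    ]) + "\n"


if __name__ == "__main__":
    for share, (mode, verdict) in audit(SAMPLE_SMB_CONF).items():
        print(f"{share:<10} {mode:<8} {verdict}")
        if mode == "public":
            # Hypothetical writer account name; substitute the real one.
            print(hardened_share(share, f"/mnt/user/{share}", writers=["plex"]))
```

Run it against a real `smb.conf` (or the `smb-shares.conf` fragment inside an Unraid diagnostics zip) by passing the file's text to `audit()`; every share reported as `public` is one that any device on the LAN, including a compromised one, can encrypt in place.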

 

 

  • Author

Yes, I will change some of the security access. The fact is, it is really strange to get recurring infections. All my computers are Macs; the only Windows machine is the VM in Unraid, which I keep shut down all the time. I do not game online, and the qBittorrent I use goes through a reverse proxy.
Plus, my router is a custom-made OpenWrt with recent patches etc. I somehow believe my IP (that is a dynamic IP with DuckDNS) has been registered after the first attack, and they keep on trying, knocking on the exposed doors when I download something.

By the way, I use the Plex chmod script, the HDD cache enabler script and the specific "no ransom" script, which actually locks all the data, preventing it from being modified. And it works, because after this attack, in the folders where I have the movies I still have the original files together with a dummy file that should have replaced the original but... couldn't.

So do you reasonably think I can keep the USB untouched and just format and new config?

  • Community Expert
5 minutes ago, mo679 said:

So do you reasonably think I can keep the USB untouched and just format and new config?

Personally, I would grab the .key file from the /config directory and store it on one of your computers. (You might also want to make a complete backup of your flash drive while you are at it.) Then format the flash drive and install Unraid from a fresh download. (If you have a lot of customization of Unraid, make screenshots of the setup screens.)

11 minutes ago, mo679 said:

All my computers are Macs

Google "ransomware on macOS" and look at the results. Using Macs may not be making you as safe as you think.

While I am not a security guru, my limited research indicates that ransomware is an 'acute' attack. It happens as soon as possible after the software is downloaded. After all, the object is to get the payoff before the user/organization can react. I would think that they would consider trying to repeat the crime futile, as the victim has probably put protection in place to prevent a second occurrence from having any serious consequences beyond the inconvenience of cleaning up the mess and restoring the data.

5 hours ago, Frank1940 said:

You also have exported most of your shares via NFS. Do you really need NFS access to these shares? If not, turn it off.

I see there is a toggle for read-only access on unassigned drives, but I don't see a toggle in the shares tab. Or do you just add Secure SMB and then toggle read to write under the user?

 

  • Community Expert
4 hours ago, mo679 said:

my IP (that is a dynamic IP with DuckDNS) has been registered after the first attack, and they keep on trying, knocking on the exposed doors

This sounds like you haven't secured your server from the internet.

https://www.grc.com/shieldsup
