October 17, 2024 So yesterday my server got infected by ransomware. I would love to figure out how, if it's possible? I had Tailscale set up and only open ports to the Plex server and Tailscale. SMB was enabled too (workgroup) and I realized UPnP was enabled in my router. I've attached diagnostics. I could see a failed SMB attempt around the same time it happened. I do not know if these types of attacks are instant or if the ransomware is dormant for some time before the attack. What is the recommended procedure for starting clean again? Wipe absolutely everything? Can I keep the OS files on the USB? I have an earlier backup of appdata, can I use that to restore after the wipe? diagnostics-20241017-1938.zip
October 17, 2024 Community Expert Start by figuring out what was encrypted. Was it only the SMB shares? (Most ransomware attacks use a compromised Windows client.) Since most of your shares are private, figure out which clients have write access to the shares affected. Then isolate that client. I would suspect that the files on the client were also encrypted and that the client is infected. (Could be wrong on that as the big bucks come from locking the files on servers run by entities having deep pockets!) Edited October 17, 2024 by Frank1940
October 17, 2024 Community Expert I suspect the torrent client. Loads of segfaults from it (although that could just be a byproduct), but given that even the binhex container got xmrig or what it's called, I suspect those first^^ But the client did have some UPnP related issue, depending on what version you're running 😬 But as mentioned above, it really depends on what got encrypted. Everything? Just a part? Everything else is just a guess from the magic 8 ball.
October 17, 2024 Author Seems like it has only touched these folders. The ransomware .txt file is in all subdirectories from there. In the "appdata-backup" folder, there is only the .txt and no ".want_to_cry" file extension, so they seem unharmed. To my eyes it looks like it has only really encrypted my media files. My host path for qbittorrent (which was acting up) is /mnt/user/data/torrents/, so if I understand correctly, it should not be able to affect the other folders in /mnt/user/data? The only client with direct access is my desktop, which had a clean install of Windows last week and has no files affected. The other clients that connect go only to the Plex server.
October 17, 2024 Community Expert One thing I would do is to make all my shares read-only until you get things sorted out. If you think the torrent client might be involved, shut it down (if you haven't already done so). I would also close any open ports and shut down any VPN. You will have to identify what malware variant is actually the cause of your problem. (The ransom demand text might be a good starting point to figure this out...) Then google that knowledge to death to find out what your next step is.
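As an added triage example (not code posted by anyone in this thread), the script below walks a share tree and reports, per top-level share, how many files carry the `.want_to_cry` suffix, how many directories only received the ransom note (like the "appdata-backup" folder above), and the mtime window of the encrypted files so it can be lined up against the failed SMB attempt in the diagnostics. The note filename `RANSOM_NOTE.txt` and the sample directory layout are assumptions; the thread does not give the note's name.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

ENC_SUFFIX = ".want_to_cry"      # extension reported in the thread
NOTE_NAME = "RANSOM_NOTE.txt"    # placeholder: the real note's filename is not given


def scan_tree(root, enc_suffix=ENC_SUFFIX, note_name=NOTE_NAME):
    """Summarise, per top-level share under `root`, encrypted-file count, note
    count and the earliest/latest mtime of encrypted files. Also returns the
    directories that got a note but no encrypted files (scope boundary of the attack)."""
    shares = defaultdict(lambda: {"encrypted": 0, "notes": 0, "first": None, "last": None})
    note_only_dirs = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        share = "." if rel == "." else rel.split(os.sep)[0]
        stats = shares[share]
        enc_here, note_here = 0, False
        for name in filenames:
            if name.endswith(enc_suffix):
                enc_here += 1
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                stats["first"] = mtime if stats["first"] is None else min(stats["first"], mtime)
                stats["last"] = mtime if stats["last"] is None else max(stats["last"], mtime)
            elif name == note_name:
                note_here = True
        stats["encrypted"] += enc_here
        stats["notes"] += int(note_here)
        if note_here and enc_here == 0:
            note_only_dirs.append(rel)
    return dict(shares), note_only_dirs


def demo():
    """Constructed sample tree (not real data): media and torrents encrypted,
    appdata-backup only received the note; mtimes set so the window is deterministic."""
    root = tempfile.mkdtemp()
    t0 = datetime(2024, 10, 16, 23, 5, tzinfo=timezone.utc).timestamp()
    layout = {"media/movies/film.mkv.want_to_cry": t0, "media/movies/RANSOM_NOTE.txt": t0,
              "torrents/iso.img.want_to_cry": t0 + 600, "torrents/RANSOM_NOTE.txt": t0 + 600,
              "appdata-backup/RANSOM_NOTE.txt": t0 + 900, "appdata-backup/plex.tar": t0 - 86400}
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
        os.utime(path, (mtime, mtime))   # pin mtime so the window is reproducible
    return scan_tree(root)


if __name__ == "__main__":
    for share, s in demo()[0].items():
        print(share, s)
```

Run it against `/mnt/user/data` on the live array (read-only mounts are fine, it only stats files) to see which shares fall inside the encryption window.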