
Ransomware "WantToCry"

So yesterday my server got infected by ransomware. I would love to figure out how, if that's possible.

I had Tailscale set up and only had ports open to the Plex server and Tailscale. SMB was enabled too (workgroup), and I realized UPnP was enabled in my router.

I've attached diagnostics. I could see a failed SMB attempt around the same time it happened. I do not know if these types of attacks are instant or if the ransomware is dormant for some time before the attack.

 

What is the recommended procedure for starting clean again? Wipe absolutely everything? Can I keep the OS files on the USB? I have an earlier backup of appdata; can I use that to restore after the wipe?

diagnostics-20241017-1938.zip

  • Community Expert

Start by figuring out what was encrypted. Was it only the SMB shares? (Most ransomware attacks use a compromised Windows client.) Since most of your shares are private, figure out which clients have write access to the shares affected. Then isolate that client.

 

I would suspect that the files on the client were also encrypted and that the client is infected.  (Could be wrong on that as the big bucks come from locking the files on servers run by entities having deep pockets!)

Edited by Frank1940

  • Community Expert

I suspect the torrent client. Loads of segfaults from it (although that could just be a byproduct), but given that even the binhex container got xmrig or whatever it's called, I suspect those first ^^
But the client did have some UPnP-related issue, depending on what version you're running 😬

But as mentioned above. Really depends on what got encrypted. Everything? Just a part? Everything else is just a guess from the magic 8 ball.

  • Author

Seems like it has only touched these folders. The ransomware .txt file is in all subdirectories from there.

In the "appdata-backup" folder, there is only the .txt and no ".want_to_cry" file extension, so they seem unharmed.

To my eyes it looks like it has only really encrypted my media files.

 

My host path for qbittorrent (which was acting up) is /mnt/user/data/torrents/, so if I understand correctly, it should not be able to affect the other folders in /mnt/user/data?

 

The only client with direct access is my desktop, which had a clean install of Windows last week and has no files affected. The other clients that connect go only to the Plex server.

 

(screenshot attachment showing the affected folders)

  • Community Expert

One thing I would do is to make all my shares read-only until you get things sorted out. If you think the torrent client might be involved, shut it down (if you haven't already done so). I would also close any open ports and shut down any VPN.

 

You will have to identify what malware variant is actually the cause of your problem. (The ransom demand text might be a good starting point to figure this out...) Then google that knowledge to death to find out what your next step is.
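The first step the experts keep coming back to, working out exactly which directories were hit, can be scripted rather than eyeballed in a file browser. This is an added example, not code from the thread or from Unraid: it walks a share read-only, marks each directory as encrypted (files carrying the `.want_to_cry` extension the poster observed), note-only (ransom note dropped but nothing renamed, like the appdata-backup folder above) or clean, and reports the earliest and latest modification time of the renamed files so the encryption window can be compared against the failed SMB attempt in the diagnostics. The ransom note filename `RANSOM_NOTE.txt`, the sample tree and its timestamps are assumptions made for the demo.

```python
import os
import tempfile

ENCRYPTED_EXT = ".want_to_cry"   # extension observed on encrypted files in the thread
NOTE_NAME = "RANSOM_NOTE.txt"    # placeholder; the real note filename is not given


def triage_share(root, ext=ENCRYPTED_EXT, note_name=NOTE_NAME):
    """Classify each directory under root as 'encrypted' (renamed files present),
    'note_only' (note dropped, nothing renamed) or 'clean', and return the
    (first, last) mtime of encrypted files to bound when the encryption ran."""
    dirs, first, last = {}, None, None
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        hit = [os.path.join(dirpath, f) for f in files if f.endswith(ext)]
        if hit:
            dirs[rel] = "encrypted"
            for m in map(os.path.getmtime, hit):
                first = m if first is None or m < first else first
                last = m if last is None or m > last else last
        elif note_name in files:
            dirs[rel] = "note_only"
        else:
            dirs[rel] = "clean"
    return dirs, (None if first is None else (first, last))


def build_sample_share():
    """Constructed tree mirroring the thread: media renamed, backup note-only,
    torrents untouched. Timestamps are made up epoch seconds."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = [
        ("data/media/movies", ["a.mkv" + ENCRYPTED_EXT, NOTE_NAME], 1729190000),
        ("data/media/tv", ["s01e01.mkv" + ENCRYPTED_EXT, NOTE_NAME], 1729190600),
        ("data/appdata-backup", [NOTE_NAME, "backup.tar.gz"], 1729190300),
        ("data/torrents", ["iso.img"], 1729100000),
    ]
    for d, names, ts in layout:
        path = os.path.join(root, d)
        os.makedirs(path)
        for n in names:
            p = os.path.join(path, n)
            open(p, "w").close()
            os.utime(p, (ts, ts))
    return root
```

Against a real share, call `triage_share("/mnt/user/data")` from a read-only session before restoring or deleting anything, and keep the returned window alongside the diagnostics timeline.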
