
Help with ransomware recovery


Hello gang, sadly my trusty old Unraid machine was hit by the Want To Cry ransomware this week. I have to say it is completely my fault, as after suffering an OS corruption due to a power outage and UPS failure, I rushed to get things operational for the share/VMs with the intent to revisit and tighten ship, and it was infected before I got back to it. I am an amateur admin, and I set up this server as a budget way to serve my parents' small business needs. It has been an amazing success up until this point, but I have to admit I grew lax and failed them here. I am posting from a new account because I have had little to no need for support over the years and I cannot even remember how to log in to my original Unraid forum account (or how I got into it for the Connect service just a couple of days ago when this was discovered...). I know I will get back in, and I'm chalking this up to the stress of this ordeal for the moment.

I am unsure exactly how to proceed to get back to fully secure, and I'd like some feedback if possible. The server is set up with a simple single share for file serving to two VMs running on the server. The share is used for media creation work (CAD drafting/fine art archival and web design) and QuickBooks accounting for the two business entities running these services. Since this is livelihood and not just streaming of old movies, you can imagine what a nightmare scenario this is, so absolutely any and all thoughts are welcome and appreciated. I have the understanding that I have no choice but to wipe and copy from backups, which are a bit older than I would have liked but at least are something.

Actions taken:

Disconnected the server from the network.

Set the Unraid share to private.

Added a new user with a new password and set it as the only user able to access the share.

Only one of the VMs currently has access to the share, which I did by changing the VM username and password to match the share access settings (the user needs to finalize some work on files that were not infected [thank goodness] and..

Running a backup now of the entire share for posterity and in case a magical but seemingly impossible decryption tool somehow comes out in near term.

Main questions:

Am I correct that only the share that was available to the VMs needs to be deleted/replaced?

What should/can I do about the infected VMs? I believe I have a backup of each, but in the 6.5 years I have run Unraid I don't believe I have ever restored a VM from backup and I'm not sure how best to do so (currently what I am trying to read up on).

I am finally running Unraid Connect (only enacted in December after the OS corruption), but I am still on a 6.9 variant (6.9.12?) as trying to go any further resulted in the server not being able to correctly boot. I would love to move into the version 7 lands so that I can update Tailscale at the minimum, but also.. I have never had to make use of the Unraid Connect service, and only set it up just 3 months ago, so I am unsure exactly what that gives me in the way of tools to perhaps correct my current situation.

Further planned actions (if you have any suggestions or comments):

Beyond the SMB measures I have already taken, I plan on stopping the array and disabling SMB1 at the earliest possibility, even if I have to slog through making Windows 10 VMs comply with certificates for the shares (not sure how difficult this will be).

I will also be installing a new firewall device after the last Firewalla failed (something the two users only admitted to self-diagnosing and removing without telling me this week), and a managed switch with VLAN segmentation to further obfuscate the server from the network.
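Since the plan above is to turn off SMB1 on the Samba side, here is an added example (my code, not the poster's and not part of Unraid) that checks a Samba configuration for the settings that matter: the oldest dialect the server will negotiate (`server min protocol`), whether NTLMv1 is still permitted (`ntlm auth`), and whether SMB signing is required (`server signing`). The two config fragments are constructed for the example; on Unraid, extra directives of this kind are normally pasted into Settings > SMB > Samba extra configuration (an assumption about where you would apply them, not something the script does). Windows 10 and 11 clients negotiate SMB 3.1.1 natively, so a minimum of SMB3_00 does not need certificates or any client-side change.

```python
"""Check a Samba configuration for SMB1 exposure and related weak settings.

Added example, not from the forum thread and not Unraid's own tooling.
"""
import configparser

# Dialect names Samba accepts for "server min protocol", oldest first.
# Everything through NT1 is the SMB1 family.
SMB1_DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"]
SMB2_PLUS = ["SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}   # aliases Samba also accepts
ORDER = SMB1_DIALECTS + SMB2_PLUS
DEFAULT_MIN = "SMB2_02"  # Samba's default since 4.11; older builds defaulted to NT1

# Constructed fragments: the weak setting beside the corrected one.
WEAK = """\
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   client min protocol = NT1
   ntlm auth = yes
"""

HARDENED = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3_00
   client min protocol = SMB3_00
   ntlm auth = no
   server signing = mandatory
"""


def load(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. Indentation is stripped so configparser does not
    treat indented directives as continuation lines."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(flat)
    return cp


def effective_min(cp: configparser.ConfigParser, assumed_default: str = DEFAULT_MIN) -> str:
    raw = cp.get("global", "server min protocol", fallback=assumed_default).strip().upper()
    raw = ALIASES.get(raw, raw)
    if raw not in ORDER:
        raise ValueError(f"unknown dialect {raw!r}")
    return raw


def findings(text: str, assumed_default: str = DEFAULT_MIN) -> list:
    """Return a list of human-readable problems; an empty list means the
    [global] section refuses SMB1, NTLMv1 and unsigned sessions."""
    cp = load(text)
    out = []
    explicit = cp.has_option("global", "server min protocol")
    mn = effective_min(cp, assumed_default)
    if mn in SMB1_DIALECTS:
        out.append(f"SMB1 accepted: server min protocol = {mn}")
    elif not explicit:
        out.append(f"server min protocol not set; relying on build default {assumed_default}")
    ntlm = cp.get("global", "ntlm auth", fallback="ntlmv2-only").strip().lower()
    if ntlm in ("yes", "ntlmv1-permitted"):
        out.append(f"NTLMv1 permitted: ntlm auth = {ntlm}")
    signing = cp.get("global", "server signing", fallback="default").strip().lower()
    if signing != "mandatory":
        out.append(f"SMB signing not mandatory: server signing = {signing}")
    return out


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {findings(cfg) or ['no findings']}")
```

To check the live configuration instead of a fragment, feed the script the output of `testparm -s`, which prints the effective merged config (Unraid splits smb.conf across several included files, so reading a single file can miss a directive).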

  • Community Expert

Do you have a current backup of your Unraid boot flash?

  • Author

I do, yes

  • Community Expert

Do you know how the ransomware got in?

  • Author

Unfortunately I haven't been able to determine this as of yet. The current belief is that it was a phishing attack from one of the two VMs.

  • Community Expert

Hello,

4 hours ago, DangerDumb said:

Unfortunately I haven't been able to determine this as of yet. The current belief is that it was a phishing attack from one of the two VMs.

I have some questions before I can try to give an answer.

  1. Do You have another PC available?

  2. How many GB/TB are we talking about for Your VM's each?

  3. Are You accessing Your server via a Windows PC or Linux PC?

  4. Are You accessing Your server directly or remotely/browser

  5. Besides Your VM problems does the rest of Your data seem to be intact/stable?

  6. Are the VM's accessing only a specific drive or an entire pool?

  7. Are You certain now that Your server is hardened? (If You attempt to fix Your VM's but the server itself is accessible then Your VM's are also accessible)

  8. If not can You take it fully offline BEFORE you begin any repairs or do You require it stay running while the fix is implemented?

  9. Have You checked Your log to see the admin/user logins and date/time stamps? If Yes do they all appear normal?

  10. What online sources are You using to link with Your server. SSO or Recoveries etc.

For Me I need those things to understand more. If You wish You can message privately for any data that You wish not be made public.

  • Regards

  • Author
23 minutes ago, imrobertcampbell said:

Hello,

I have some questions before I can try to give an answer.

  1. Do You have another PC available? - Yes. Multiple other PCs available onsite.

  2. How many GB/TB are we talking about for Your VM's each? - Each VM is approximately 1 TB, and only houses programs. No data is kept on the VMs.

  3. Are You accessing Your server via a Windows PC or Linux PC? - Server is never accessed from anywhere besides the VMs, unless I am troubleshooting or doing admin which I then was using Tailscale to remote in from my PC. That hasn't been working since the OS was redone though so no outside/non-direct access at all in last 3 months.

  4. Are You accessing Your server directly or remotely/browser - Currently accessing through web console from within VM only.

  5. Besides Your VM problems does the rest of Your data seem to be intact/stable? - The issue appears to only be with the single server share that the VMs use for data storage. That share is about 7TB. It's estimated that about 75% of files total are infected. Nothing outside the share currently looks to be infected.

  6. Are the VM's accessing only a specific drive or an entire pool? - The accessed share is spread through the entire pool.

  7. Are You certain now that Your server is hardened? (If You attempt to fix Your VM's but the server itself is accessible then Your VM's are also accessible) - No. Not certain, still taking mitigating steps.

  8. If not can You take it fully offline BEFORE you begin any repairs or do You require it stay running while the fix is implemented? - Plan to take it offline tonight/early tomorrow, it has been disconnected from network and internet since I found out mid day Tuesday.

  9. Have You checked Your log to see the admin/user logins and date/time stamps? If Yes do they all appear normal? - Not yet, hoping to do this in a couple hours.

  10. What online sources are You using to link with Your server. SSO or Recoveries etc. - None currently. I had setup Tailscale and a backup rsync (Resilio?) previously, but neither were active during this period.

For Me I need those things to understand more. If You wish You can message privately for any data that You wish not be made public.

  • Regards

Hi and thank you! Answers above.

  • Community Expert
5 minutes ago, DangerDumb said:

checked Your log

Unless Syslog Server is setup, logs don't survive reboot.

  • Author

Excellent point and it has not been rebooted yet. I will definitely try and pull logs and diagnostics before I do

  • Community Expert

Yes, pull the diagnostics and post it. No shutdown or reboot until that step is done. Also, if I am understanding the rest of it correctly, if You have no data on the VMs, let's first secure and harden the server and the I/O connections themselves, and then move on to the VMs (which I would probably just reinstall from scratch, since You said they contain no data and would be better rebuilt on a fully verified and hardened Unraid install anyway).

Trurl can definitely help You check Your diagnostics. It's the best place to start.

  • Regards

  • Author

Here is the diagnostics. I am currently hunting and trying to find how the attack entered the network.. it seems it may have been attempting to run for quite some time (based on my incredibly rudimentary look through the syslog)...

corridantower-diagnostics-20260402-1740.zip

  • Community Expert

Some older syslogs aren't included in those.

What do you get from command line with this?

ls -lah /var/log/syslog*
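The point about logs not surviving a reboot deserves a concrete step. Unraid keeps /var/log in RAM, so the following added example (my code, not the expert's, and not an Unraid tool) copies every /var/log/syslog* file to a persistent location and writes a SHA-256 manifest so the copies can later be shown to be the same bytes that were collected. The destination path /boot/forensics/syslog-capture is an assumption: choose somewhere that survives reboot (the boot flash or a separate USB stick), not the array that was hit.

```python
"""Preserve volatile syslog files and record their hashes.

Added example, not from the forum thread and not Unraid's own code.
"""
import glob
import hashlib
import json
import os
import shutil
import time


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(src_glob: str, dest_dir: str) -> dict:
    """Copy every file matching src_glob into dest_dir, verify each copy
    byte-for-byte, and write manifest.json. Returns
    {filename: {"size": int, "sha256": str, "mtime": float}}."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for src in sorted(glob.glob(src_glob)):
        name = os.path.basename(src)
        dst = os.path.join(dest_dir, name)
        shutil.copy2(src, dst)  # copy2 keeps the original mtime
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match its source")
        st = os.stat(dst)
        manifest[name] = {"size": st.st_size, "sha256": digest, "mtime": st.st_mtime}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump({"collected_at": time.time(), "files": manifest}, f, indent=2)
    return manifest


def verify_manifest(dest_dir: str) -> list:
    """Return the names of preserved files whose current hash no longer
    matches manifest.json (empty list means nothing was altered)."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        entries = json.load(f)["files"]
    return [name for name, e in entries.items()
            if sha256_file(os.path.join(dest_dir, name)) != e["sha256"]]


if __name__ == "__main__":
    # Assumed paths: Unraid's RAM-backed syslog files and a flash-drive target.
    captured = preserve_logs("/var/log/syslog*", "/boot/forensics/syslog-capture")
    for name, e in captured.items():
        print(f"{name}: {e['size']} bytes sha256={e['sha256']}")
```

Run it once before any reboot or shutdown, then keep the manifest with the diagnostics zip; `verify_manifest` can be re-run on the copies at any later point to confirm they were not touched.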
  • Author

Ah, yes, there is a syslog.1 and syslog.2

Shall I post them zipped as well?

  • Author

If I can figure out how.. 😅

  • Author

Unfortunately those are the only three logs.. I don't understand why, we didn't reboot the system or shut it down..

  • Author

I can only assume it was a sophisticated attack that deleted earlier logs to hide entry identification..

  • Community Expert

If the attack could actually access that I would expect it to do more than just deleting logs. If the attack could access Unraid OS it might be a good idea to restore it from your flash backup. And it would also mean that other things the VMs had no access to are also suspect. Do you have any dockers?

Was your server accessible from outside your LAN?

  • Author

First of all, thank you to everyone who has chimed in so far.

Well, I don't think the attack was complete. It sort of makes sense to me that the virus would attack logs as part of its setup, to cover its bases for the deployment in case the attack was halted midway (which it seems like it was), and then likely delete logs afterwards as well. It also makes sense that it would leave everything else functional, because the whole point of the attack is that you continue seeing your files and notice what happened, see the ransom note and then pay. If they did anything else to the detriment of the system, wouldn't it work against their ultimate goal?

From what little I understand (and I could be vastly misunderstanding), the logs that ARE present seem to have a ton of smb requests to or from outside IP addresses, which is indicative of this type of attack. The interesting thing is that it looks like they were happening since at least March 2nd, and none of the files actually changed until 3/29 at ~9:12 pm. The attack ran for roughly 42 hrs and then abruptly shut down, I think from a lost connection. Then the pings appeared to start over, with no additional actual changes to files happening, until we finally noticed and pulled the connections to the network almost 24 hrs later. I think the requests could have been partially unsuccessful, or they could have just spent a really long time routing the smb traffic through a ridiculous network to hide the end goal, which was deleted from local logs. The connection may have dropped unintentionally, or perhaps they purposefully dropped it to close the connection before starting the routing back up again as a safety procedure of some sort. This is all wild speculation.

At this point, I'm assuming that I will have to restore the OS from flash backup. Now that I have Unraid Connect on the system, I think this should be a really painless process (at least I hope so). I am really hoping I won't have to recreate the VMs, because they were a BEAR to get working reliably at the outset, but it definitely seems like best practice, even if I might be able to justify keeping them intact.

The failures of security are hard for me to admit, because I definitely know better. My only excuse is that I spent the entirety of 2025 working 14-16hr days, 6 to 7 days a week, to complete an engineering project at work that was by far the greatest and hardest effort of my life. Doesn't make me feel any better, because I should have prioritised the security of this system as highly as I always had, but it at least explains why my head wasn't fully in the game. If it's not obvious, I am bitterly upset with myself over this comedy of errors.

As far as dockers/outside access go... I had one Docker container enabled, Apache Guacamole, which I had tried getting to work at one point before abandoning it and.. yep, I failed to shut it down/delete it.. I had the Tailscale plugin, but the only other machine on the tailnet hasn't logged in since December. After the failure of the firewall (which I really wish I had been told about 😞), they installed a new Amazon Eero router, which defaulted to having UPnP active. Lastly, of course, we had an SMB port open on the network. I can't for the life of me figure out what I was thinking in the moment. I must have been meaning to have it open temporarily to brute force entry, and then absent-mindedly left it open.

As for what has been done since yesterday evening:

  • A new firewall has been installed with strict scanning and controls.

  • A new managed switch has been installed to microsegment the LAN in case something else on the network is the culprit.

  • All data on the server has been backed up (encrypted and unencrypted files).

  • Both VMs have been scoured with multiple virus scanners without finding anything amiss.

  • I have gone through Task Manager on both without finding anything that seems like an obvious red flag.

  • This afternoon, I want to start scouring the Event Viewer for both VMs to see if I can spot any possible executable that could still be present or able to run. I may forego this and just get started on the wipe instead.

The server is offline until I figure out the best next steps, and I imagine I will spend most of tonight/Saturday basically starting from scratch with data that is 3-7 months old. 😭

Since I'm gonna have to seemingly start over from scratch.. might be a good time to update the drives, I guess.
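The timeline reasoning in the post above (SMB traffic from outside addresses appearing in the surviving syslogs long before any files changed) is the kind of thing that is easier to establish from a script than by eye. The following added example is my code, not the poster's and not part of Unraid: it scans syslog-style lines, keeps those tagged smbd, pulls out every IPv4 address, and for each address outside the usual LAN ranges reports how many lines mention it and when it was first and last seen. The sample lines are constructed for the example and their message text is invented; real smbd messages vary with Samba's log level, so only the syslog timestamp, the program tag and the presence of an IPv4 address are relied on. The year 2026 is assumed because classic syslog timestamps carry none.

```python
"""Summarise smbd log lines from non-LAN addresses in a syslog file.

Added example, not from the forum thread and not Unraid's own tooling.
Run it on another PC against the syslog* files from the diagnostics zip.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# classic syslog prefix: "Mar  2 03:14:07 host program[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Addresses treated as "inside". Tailscale peers show up from 100.64.0.0/10;
# add that range only if every peer on the tailnet is trusted.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps have no year; the caller supplies it
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def is_external(ip: str, internal=INTERNAL) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in internal)


def summarize_smb(lines, year: int = 2026, prog: str = "smbd") -> dict:
    """Return {ip: {"count": n, "first": datetime, "last": datetime}} for
    external addresses appearing in lines tagged with prog."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = SYSLOG.match(line)
        if not m or m.group("prog") != prog:
            continue
        when = parse_ts(m.group("ts"), year)
        for ip in set(IPV4.findall(m.group("msg"))):
            if not is_external(ip):
                continue
            e = seen[ip]
            e["count"] += 1
            e["first"] = when if e["first"] is None or when < e["first"] else e["first"]
            e["last"] = when if e["last"] is None or when > e["last"] else e["last"]
    return dict(seen)


def span_hours(entry: dict) -> float:
    """Hours between first and last sighting of one address."""
    return (entry["last"] - entry["first"]).total_seconds() / 3600


# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = """\
Mar  2 03:14:07 Tower smbd[2231]: connection from 203.0.113.45 to share "work" denied
Mar  2 03:14:09 Tower smbd[2231]: connection from 203.0.113.45 to share "work" denied
Mar  2 03:20:41 Tower smbd[2231]: connection from 192.168.1.50 to share "work" accepted
Mar 29 21:12:03 Tower smbd[2231]: connection from 198.51.100.7 to share "work" accepted
Mar 30 09:00:15 Tower kernel: eth0: link up
Mar 31 15:05:44 Tower smbd[2231]: connection from 198.51.100.7 to share "work" accepted
""".splitlines()

if __name__ == "__main__":
    for ip, e in sorted(summarize_smb(SAMPLE).items()):
        print(f"{ip}: {e['count']} lines, first {e['first']}, last {e['last']}, "
              f"{span_hours(e):.1f} h span")
```

To run it on the real files, replace `SAMPLE` with the lines of each preserved syslog (oldest rotation first) and pass the LAN ranges actually in use as `internal`; any address left in the output is a remote host that reached smbd and is worth matching against the firewall or router logs for the same period.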

  • Community Expert

I still think it's a VM or Docker container that got penetrated. Both have the ability to cause the issues You are facing if they have been breached.

  • Author

Thank you, Robert, I agree that it seems to be the most likely cause. Time to relearn how to configure VMs, and once again try my hand at bringing back a VM from backup (never been successful myself).

  • Community Expert
5 hours ago, DangerDumb said:

Thank you, Robert, I agree that it seems to be the most likely cause. Time to relearn how to configure VMs, and once again try my hand at bringing back a VM from backup (never been successful myself).

I would suggest creating two VM's. One fresh (and fully secured to the best of Your ability) with none of Your data. Verify its security, update it, and back it up. The second VM use as Your recovery setting. Extract Your data; and only Your data, from it and then remove that VM entirely. Manually integrate Your data into the new VM so that You can verify what exact data is being restored. Do one section at a time creating Your restore points/backups and checking for other possible points of failure. I feel like this approach should ensure You have a secured VM with only verified data inserted.

  • Regards

  • Author

Ok, I have to admit I'm a bit confused as I get ready for the next steps.

I have hardened my network, and I feel confident it is now a safe space.

My thoughts to move forward were;

  1. Wipe drives

  2. Replace OS thumb drive with backup drive and use Connect to link license to it

  3. Setup single empty share

  4. Create two new VMs (here is a question: can I use the existing VM XML files to help set up the device passthrough? This took me months to get working perfectly.)

  5. Copy pre-attack backup of single share to machine and work from there with enhanced monitoring for the initial period following going live (third>fourth quarter)

Does this sound correct, overboard?

  • Community Expert

My 2 cents .....

Create a new VM without Your data. I want to verify that part is working first. If You aren't able to get any VMs working, no use in toying with Your actual data until You figure that out. If You can create a new VM, then great, sounds like You are further than You were before. Once You check everything seems to be working on the new VM, You should be able to copy the pre-attack backup data into the verified working VM.

Do You/Anyone see a flaw with that?

  • Regards

  • 2 weeks later...
  • Author

Alright, so bringing this back up just to give an update and a final and big THANK YOU to everyone who gave advice and feedback.

I did a complete clear of all disks, and replaced the original boot flash with the backup.

Rebuilt the array and created two new VMs (which honestly was such an immensely easier task than the first time I did it 6 years ago.. this new version 7 is just awesome so far).

Replaced all data with the most recent backups, and started moving in more recent data that was not backed up or encrypted during the attack.

So far, everything is working really well (aside from an issue where an old AutoCAD program from 26 years ago is having trouble running on Windows 11 but.. that's to be expected I think).

Thank you, everyone, truly. This community is awesome.
