Siwat2545 Posted June 18, 2017
Hi, I have a huge problem: a ransomware got into my unRAID server. The server holds the company's databases, so it can't be deleted.
Note:
- The "Last edited by" tag is nobody/UNIXUSER (same as the "Created by" tag).
- The docker.img file, which I DID NOT share via SMB or Samba, got encrypted.
The ransomware: here is the ransom text
*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]
Your personal ID: 979896082
So my conclusion is the ransomware must be running in unRAID, or it was (it isn't running now; I used ps -ef and I did not find any weird processes).
If anyone knows how to decrypt this, please help. Thank you
BRiT Posted June 18, 2017
Post up Diagnostics. I do not believe the ransomware is running ON unRAID, but is from a WinOS client PC or within a WinOS VM. The docker.img might be shared from the following shares, depending on how you configured them:
appdata -- mine is available as appdata/Docker/docker.img
cache -- mine is available as cache/appdata/Docker/docker.img
disk# -- if you have your docker.img stored on an array disk, then it might be disk1/appdata/Docker/docker.img
Siwat2545 Posted June 18, 2017 (Author)
Mine is shared at /mnt/user/system and it is not shared.
Siwat2545 Posted June 18, 2017 (Author)
Ok
Squid Posted June 18, 2017
27 minutes ago, Siwat2545 said: So my conclusion is the ransomware must be running in unRAID, or it was (it isn't running now; I used ps -ef and I did not find any weird processes).
Very unlikely. A ransomware author isn't going to bother directly targeting an unRAID server, as it will be far more lucrative to target a Windows or Mac system or your mobile devices. Pull the network cables to ALL networked devices to physically isolate them from each other. Google, Google, and Google again for what to do.
Side note: there is a Ransomware Protection plugin which *may* (or may not) have stopped the damage to the server.
Siwat2545 Posted June 18, 2017 (Author)
Yup, just installed it after the damage happened... getting diagnostics. Also, I think it is targeting Unix, not unRAID.
Siwat2545 Posted June 18, 2017 (Author)
Because all my .vhdx, .sql, .msdb and other related server environment files are the only ones that got encrypted, and I don't think, with my 10 gigabit connection limited to 5 Gbps per user by pfSense, all the files would get encrypted in just 10 hours.
Siwat2545 Posted June 18, 2017 (Author)
Update: I forgot the VMs, because VMs have a high-speed transfer rate to the unRAID server.
Siwat2545 Posted June 20, 2017 (Author)
Help, update: it just got into the unRAID boot drive.
Siwat2545 Posted June 20, 2017 (Author)
It is totally running in unRAID.
JorgeB Posted June 20, 2017
The flash drive is a network share, e.g.: \\tower\flash
Siwat2545 Posted June 20, 2017 (Author)
Oh. Then how can I get my license key back?
Siwat2545 Posted June 20, 2017 (Author)
I need to reconsider security now...
Frank1940 Posted June 20, 2017
As I understand it, these programs can access mapped drives as easily as they can a directory/folder on the local hard drives. (I have heard of a local county government that got hit, and it was their servers being attacked by a Windows computer in their own offices.)
1 minute ago, Siwat2545 said: Oh. Then how can I get my license key back?
That is easy, see here: https://lime-technology.com/replace-key/ If you have an issue, there is a contact address at the bottom of this page. LimeTech has a reputation for being very fair with their customers.
Siwat2545 Posted June 20, 2017 (Author)
My worry is that a replacement key can only be issued once a year, and I still can't identify which of the machines has the ransomware on it. Therefore, if the USB drive gets encrypted again, I won't be able to use unRAID for a year unless I get a new key.
Frank1940 Posted June 20, 2017
10 minutes ago, Siwat2545 said: I need to reconsider security now...
You have a VM running on a corporate server? You certainly do. This is not the way to save four hundred dollars. In fact, you should not have shared the Flash Drive as a Public share.
2 minutes ago, Siwat2545 said: My worry is that a replacement key can only be issued once a year, and I still can't identify which of the machines has the ransomware on it. Therefore, if the USB drive gets encrypted again, I won't be able to use unRAID for a year unless I get a new key.
Shut the network down completely and start googling from a single trusted computer with all sharing turned off. Find out the name of the processes that do this encrypting and start checking every computer in the facility until you find the one(s) with that process running. You may get lucky and find a key that will unlock your files. (Apparently, some of these guys were lazy and reused the keys...)
Most users have found that LimeTech treats its customers very fairly. You might have to present your case to them, but they have treated most folks very, very well and on a timely basis.
I suspect some employee/officer got 'social engineered' and turned this beast loose. You need to re-instruct folks about security and look at what you are doing. (I personally think that running a VM (or even a Docker with outside access) on a corporate server is not an ideal way to save a few bucks. The less stuff that is running on your servers, the easier it will be to secure them.) You also need to determine who needs r/w privileges versus read-only access and implement that. And stop sharing the Flash Drive...
Siwat2545 Posted June 20, 2017 (Author)
Well, I feel dumb. I have the data backed up from 3 months ago, safely stored in a Google Cloud big data container, but I did not back up the flash boot drive. I am contacting unRAID right now. I am going to mark this as solved when the server accepts the key. Thank you all for your help,
Siwat Sirichai
SSD Posted June 20, 2017
The license key would be the last thing I'd be worried about if this were to happen to me. The very first thing I would do upon realizing I had ransomware on my server is to power it down. That is me, but I'd rather deal with a dirty shutdown than give the virus more time. I'd do the same with any Windows workstation. It's like having a tiger in the house. I'd want to shut every door. You need one machine to be able to Google for research. Even a tablet or smartphone might suffice.
Unlike a normal Linux or Windows environment, unRAID completely reinstalls the OS into memory with every boot. You should be able to rebuild a new USB stick and reboot. Don't run any Dockers, VMs, etc. Seems impossible that ransomware would survive that. unRAID seems the easiest to clean vs. a Windows or regular Linux box with a persistent OS install.
I want to reiterate that it is much more likely that a ransomware attack would occur through an infected Windows machine and get to unRAID through unRAID's Samba shares. The flash disk IS a Samba share. After shutting down the unRAID server, I would go hunting for a Windows box that is infected. We know that unRAID is vulnerable to such an attack through Samba. We have never seen one of these (until now, possibly). (An aside: I keep all of my media shares as read-only Samba shares to prevent being exposed.)
There is an old expression: when you hear hoofbeats, think horses, not zebras. Attacking unRAID would not be very profitable given the small user base. It might be possible for a generic Linux strain to do so, but it seems very unlikely. This is the zebra, IMO. It could be a zebra, but nothing I've seen so far convinces me. Which leads me to believe, Siwat, that you have another infected computer that you haven't found.
A few questions for Siwat...
1 - Are you running any VMs on unRAID? A Windows VM is just like a Windows computer. It can infect unRAID, and probably do more damage faster than a network-connected Windows box.
2 - Have you checked each and every Windows box for signs of the virus?
3 - Are you running any Dockers on unRAID? Anything recently installed or updated?
4 - Is your server exposed to the Internet for external access? If so, how?
I do not envy you the next few days sorting this out. But please keep us updated on the steps you are taking. We may be able to provide some general guidance and suggestions; I am not aware of anyone on the forum with specific experience with this issue.
Siwat2545 Posted June 20, 2017 (Author)
First, yes, I have a few Ubuntu VMs but no Windows VM. Second, I have checked around 50% of the PCs connected to the server; they seem clean. Third, yes, we recently upgraded the MySQL Docker. Fourth, it is exposed through OpenVPN.
trurl Posted June 20, 2017
3 hours ago, Siwat2545 said: I have checked around 50% of the PCs connected to the server
You should disable access to the server for ALL PCs until they have ALL been checked.
S80_UK Posted June 20, 2017
9 hours ago, Siwat2545 said: ...Fourth, it is exposed through OpenVPN.
Obvious question: Have you disabled the VPN connection?
Less obvious question: What is the OpenVPN a connection to? Folks use VPNs in many different ways, so I don't want to make assumptions or generalisations, but if anything at the other end of the connection has write access to shares then it can do damage. Does anything at the other end of the VPN have an exposed connection to the Internet?
Siwat2545 Posted June 21, 2017 (Author)
I have disabled it temporarily for security. Until I have made sure all the clients are clean I won't enable it, and I will start an OpenVPN in a virtual network, open a Samba service on Ubuntu, put some bait files in it and see who encrypts them. Also, OpenVPN is only available to Level 4 employees, which is only 16 people. The other end of the VPN is a VPN router at my home so I can access the network (only turned on when needed), and the other 16 nodes I will ask them.
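One way to carry out the bait-file plan in the post above, and Frank1940's earlier advice to find the machine doing the encrypting, as an added example that is not code from this thread, from Unraid or from Samba. It assumes the Samba vfs_full_audit module is turned on for the shares with the smb.conf settings listed in the docstring (an assumption about the server's configuration, not something the thread shows), plants canary files whose SHA-256 is recorded, and reads the audit log to name the client IP and NetBIOS name that wrote to a canary or renamed files with a new extension appended, which is how the writes reach the server over SMB even when ps -ef on unRAID shows nothing. The canary names, hosts, IPs and log lines are constructed for the example.

```python
"""Attribute SMB writes to client machines and catch tampering with bait files.

Added example, not code from the thread, Unraid or Samba. It assumes the
Samba vfs_full_audit module is enabled on the shares with these (assumed)
smb.conf settings, so every successful write, rename and unlink is logged
with the client's IP and NetBIOS name:

    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = pwrite write renameat rename unlinkat unlink
    full_audit:failure = none

Audit lines then look like
    smbd_audit: user|client-ip|client-name|share|op|ok|arg[|arg]
The canary paths, hosts and log lines below are constructed, not real.
"""
import hashlib
import math
import re
from collections import defaultdict

# Bait files planted on the shares as (share, path relative to the share root);
# the names are hypothetical.
CANARY_FILES = {
    ("system", "_canary_do_not_open.docx"),
    ("appdata", "zz_invoice_2017.xlsx"),
}

AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<host>[^|]*)\|"
    r"(?P<share>[^|]*)\|(?P<op>[^|]*)\|(?P<status>ok|fail)\|(?P<args>.*)$"
)
WRITE_OPS = {"pwrite", "write", "unlinkat", "unlink"}   # old and new Samba op names
RENAME_OPS = {"renameat", "rename"}


def parse_audit_line(line):
    """Return the fields of one smbd_audit line, or None for any other syslog line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = ev["args"].split("|")   # rename logs old|new, other ops log one path
    return ev


def shannon_entropy(data):
    """Bits per byte: documents sit well below 7.5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def canary_tampered(expected_sha256, current_bytes):
    """(changed, looks_encrypted): whether a bait file no longer matches its
    recorded hash, and whether the new content looks like ciphertext rather
    than an ordinary edit."""
    changed = hashlib.sha256(current_bytes).hexdigest() != expected_sha256
    encrypted = changed and len(current_bytes) >= 256 and shannon_entropy(current_bytes) > 7.5
    return changed, encrypted


def suspicious_clients(audit_lines, canaries=CANARY_FILES, max_renames=20):
    """Score every SMB client seen in the audit log. A client is flagged when it
    wrote to or renamed a canary, appended a new extension while renaming (the
    usual ransomware pattern), or renamed more than max_renames files."""
    stats = defaultdict(lambda: {"host": "", "writes": 0, "renames": 0,
                                 "canary": 0, "added_ext": set()})
    for line in audit_lines:
        ev = parse_audit_line(line)
        if ev is None or ev["status"] != "ok":
            continue
        s = stats[ev["ip"]]
        s["host"] = ev["host"]
        if ev["op"] in WRITE_OPS:
            s["writes"] += 1
        elif ev["op"] in RENAME_OPS:
            s["renames"] += 1
            old, new = (ev["args"] + [""])[:2]
            if new.startswith(old + "."):
                s["added_ext"].add(new[len(old):])
        if any((ev["share"], p) in canaries for p in ev["args"]):
            s["canary"] += 1
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["canary"]:
            reasons.append("touched canary file")
        if s["added_ext"]:
            reasons.append("appended extension " + ",".join(sorted(s["added_ext"])))
        if s["renames"] > max_renames:
            reasons.append("mass rename")
        if reasons:
            flagged[ip] = {"host": s["host"], "reasons": reasons}
    return flagged


# Constructed audit lines: one healthy workstation, one behaving like ransomware.
SAMPLE_LOG = """\
Jun 20 03:11:58 tower smbd_audit: alice|192.168.1.23|WS-ACCT-03|share|pwrite|ok|report.xlsx
Jun 20 03:12:01 tower smbd_audit: nobody|192.168.1.55|WS-07|system|pwrite|ok|docker.img
Jun 20 03:12:02 tower smbd_audit: nobody|192.168.1.55|WS-07|system|renameat|ok|docker.img|docker.img.locked
Jun 20 03:12:03 tower smbd_audit: nobody|192.168.1.55|WS-07|system|pwrite|ok|_canary_do_not_open.docx
Jun 20 03:12:04 tower smbd_audit: nobody|192.168.1.55|WS-07|system|renameat|ok|_canary_do_not_open.docx|_canary_do_not_open.docx.locked
Jun 20 03:12:05 tower smbd_audit: bob|192.168.1.40|WS-ENG-11|share|pwrite|fail|report.xlsx
Jun 20 03:12:06 tower kernel: eth0: link is up
""".splitlines()

if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG).items():
        print(ip, info["host"], "->", "; ".join(info["reasons"]))
```

Against the constructed log the script names 192.168.1.55 (WS-07) for both touching a canary and appending ".locked" during renames, while the workstation whose write failed is not flagged. On a real server, pass the open audit log file to suspicious_clients instead of SAMPLE_LOG (where full_audit's output lands depends on the syslog configuration, so the path is site-specific), and compare canary_tampered against the hash recorded when the bait files were planted; a "nobody" user on a public share, as in the "Last edited by" tag in the first post, still carries the client IP in the audit line, which is the field that tells you which cable to pull.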