Ransomware Issue



My home server was hacked last night with the arrow ransomware attack. I'm a little more than pissed to say the least, but will make the best of it in trying to recover what I can.

 

From what I can figure out so far, and it's my own fault...

 

I run everything via VMs inside an ESXi host.

One of those machines was a Win7 machine I used for downloading media and stupidly allowed RDP port forwarding to, albeit on a very obscure 5-digit port number. I should have just stayed with a VPN to connect remotely.

 

I believe that machine was brute-force RDP attacked.

That machine had a network connection to my unraid shares.

 

So both that VM and all of my unraid data was hit with the ransomware and is encrypted with the arrow ransomware.

 

But what I do not understand is how my UnRaid Flash/USB system files also got hit. That is not a public share on the Windows machine, or at least I do not remember it being that way. It was never mapped to the Windows VM.

 

So, besides being pissed off, step 1 for me in unraid is likely going to be reinstalling Unraid from scratch, and I honestly probably do not have a copy of my Pro.key. I will check when I get home as I may have it on a USB external backup on a different unconnected machine.

 

After that, I plan to likely pull all existing drives (7 HDs) and put them on a shelf until possibly a way comes to decrypt this arrow ransomware..... which doesn't look promising.

 

I'll also be removing that Windows VM and redoing that one from scratch as well. My ESXi bare metal and datastores all look fine to rebuild the VM, and my other Ubuntu VMs that were not networked to this Windows VM also appear OK.

 

So, for me, step 1: if I can't locate my Pro.key, is there a way to recover it?

 

Link to comment

Well, I searched my home PC that was not affected, thinking I had a backup there from past upgrades, but can't find it. And it's been at least 5+ years running unraid and I can't seem to find the old emails that may have had my key.

 

I'm going to email limetech and hope they have some pity on me. I've already lost/have 7TB of data hijacked by ransomware, and am still not sure exactly how it happened. At least my other PCs were not connected to that VM and I can operate somewhat.

 

What's 'worse' also is that the VM that got infected also had shared drives to my OpenHab server. So now half my home automation stuff is screwed up too. All I can do is hope for something in the future that can help in decrypting these files.

Link to comment

I normally split my file storage into writable and non-writable shares.

 

So the Windows machines may have an "upload" folder where they can add files to the servers.

Then I move the files out of the upload folders into their final locations, where they are treated as "archived" files. So hacked client machines can't destroy these files using file share accesses. The only way to destroy them is to hack the file servers directly. And the file servers aren't allowed to run any programs on any data disks, so server attacks need to go for vulnerabilities in services or in login account credentials.

 

In some situations I may have semi-writable shares, where clients can add new files. But every night, a script locks down the access rights of any added files. So editing an existing document means making a copy of it, giving it a new revision name. And the next night, that revision gets locked down and can't be edited again, unless I make an ssh shell access to the server and unlock it for one more day of editing.

 

This greatly reduces the attack vectors available in case any client machine gets infected by something nasty. And it gives a good protection from accidental overwrites/deletes.

Link to comment

This is how I implemented the first idea that @pwm suggested.

 

     https://lime-technology.com/forums/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532

 

 

I have been using it for over a year now and it is very usable.

 

There is also the ransomware protection plugin and the support thread is here:

 

   https://lime-technology.com/forums/topic/50737-plugin-ransomware-protection/

 

              (EDIT:  note that this ransomware protection plugin has now been deprecated and is not being supported.)  

 

Of course, all of this is too late for you, but hopefully other users will realize that the risk is still around and take appropriate precautions. Plus, it is always a good idea to have another backup of your irreplaceable data stored in an offsite location that is totally isolated from the Internet. (Like a hard drive in a safety deposit box...)

Edited by Frank1940
Link to comment
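As an added illustration of the nightly lock-down that pwm describes and that Frank1940's write-once-read-many setup builds on: the script below is example code written for this page, not pwm's actual script, Frank1940's implementation, or the deprecated ransomware protection plugin. It assumes a POSIX shell on the server, a `find` that understands `-mmin` (GNU, BSD and busybox all do), and an illustrative share path of `/mnt/user/upload`. Files that clients dropped into the share and that have sat untouched for a grace period lose their write bits, so an infected SMB client can no longer overwrite or encrypt them; the only way back to writable is `unlock_for_edit`, run by an administrator on the server itself, and the next nightly run locks the file again.

```shell
#!/bin/sh
# Added example (not the posters' code): nightly lock-down of a semi-writable
# share, as described in the thread. Share path and schedule are illustrative.

# lock_share DIR MIN_AGE_MINUTES
# Strip all write permission from every regular file under DIR whose content
# has not changed for at least MIN_AGE_MINUTES, so an upload still in progress
# is not locked half-way. Files already read-only are skipped. Prints each
# file it locked, one per line, so the cron mail doubles as an audit log.
lock_share() {
    dir=$1
    age=${2:-30}
    # -perm -0200: only files that still carry the owner write bit
    find "$dir" -type f -mmin +"$age" -perm -0200 -print | while IFS= read -r f; do
        chmod a-w "$f" && printf '%s\n' "$f"
    done
}

# unlock_for_edit FILE
# The one sanctioned way to make an archived file writable again: run by an
# administrator over ssh on the server, never from an SMB client. Because the
# file's mtime is still old, the next lock_share run re-locks it, which gives
# the "one more day of editing" behaviour described above.
unlock_for_edit() {
    chmod u+w "$1"
}

# is_locked FILE -> exit status 0 if no write bit is set for anyone.
# Uses ls rather than test -w, because test -w always succeeds for root.
is_locked() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Illustrative root crontab entry on the file server (path is an assumption):
#   30 2 * * * /usr/local/sbin/lock_share.sh --run /mnt/user/upload 60
if [ "${1:-}" = "--run" ]; then
    lock_share "$2" "${3:-60}"
fi
```

Note what this does and does not protect against: it stops a compromised client from modifying or encrypting files through the share, which is exactly the path the original poster's Windows VM used, but it does nothing against an attacker who gets a shell on the server itself, which is why pwm pairs it with not letting the server execute anything from the data disks, and why Frank1940 still recommends an offline copy.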
