Has anyone successfully gotten their unraid back after Ransomware?



I just got hit with ransomware. Everything, all 16TB, encrypted. Has anyone here been successful in paying the ransom? I don't even know who got me. The file name is WHERE ARE YOUR FILES READ ME (ÐÐРТÐÐРФÐÐÐЫ, ÐÐ ÐЧÐТÐÐ ÐÐÐЯ).txt

Not sure how it got me. I have 80 and 443 open but secured. 


I don't know if anyone has ever recovered anything, but iirc the method of infection has been from other pcs on the LAN encrypting the smb shares on Unraid rather than direct infection of Unraid itself.

 

Sorry to hear about it, that really does suck....


So, I have a Windows PC by itself and an ubuntu-server VM on UNRAID. I'm assuming it came from my Windows PC. I run as a non-privileged user in Windows so my Windows machine didn't get infected, but unraid did. Also, my boot got encrypted, which makes it odd that it would come from a different PC now that I think about it.


Really, really sorry to hear this. This was my personal nightmare a while ago. Not only was I concerned that an attack could come from my own machine but from any (Windows) machine on my network used by my family or guests. Since then I have done the following to prevent/reduce the likelihood of this happening (I hope): 

  1. Do not export any disks, only the shares I need to.
  2. Created a special user that is the only one allowed to write to the shares.
  3. Make all shares read-only with the exception of this special user (except a Public share folder writeable by everybody).
  4. Have my backup program (Syncovery) perform the backups of my Windows machines with the special user's rights. I trust that an attacker will not find the login information buried deep inside of the backup program. Syncovery has a ransomware detection that detects if data has changed massively in a directory and refuses to copy.
  5. When I need to perform small copy jobs I copy the data to the Public share, then telnet into unRaid and copy the data over to where I need it.
  6. On my Windows work machine, created a separate Windows user identical to the special user on unRaid.
  7. When I need to work on the array data I open a Windows session with the special user and refrain from any surfing.

It's a bit of work but this way I am feeling confident that my data is safe from a ransomware attack.

 

Independent of unRaid I am backing up my most important personal data with Crashplan which only writes changes and has versioning. 

 

I hope you will find a way to get your data back and that the description above helps you to secure your data for the future.

 

All the best!

 

Tazman

3 hours ago, brianbrifri said:

Also, my boot got encrypted, which makes it odd that it would come from a different PC now that I think about it.

Sounds like the ransomware looked for ANY share, hidden or not, on the network with write privileges from the infected machine and attacked it.

/boot is shared as \\tower\flash by default.


Also, your best bet for recovery is probably to file those disks away untouched, and keep looking around at the ransomware recovery sites in hopes that someone cracks the encryption for your specific version.

https://noransom.kaspersky.com/

https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

https://heimdalsecurity.com/blog/ransomware-decryption-tools/

 

5 hours ago, brianbrifri said:

I have 80 and 443 open but secured.

Are you saying those ports show the unraid webGUI to the outside world? I don't know of a way that ransomware would attack that way, but it's not recommended to expose unraid directly, passworded or not.


You might want to read through this thread which was generated back when ransomware was the 'topic of the day' everywhere:

 

https://lime-technology.com/forums/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532

 

Of course, in your case that horse has left the barn... Do a Google search. There were a few attacks where the perpetrators did not generate a new encryption key for every infection and some of those keys have been posted up. Not much hope, but there is always a possibility that you will find one that works.

 

2 hours ago, tazman said:

Have my Backup program (Syncovery) perform the backups of my Windows machines with the special user rights.

 

How do you manage this?
The SMB protocol only allows a single login between two machines.

Are you giving your unRAID machine two names, or are you connecting using both IP number and name?

 

And will your backup program perform a logout when done? Because a spy program enumerating all shares will happily find the Syncovery session too.

 

I always use a client-server backup solution where the backup client in the Windows machine uses an SSL tunnel to talk with the backup server. And only the server itself has any access right to the server machine. When ripping movies etc., I normally have the server mount the Windows share to draw data. And if Windows needs access to a read/write document directory, then the ownership of the files on this share is changed every night to lock down existing files. So if I need to edit a Word document, I need to create a new copy to edit. And next night, this copy will also be locked. So almost a WORM storage.

2 hours ago, jonathanm said:

Also, your best bet for recovery is probably to file those disks away untouched, and keep looking around at the ransomware recovery sites in hopes that someone cracks the encryption for your specific version.

 

The "good" ransomware programs create unique encryption keys for each attacked installation. With public-key encryption, the ransomware program can then encrypt the encryption key and send it out to a master machine. Only the master machine has the secret key to decrypt this message and extract the hostage key. So even if you have a recording of the network communication the key can't be extracted.

 

So someone needs to crack the public-key encryption - or someone needs to hack the master machine and extract the private key.

 

Some older "good" ransomware programs were buggy and incorrectly encrypted in a way that not even the master could decrypt. I think these buggy ransomware programs have been removed from the market - it gives a bad reputation (as if any ransomware could have a good reputation) to run ransomware and not be able to decrypt if the user pays. Too many users making it known that paying isn't meaningful kills the market.

7 hours ago, tazman said:

Really, really sorry to hear this. This was my personal nightmare a while ago. Not only was I concerned that an attack could come from my own machine but from any (Windows) machine on my network used by my family or guests. Since then I have done the following to prevent/reduce the likelihood of this happening (I hope): 

  1. Do not export any disks, only the shares I need to.
  2. Created a special user that is the only one allowed to write to the shares.
  3. Make all shares read-only with the exception of this special user (except a Public share folder writeable by everybody).
  4. Have my backup program (Syncovery) perform the backups of my Windows machines with the special user's rights. I trust that an attacker will not find the login information buried deep inside of the backup program. Syncovery has a ransomware detection that detects if data has changed massively in a directory and refuses to copy.
  5. When I need to perform small copy jobs I copy the data to the Public share, then telnet into unRaid and copy the data over to where I need it.
  6. On my Windows work machine, created a separate Windows user identical to the special user on unRaid.
  7. When I need to work on the array data I open a Windows session with the special user and refrain from any surfing.

It's a bit of work but this way I am feeling confident that my data is safe from a ransomware attack.

 

Independent of unRaid I am backing up my most important personal data with Crashplan which only writes changes and has versioning. 

 

I hope you will find a way to get your data back and that the description above helps you to secure your data for the future.

 

All the best!

 

Tazman

Thanks for the tips! I'll be reviewing this upon my rebuild of unraid

6 hours ago, Frank1940 said:

You might want to read through this thread which was generated back when ransomware was the 'topic of the day' everywhere:

 

https://lime-technology.com/forums/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532

 

Of course, in your case that horse has left the barn... Do a Google search. There were a few attacks where the perpetrators did not generate a new encryption key for every infection and some of those keys have been posted up. Not much hope, but there is always a possibility that you will find one that works.

 

I like. Even though my windows pc is hardened, it did not occur to me that it could still be used as an entry point to my other systems.

3 hours ago, brianbrifri said:

Ya, I'm thinking that... Does this require a wipe of my Windows PC then to prevent further attacks? I don't even know which malware this is.

 

I'm probably not the best person to ask as I don't use Windows, I'm afraid...


Start by running a full scan of your computer using whatever anti-virus/malware software that you currently use. There is a set of Microsoft tools that uses more than fifty antivirus databases to detect installed software that you can find here:

 

https://www.csoonline.com/article/2883958/malware/malware-detection-in-9-easy-steps.html

 

You want to be careful that you look at the names of files that it finds. Random-looking names should be high on your suspect list. Programs without publishers are another red flag. Remember that Google is your friend. Search on anything funny that you find and see what the search finds.

 

Also look into using something like Malwarebytes and Kaspersky software if you don't find anything. They both used to have free software packages that you could download.

7 hours ago, pwm said:

 

The "good" ransomware programs create unique encryption keys for each attacked installation. With public-key encryption, the ransomware program can then encrypt the encryption key and send it out to a master machine. Only the master machine has the secret key to decrypt this message and extract the hostage key. So even if you have a recording of the network communication the key can't be extracted.

 

So someone needs to crack the public-key encryption - or someone needs to hack the master machine and extract the private key.

 

Some older "good" ransomware programs were buggy and incorrectly encrypted in a way that not even the master could decrypt. I think these buggy ransomware programs have been removed from the market - it gives a bad reputation (as if any ransomware could have a good reputation) to run ransomware and not be able to decrypt if the user pays. Too many users making it known that paying isn't meaningful kills the market.

 

In several cases the keys have been released, e.g. https://www.ifsecglobal.com/rundown-ransomware-master-keys-released/

 

7 minutes ago, pwm said:

 

Yes, I have seen it. I'm mostly curious about how/why these keys have been published. If the hackers have been hacked by other hackers or if security agencies have been involved.

 

As I said, there were some instances where the perpetrators did NOT use unique keys for every instance of their software. (I would estimate that about 1% of the folks infected will pay...) Someone paid for a key to unlock their files and it was later found to work in other cases where that same encryption key was used.

3 minutes ago, Frank1940 said:

 

As I said, there were some instances where the perpetrators did NOT use unique keys for every instance of their software. (I would estimate that about 1% of the folks infected will pay...) Someone paid for a key to unlock their files and it was later found to work in other cases where that same encryption key was used.

 

Note that the keys in the linked article are mostly master keys, and not the symmetric keys that are used for the actual file encryption.

 

But the symmetric keys created by a number of these ransomware applications have been cracked because they have been generated with bad random data - so lots of encrypted files have been possible to decrypt without ever having access to the master key. With a 128-bit symmetric key generated with a known 32-bit pseudo-random generator, it's possible to crack the key almost instantly.

 

This is similar to the LUKS encryption that unRAID supports - the LUKS header contains a volume-local symmetric encryption key. But the volume crypto key itself has been encrypted and requires a passphrase or key file to be unlocked. So the LUKS security depends not only on the passphrase or key file being strong. It also depends on the volume encryption key having been generated using cryptographically strong random data. If I can predict the random generator, then I don't need to care about the LUKS passphrase or key file to attack the volume encryption.

 

The world is full of programs that use getpid() and/or time() to seed the standard random generator and then keep calling rand() until they have enough data for their encryption key. By disassembling the ransomware applications, the security researchers can see how the programs generated their keys and whether it's possible to duplicate the data used when the keys were generated.
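As an added illustration of the point above about keys seeded from time()/getpid() (example code written for this page, not from any post in the thread or from unRAID), a toy 32-bit LCG stands in for rand(), XOR stands in for the real file cipher, and the sample file and infection timestamp are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_BYTES 16

/* Toy 32-bit LCG standing in for libc rand(): the constants are irrelevant,
   what matters is that every key byte follows from one 32-bit seed. */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state >> 24;
}

/* Weak key generation as the thread describes: seed once, then pull key bytes. */
void weak_keygen(uint32_t seed, uint8_t key[KEY_BYTES]) {
    uint32_t st = seed;
    for (int i = 0; i < KEY_BYTES; i++) key[i] = (uint8_t)lcg_next(&st);
}

/* Toy file "encryption": XOR with the repeating key (stand-in for a real cipher). */
void xor_crypt(const uint8_t key[KEY_BYTES], uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % KEY_BYTES];
}

/* Researcher's step: known_len predictable plaintext bytes (a format header)
   reveal that many key bytes; scan seeds lo..hi (timestamps around the
   infection) for one that reproduces them. Returns 1 and sets *found, else 0. */
int recover_seed(const uint8_t *ct, const uint8_t *known_pt, size_t known_len,
                 uint32_t lo, uint32_t hi, uint32_t *found) {
    uint8_t frag[KEY_BYTES], cand[KEY_BYTES];
    if (known_len > KEY_BYTES) known_len = KEY_BYTES;
    for (size_t i = 0; i < known_len; i++) frag[i] = ct[i] ^ known_pt[i];
    for (uint32_t s = lo; ; s++) {
        weak_keygen(s, cand);
        if (memcmp(cand, frag, known_len) == 0) { *found = s; return 1; }
        if (s == hi) break;   /* explicit bound avoids wrap at UINT32_MAX */
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a PDF-like file "encrypted" at seed 1530000000 (a Unix time). */
    const uint8_t hdr[8] = {'%','P','D','F','-','1','.','4'};
    uint8_t key[KEY_BYTES], file[32];
    uint32_t seed = 0;
    memcpy(file, hdr, 8); memset(file + 8, 'A', 24);
    weak_keygen(1530000000u, key);
    xor_crypt(key, file, sizeof file);
    /* Knowing the infection day narrows the search to about 86k seeds. */
    int ok = recover_seed(file, hdr, 8, 1530000000u - 43200, 1530000000u + 43200, &seed);
    printf("recovered=%d seed=%u\n", ok, seed);
    return 0;
}
```

The defensive takeaway is the same one made for LUKS above: key material must come from the kernel CSPRNG (/dev/urandom or getrandom()), so that the search space is the full 128 bits rather than a day's worth of timestamps.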

10 minutes ago, pwm said:

 

Yes, I have seen it. I'm mostly curious about how/why these keys have been published. If the hackers have been hacked by other hackers or if security agencies have been involved.

 

I think some of both. I recall in one case you could send a security company an encrypted file and they would send back the encryption key for free, if possible. Regardless of how the keys are obtained, I think it's worth sitting on the drives if possible, just don't expect any miracles to happen quickly.

1 minute ago, WashingtonMatt said:

I think it's worth sitting on the drives if possible

 

Yes, most definitely. Deleting the encrypted files is only a good idea if there is a backup of unencrypted files or if the content is so irrelevant that it doesn't matter if the files are lost.

 

Now and then, the police manage to catch hackers. So even if someone doesn't hand over keys for free, there are always chances that more keys will be found out.

16 minutes ago, pwm said:

 

Yes, most definitely. Deleting the encrypted files is only a good idea if there is a backup of unencrypted files or if the content is so irrelevant that it doesn't matter if the files are lost.

 

Now and then, the police manage to catch hackers. So even if someone doesn't hand over keys for free, there are always chances that more keys will be found out.

Dang. Getting hacked is expensive. Drives will cost more than ransom :( 
