Has anyone successfully gotten their unraid back after Ransomware?



I know this isn't much (as in none) consolation, but hey, now you can start over and organize your new files the way you wish. At least your stuff is physically intact, as opposed to destroyed by a flood or fire.

 

I've been there, done that with data loss, and it's no fun, but in the grand scheme of life it really doesn't mean that much.

 

Now you have a very clear picture of what you want to prioritize when it comes to data and backup.

 

Also, hopefully you can find this quote at least a tiny bit funny.

http://www.webcitation.org/6P8EBZqQX

(Only wimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)

Linus

(Linus Benedict Torvalds (born 28 December 1969) is a Finnish-American computer programmer, best known as the creator of the Linux kernel. )

 

16 minutes ago, jonathanm said:

I know this isn't much (as in none) consolation, but hey, now you can start over and organize your new files the way you wish. At least your stuff is physically intact, as opposed to destroyed by a flood or fire.

 

I've been there, done that with data loss, and it's no fun, but in the grand scheme of life it really doesn't mean that much.

 

Now you have a very clear picture of what you want to prioritize when it comes to data and backup.

 

Also, hopefully you can find this quote at least a tiny bit funny.

http://www.webcitation.org/6P8EBZqQX

(Only wimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)

Linus

(Linus Benedict Torvalds (born 28 December 1969) is a Finnish-American computer programmer, best known as the creator of the Linux kernel. )

 

Hah!! Nice quote. And ya, I care nothing for my TV shows and movies but only for my GoPro videos. Will be taking my time and doing things right from the beginning this time 


I recommend that you look for some cheap, external, USB drives where you copy a backup of all important files.

 

Preferably use two sets of USB drives so you transport one set to your job or some relative and then bring back the other set and refresh the content with all new files since the last backup.

 

You really do want off-site backups of important data - and it's hard to beat the storage costs of using USB drives.


Soooo I just realized something. This ransom note says we moved your files to an online store. NOT that they were encrypted. In complete honesty, those words meant "encrypted" to me and it did not occur to me at all that it was not encryption. The shock of it all made me not read clearly. I'm wondering if it was just the OS?? Maybe my files are still there? I had 16tb of files. Would they remove them all? I do have gigabit up for my network so it wouldn't take TOOO long for them all to be gone.

 

Also, can you read an unraid array drive in a pc? Will it show up as a drive? I did try putting a drive in my PC to see if I could read anything off of it but it did not show up in the drive list... Hmmm further research is necessary 


Attached is the actual ransom note...I was given a ransom note... :(  lol anyway. There are also a couple of other random files (picture of them attached). The config files are still there though. This is kinda weird. Maybe I caught them in the middle of their upload?

 

WHERE ARE YOUR FILES READ ME (��� Т��� Ф���Ы, �Р�Ч�Т�� ���Я).txt

unraidConfig.PNG


Can you post the content of docker.cfg? It should just be a plain text file.

 

Do you have a list of your drive assignments? I think it would be useful to set up a trial key and assign your drives just to see exactly what shows up.

 

Uploading that volume of files to a server someplace doesn't strike me as productive for the scammers.

1 minute ago, jonathanm said:

Can you post the content of docker.cfg? It should just be a plain text file.

 

Do you have a list of your drive assignments? I think it would be useful to set up a trial key and assign your drives just to see exactly what shows up.

 

Uploading that volume of files to a server someplace doesn't strike me as productive for the scammers.

Just did that. Looks like they didn't get quite EVERYTHING but all the stuff I really wanted back is gone aka gopro videos and home videos. Actually, my entire cache drive is intact. 

5 hours ago, jonathanm said:

Uploading that volume of files to a server someplace doesn't strike me as productive for the scammers.

 

I can only agree. Supplying hosting space for storing kidnapped files means the ransomware criminals bind lots of resources and cannot scale their attacks. Using the client system to encrypt in-place on the other hand binds zero resources and allows an almost infinite scaling.

 

Another issue is that it is quite easy to keep a small, anonymous, server for payment and for encryption key management. But it's hard to supply real cloud capacity without being traceable. And an upload attack only works on people who have enough bandwidth - while the attacker can't know if they consume resources by attacking a user who has proper backups and will not pay for file release.

 

So priority one must be to secure the installation and priority two should be collecting as much forensic data as possible about what did happen. None of the steps must obviously be allowed to write to the data disks to avoid worsening the chances of data recovery.

  • 1 month later...

Just a quick update for everyone. So,

  • I have my server back up and running (had my purchased key in my email).
  • All my appdata was untouched. This folder resided on the cache drive, not sure if that made a difference or not.
  • I am currently getting things back in working order (I did not do a format of the disks as they were not encrypted). 
  • I have removed all port forwarding except for 32400 -> 32400 for plex and am still getting login attempts to unraid. Not sure, one may have succeeded?
  • I installed the ssh and denyhosts plugins to help me mitigate this issue. Am moving to key only access.
  • I want to put my ubiquiti router in front of the wireless router from my ISP (Sonic) that is acting as the gateway. Could be there is some vulnerability with the firmware there?
  • Will be implementing a secure write user for unRAID as well

 

EDIT: I was traveling for a month right after this happened so I am just now finally getting to it!

Edited by brianbrifri
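The update above mentions moving SSH to key-only access. As an added example (not code from the thread, from Unraid or from the OpenSSH project), here is a small audit that reads an sshd_config, reports which standard OpenSSH directives still permit password logins, and returns a rewritten copy with key-only values. The sample config is constructed; the directive names and values are the standard OpenSSH ones, and the defaults table reflects what sshd assumes when a directive is absent. Directives inside a `Match` block are not handled.

```python
"""Audit an sshd_config for password-based access and emit a key-only variant.

Added example, not from the thread or the Unraid/OpenSSH projects.  It parses
the directive lines of an sshd_config, reports settings that still allow
password logins, and returns a rewritten copy with key-only values.
"""
import re

# Directive -> (acceptable values, value written when hardening).
# "prohibit-password" keeps root usable with a key only, which matters on a
# system where root is the only login account.
WANTED = {
    "PasswordAuthentication": ({"no"}, "no"),
    "PermitEmptyPasswords": ({"no"}, "no"),
    "PermitRootLogin": ({"no", "prohibit-password", "without-password"}, "prohibit-password"),
    "PubkeyAuthentication": ({"yes"}, "yes"),
    "ChallengeResponseAuthentication": ({"no"}, "no"),
}

# What sshd assumes when the directive is not present at all.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "prohibit-password",
    "PubkeyAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
}

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\S+)")


def parse(text):
    """Return {directive: value} for active (non-comment) lines.

    sshd honours the first occurrence of a directive, so later duplicates
    are ignored here too.  Match blocks are not modelled.
    """
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            settings.setdefault(m.group(1), m.group(2).lower())
    return settings


def audit(text):
    """Return {directive: effective_value} for every setting that still
    allows password-based or otherwise interactive authentication."""
    settings = parse(text)
    findings = {}
    for directive, (acceptable, _) in WANTED.items():
        value = settings.get(directive, DEFAULTS[directive])
        if value not in acceptable:
            findings[directive] = value
    return findings


def harden(text):
    """Rewrite the config so every WANTED directive carries its key-only
    value; directives that were absent are appended at the end."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and not line.lstrip().startswith("#") and m.group(1) in WANTED:
            directive = m.group(1)
            if directive in seen:
                continue  # drop later duplicates; first occurrence wins in sshd
            seen.add(directive)
            out.append(f"{directive} {WANTED[directive][1]}")
        else:
            out.append(line)
    for directive, (_, value) in WANTED.items():
        if directive not in seen:
            out.append(f"{directive} {value}")
    return "\n".join(out) + "\n"


# Constructed sample of a permissive sshd_config (not a real file from anywhere).
SAMPLE_CONFIG = """\
# constructed sample of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    print("weak settings:", audit(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```

Run the audit against the live config before and after the change; an empty result from `audit()` is the condition to check before re-enabling SSH on the server.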
1 hour ago, brianbrifri said:

Just a quick update for everyone. So,

  • I have my server back up and running (had my purchased key in my email).
  • All my appdata was untouched. This folder resided on the cache drive, not sure if that made a difference or not.
  • I am currently getting things back in working order (I did not do a format of the disks as they were not encrypted). 
  • I have removed all port forwarding except for 32400 -> 32400 for plex and am still getting login attempts to unraid. Not sure, one may have succeeded?
  • I installed the ssh and denyhosts plugins to help me mitigate this issue. Am moving to key only access.
  • I want to put my ubiquiti router in front of the wireless router from my ISP (Sonic) that is acting as the gateway. Could be there is some vulnerability with the firmware there?
  • Will be implementing a secure write user for unRAID as well

 

EDIT: I was traveling for a month right after this happened so I am just now finally getting to it!

 

If you still get login attempts on unraid, you have either another computer infected or you have not closed all ports. If they tried to login on the port for plex, the login attempts should be for plex. 

I guess the ubiquiti router has its own firewall? So use that. 

Just now, saarg said:

 

If you still get login attempts on unraid, you have either another computer infected or you have not closed all ports. If they tried to login on the port for plex, the login attempts should be for plex. 

I guess the ubiquiti router has its own firewall? So use that. 

I was thinking that too...The login attempts are through ssh.

I've checked my windows machine over and over but I guess a wipe wouldn't hurt. Assuming it doesn't persist through it
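The posts above ask whether the SSH login attempts are still arriving and whether one of them may have succeeded. As an added example (not code from the thread or from the Unraid project), here is a log summariser for the lines OpenSSH's sshd writes to syslog: it counts failed attempts per source address, lists every accepted login, and flags accepted logins from outside the private (RFC 1918) ranges, which is the first thing to look for when answering "did one get in?". The hostname `Tower`, the addresses and the fingerprint in the sample are constructed.

```python
"""Summarise sshd login activity from a syslog extract.

Added example, not from the thread or from Unraid.  It scans the message
formats sshd uses for failed and accepted logins, counts failures per source
address and flags accepted logins that did not come from a private range.
"""
import ipaddress
import re
from collections import Counter

# sshd message formats that matter here (the [preauth]/"Invalid user" lines
# precede a "Failed ... for invalid user" line, so only "Failed" is counted
# to avoid double counting).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port \d+"
)

# Explicit list instead of ipaddress.is_private, which also treats the
# documentation ranges (TEST-NET) used in the sample as private.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_external(addr):
    """True when addr is not in an IPv4 private, loopback or link-local range.
    Unparseable or IPv6 addresses are treated as external so they get looked at."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in PRIVATE_NETS)


def analyse(lines):
    """Return failed attempts per source, all accepted logins, and the subset
    of accepted logins that came from outside the LAN."""
    failed = Counter()
    accepted = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append({"user": user, "src": src, "method": method,
                             "external": is_external(src)})
            continue
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
    return {
        "failed_by_source": dict(failed),
        "accepted": accepted,
        "external_accepted": [a for a in accepted if a["external"]],
    }


# Constructed sample syslog lines (not a real capture).
SAMPLE_LOG = """\
Nov 12 03:14:07 Tower sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 03:14:09 Tower sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 03:14:12 Tower sshd[1240]: Invalid user admin from 198.51.100.7 port 40022
Nov 12 03:14:12 Tower sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Nov 12 03:15:00 Tower sshd[1250]: Accepted publickey for root from 192.168.1.10 port 50100 ssh2: RSA SHA256:constructedfingerprint
Nov 12 03:16:30 Tower sshd[1260]: Accepted password for root from 203.0.113.5 port 51300 ssh2
""".splitlines()

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("failed attempts by source:", result["failed_by_source"])
    for entry in result["external_accepted"]:
        print("ACCEPTED LOGIN FROM OUTSIDE:", entry)
```

Feed it the sshd lines from the server's syslog (read from a copy, not from the array) and treat any entry in `external_accepted` as a successful intrusion until proven otherwise: the method and timestamp tell you whether it was a password guess, which is exactly what key-only access removes.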

7 minutes ago, brianbrifri said:

I was thinking that too...The login attempts are through ssh.

I've checked my windows machine over and over but I guess a wipe wouldn't hurt. Assuming it doesn't persist through it

 

If you have the time, you could turn it off and see if you still get login attempts. It can be other devices also. 

You haven't managed to add your unraid in the dmz maybe? 

Just now, brianbrifri said:

Even if the logs show an external IP for login attempts, can that still indicate a local attacker?

Then it's most likely through your isp router the attack is coming. I'm no expert on this so might be wrong, but I guess some will correct me then 😶

 

I would add the ubiquiti router as fast as possible. 

4 hours ago, brianbrifri said:

My windows PC was off and my two Macs are in sleep mode...still getting login attempts

There is a strong possibility your ISP modem is compromised.

 

Can you do a hardware reset + reload defaults on it? I wouldn't open up ANY ports at the moment, getting your stuff secured is more important than serving external apps like plex.


I would also be looking at any devices that you have that are considered to be IOT devices that are using your network.  Many of them have little security (Some had outright security holes when they shipped that were never addressed!) and will never be updated with security fixes.  I would suggest that if you have any that you set up a 'separate' network and put them on it.  I would also suggest that you change the password on your WiFi access point and make that a complex password that is long and difficult to guess.  You may have someone who is poaching your Internet connection.   

 

The Ubiquiti Router is a very powerful router for home use. It can be set up with many features that you would find in a professionally administered router. It can be intimidating to set up for folks who have little to no networking experience. Here is a link to a tutorial on setting it up to provide a complex home network that is quite extensive in nature. You can easily pick and choose the parts that you need.

 

https://github.com/mjp66/Ubiquiti/blob/master/Ubiquiti Home Network.pdf

Edited by Frank1940
3 hours ago, jonathanm said:

There is a strong possibility your ISP modem is compromised.

 

Can you do a hardware reset + reload defaults on it? I wouldn't open up ANY ports at the moment, getting your stuff secured is more important than serving external apps like plex.

That would suck if it's the modem. I can't do any configuration on it. If it's the WiFi router, that I can deal with. 

I've stopped forwarding ports altogether and turned off ssh to my server. So far no login attempts since then. 
I will be resetting my WiFi router before I put my ubiquiti router in front of it

2 hours ago, Frank1940 said:

I would also be looking at any devices that you have that are considered to be IOT devices that are using your network.  Many of them have little security (Some had outright security holes when they shipped that were never addressed!) and will never be updated with security fixes.  I would suggest that if you have any that you set up a 'separate' network and put them on it.  I would also suggest that you change the password on your WiFi access point and make that a complex password that is long and difficult to guess.  You may have someone who is poaching your Internet connection.   

 

The Ubiquiti Router is a very powerful router for home use. It can be set up with many features that you would find in a professionally administered router. It can be intimidating to set up for folks who have little to no networking experience. Here is a link to a tutorial on setting it up to provide a complex home network that is quite extensive in nature. You can easily pick and choose the parts that you need.

 

https://github.com/mjp66/Ubiquiti/blob/master/Ubiquiti Home Network.pdf

The only IoT device I have on my network is a chromecast. Other than that it's a win pc, 2 macs, and 2 unmanaged network switches

 

Good point about the WiFi password. 

 

I have used the ubiquiti router at my previous location but didn't set it up here yet, not sure why. Will take a look at that link. Thanks!
