All files and folders gone



Woke up this morning and a ransomware file got deleted, locking up my files to read only. As of now I restarted the system, but it's showing all drives empty; the only files present now are these, which did not exist on my share t2

 drwxrwxrwx 3 root root     4096 Jan 13  2018 EFI-
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0000.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0001.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0002.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0003.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0004.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0005.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0006.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0007.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0008.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0009.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0010.REC
-rwxrwxrwx 1 root root    12288 Jan  1  1980 FSCK0011.REC
-rwxrwxrwx 1 root root    12288 Jan  1  1980 FSCK0012.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0013.REC
drwxrwxrwx 2 root root     4096 Feb 12  2016 System Volume Information
-rwxrwxrwx 1 root root    34494 Feb 12  2016 autorun.ico
-rwxrwxrwx 1 root root      204 Feb 12  2016 autorun.inf
-rwxrwxrwx 1 root root  5009408 Dec  1 11:38 bzfirmware
-rwxrwxrwx 1 root root  4498080 Dec  1 11:37 bzimage
-rwxrwxrwx 1 root root  8470528 Dec  1 11:38 bzmodules
-rwxrwxrwx 1 root root 94797188 Dec  1 11:40 bzroot
-rwxrwxrwx 1 root root 62593264 Dec  1 11:39 bzroot-gui
-rwxrwxrwx 1 root root    23478 Dec  1 11:37 changes.txt
drwxrwxrwx 9 root root     4096 Jan  7 10:09 config
-r-xr-xr-x 1 root root    69623 Feb 12  2016 ldlinux.sys
-rwxrwxrwx 1 root root     7975 Dec  1 11:37 license.txt
drwxrwxrwx 2 root root     4096 Nov 22 22:21 logs
-rwxrwxrwx 1 root root     1760 Dec  1 11:37 make_bootable.bat
-rwxrwxrwx 1 root root     3291 Dec  1 11:37 make_bootable_linux
-rwxrwxrwx 1 root root     2428 Dec  1 11:37 make_bootable_mac
-rwxrwxrwx 1 root root   150024 Dec  1 11:37 memtest
drwxrwxrwx 2 root root     4096 Nov 25 16:00 packages
drwxrwxrwx 2 root root     4096 Nov 18 01:44 preclear_reports
drwxrwxrwx 2 root root     4096 Dec 20 23:05 previous
-rwxrwxrwx 1 root root    14322 Mar 17  2017 readvz
drwxrwxrwx 2 root root     4096 Dec 20 23:05 syslinux
-rwxrwxrwx 1 root root       94 Feb 12  2016 syslinux.cfg
-rwxrwxrwx 1 root root        4 Sep 20 15:01 update.assistant.tmp

Edited by vixfix
Link to comment
4 hours ago, vixfix said:

Time Of Attack:Mon, 07 Jan 2019 05:13:30 -0600

Attacked File: /mnt/user/2t/MACBOOK/Documents/untitled folder/.SquidBanking-DO_NOT_DELETE.xlsx


Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Videos/TV   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Videos/TV   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Downloads   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Downloads   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   New folder   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   New folder   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Videos/Movies   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Videos/Movies   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Videos/3D Movies   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   media/Videos/3D Movies   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   WDBLUE MOBILE/Users/Work/Searches   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   WDBLUE MOBILE/Users/Work/Searches   Mon Jan  7 03:04:47 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   .   Mon Jan  7 04:46:55 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   .   Mon Jan  7 04:46:55 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   .   Mon Jan  7 04:46:55 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   .   Mon Jan  7 04:46:55 2019
13340        99         DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/2t   .   Mon Jan  7 04:46:55 2019
 

1

@Squid

Edited by vixfix
Link to comment

Your first post isn't making much sense. That appears to be a listing of the Unraid flash drive. I assume it was plugged into your server at the time. It isn't obvious there is anything wrong with it.

 

The 2nd post I'm not sure what I'm seeing. Is that a screenshot of something in Unraid, maybe related to the (deprecated) Ransomware plugin?

 

Nothing you have posted so far looks like evidence that all your Unraid data is gone.

 

What are you looking at and what are you seeing exactly that makes you say all your drives are empty?

Link to comment
2 minutes ago, itimpi said:

It is also worth pointing out that if the first screenshot is of the flash drive, the presence of FSCKxxx.REC type files suggests that at some point file system corruption has been detected on the flash drive, and these files are a by-product of the attempt to repair the drive.

Those files appeared on my user share t2. Never existed before.

 

Link to comment

I did look at your screenshot, but in future just attach it to your post instead of linking to an external site. Looks like you have formatted your disks. Are you sure you are telling us everything you did?

 

Why did you give me a .rar file? I specifically said (and I have been trying to get this wording just right to prevent what you did) 

58 minutes ago, trurl said:

attach the complete diagnostics ZIP FILE

When you download the diagnostics, the download is already a zip file. Probably you have told your computer to automatically open zip files. At least you didn't try to post every file in the zip separately like some have done. But we shouldn't have to install additional software on our computer just to help you. Give us the zip exactly as it was downloaded. Go to where your browser stores downloads and find the actual zip file that was downloaded and attach it to your next post.

Link to comment

Diagnostics say the 2t share exists on many (all?) disks. Diagnostics also indicate at least a few other user shares still exist on some drives, but can't tell what if anything is in them. If you go to the Shares page, click Compute All, and wait a bit, it will tell you how much of which disk each of your user shares is using. There appears to be a significant amount of data on cache, and some disks aren't as empty as others, but it does look like you have a lot less data than you said you should.

 

Very odd behavior for Ransomware though. They will typically want you to pay to decrypt the data, or at least give you the impression that you have some data worth paying for.

 

I guess it could be some other form of virus or something. Did you have any of your Unraid disks or shares mapped as drives in Windows?

 

Maybe some file recovery tool like UFS Explorer could help. I have seen that one mentioned a few times on this forum.

Link to comment
1 hour ago, vixfix said:

This looks to be an issue with the Ransomware Protection plugin. Overnight it happened again, where my share is replaced with a copy of the flash drive once one of the bait files was deleted.

Seems extremely unlikely the plugin is to blame. As mentioned it is deprecated anyway. Just remove the plugin.

Link to comment

Happened again last night, and read this on appdata backup....

Note: You should specify a backup share (and subfolders) dedicated to that particular backup. It is entirely possible for backups to erase any other files contained within the destinations.

And now I feel stupid.

Link to comment
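
A guard against the failure the last post describes (a mirroring backup pointed at a share that also holds other data), added here as an example; it is not from the thread and not part of any Unraid plugin. The marker file name and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to hand a directory to a mirroring/erasing backup
# unless it is dedicated to backups. MARKER and check_backup_dest are
# hypothetical names chosen for this sketch.
MARKER=".backup-destination"

# Returns 0 when "$1" is safe to use as a backup destination:
#   - it already carries the marker file (claimed for backups earlier), or
#   - it is completely empty, in which case it is claimed by writing the marker.
# Returns 1 otherwise and reports a few of the entries that would be at risk.
check_backup_dest() {
    dest=$1
    if [ ! -d "$dest" ]; then
        echo "refusing: $dest is not a directory" >&2
        return 1
    fi
    if [ -f "$dest/$MARKER" ]; then
        return 0
    fi
    # Count top-level entries, dotfiles included, without descending.
    count=$(find "$dest" -mindepth 1 -maxdepth 1 | wc -l)
    if [ "$count" -eq 0 ]; then
        : > "$dest/$MARKER"
        return 0
    fi
    echo "refusing: $dest has $count entries and no $MARKER, e.g.:" >&2
    find "$dest" -mindepth 1 -maxdepth 1 | head -n 5 >&2
    return 1
}

# Typical use before the backup job (path is a placeholder):
#   check_backup_dest /path/to/backup-share || exit 1
```

Run against a share that already holds media or documents, the check fails and lists a few of the entries the backup could have erased, leaving them untouched.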
