vixfix Posted January 7, 2019 (edited)

Woke up this morning and a ransomware file got deleted, locking up my files to read only. As of now I restarted the system but it's showing all drives empty; the only files present now are these, which did not exist on my share t2:

drwxrwxrwx 3 root root     4096 Jan 13  2018 EFI-
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0000.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0001.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0002.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0003.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0004.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0005.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0006.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0007.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0008.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0009.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0010.REC
-rwxrwxrwx 1 root root    12288 Jan  1  1980 FSCK0011.REC
-rwxrwxrwx 1 root root    12288 Jan  1  1980 FSCK0012.REC
-rwxrwxrwx 1 root root     4096 Jan  1  1980 FSCK0013.REC
drwxrwxrwx 2 root root     4096 Feb 12  2016 System Volume Information
-rwxrwxrwx 1 root root    34494 Feb 12  2016 autorun.ico
-rwxrwxrwx 1 root root      204 Feb 12  2016 autorun.inf
-rwxrwxrwx 1 root root  5009408 Dec  1 11:38 bzfirmware
-rwxrwxrwx 1 root root  4498080 Dec  1 11:37 bzimage
-rwxrwxrwx 1 root root  8470528 Dec  1 11:38 bzmodules
-rwxrwxrwx 1 root root 94797188 Dec  1 11:40 bzroot
-rwxrwxrwx 1 root root 62593264 Dec  1 11:39 bzroot-gui
-rwxrwxrwx 1 root root    23478 Dec  1 11:37 changes.txt
drwxrwxrwx 9 root root     4096 Jan  7 10:09 config
-r-xr-xr-x 1 root root    69623 Feb 12  2016 ldlinux.sys
-rwxrwxrwx 1 root root     7975 Dec  1 11:37 license.txt
drwxrwxrwx 2 root root     4096 Nov 22 22:21 logs
-rwxrwxrwx 1 root root     1760 Dec  1 11:37 make_bootable.bat
-rwxrwxrwx 1 root root     3291 Dec  1 11:37 make_bootable_linux
-rwxrwxrwx 1 root root     2428 Dec  1 11:37 make_bootable_mac
-rwxrwxrwx 1 root root   150024 Dec  1 11:37 memtest
drwxrwxrwx 2 root root     4096 Nov 25 16:00 packages
drwxrwxrwx 2 root root     4096 Nov 18 01:44 preclear_reports
drwxrwxrwx 2 root root     4096 Dec 20 23:05 previous
-rwxrwxrwx 1 root root    14322 Mar 17  2017 readvz
drwxrwxrwx 2 root root     4096 Dec 20 23:05 syslinux
-rwxrwxrwx 1 root root       94 Feb 12  2016 syslinux.cfg
-rwxrwxrwx 1 root root        4 Sep 20 15:01 update.assistant.tmp

Edited January 7, 2019 by vixfix
vixfix (Author) Posted January 7, 2019 (edited)

4 hours ago, vixfix said:

Time Of Attack: Mon, 07 Jan 2019 05:13:30 -0600
Attacked File: /mnt/user/2t/MACBOOK/Documents/untitled folder/.SquidBanking-DO_NOT_DELETE.xlsx
Locked files:

Pid   Uid DenyMode  Access   R/W    Oplock SharePath    Name                              Time
--------------------------------------------------------------------------------------------------
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Videos/TV                   Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Videos/TV                   Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Downloads                   Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Downloads                   Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t New folder                        Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t New folder                        Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Videos/Movies               Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Videos/Movies               Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Videos/3D Movies            Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t media/Videos/3D Movies            Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t WDBLUE MOBILE/Users/Work/Searches Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t WDBLUE MOBILE/Users/Work/Searches Mon Jan 7 03:04:47 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t .                                 Mon Jan 7 04:46:55 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t .                                 Mon Jan 7 04:46:55 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t .                                 Mon Jan 7 04:46:55 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t .                                 Mon Jan 7 04:46:55 2019
13340 99  DENY_NONE 0x100081 RDONLY NONE   /mnt/user/2t .                                 Mon Jan 7 04:46:55 2019

@Squid

Edited January 7, 2019 by vixfix
trurl Posted January 7, 2019

Your first post isn't making much sense. That appears to be a listing of the Unraid flash drive. I assume it was plugged into your server at the time. It isn't obvious there is anything wrong with it. The 2nd post I'm not sure what I'm seeing. Is that a screenshot of something in Unraid, maybe related to the (deprecated) Ransomware plugin? Nothing you have posted so far looks like evidence that all your Unraid data is gone. What are you looking at and what are you seeing exactly that makes you say all your drives are empty?
itimpi Posted January 7, 2019

It is also worth pointing out that if the first screenshot is of the flash drive, the presence of FSCKxxx.REC type files suggests that at some point file system corruption has been detected on the flash drive, and these files are a by-product of the attempt to repair the drive.
vixfix (Author) Posted January 7, 2019

Tried rewording above. Out of 33TB only 600GB is showing used. I went through some of the history logs but everything was cleared out.
vixfix (Author) Posted January 7, 2019

2 minutes ago, itimpi said:
It is also worth pointing out that if the first screenshot is of the flash drive, the presence of FSCKxxx.REC type files suggests that at some point file system corruption has been detected on the flash drive, and these files are a by-product of the attempt to repair the drive.

Those files appeared on my user share t2; they never existed before.
trurl Posted January 7, 2019

Still very unclear. Are you sure you are telling us everything you did? Go to Tools - Diagnostics and attach the complete diagnostics zip file to your next post. Also, give us a complete screenshot of anything you think might show us that you are actually missing any files.
vixfix (Author) Posted January 7, 2019 (edited)

Sorry, wife and kid keep interrupting me every second 😡. Was 80% full yesterday, now showing only 2% used due to new files added today.

https://www.dropbox.com/s/26hod3r41vjy2a4/unraid.PNG?dl=0

tower-diagnostics-20190107-1011.rar

Edited January 7, 2019 by vixfix
trurl Posted January 7, 2019

I did look at your screenshot, but in future just attach it to your post instead of linking to an external site. Looks like you have formatted your disks. Are you sure you are telling us everything you did?

Why did you give me a .rar file? I specifically said (and I have been trying to get this wording just right to prevent what you did)

58 minutes ago, trurl said:
attach the complete diagnostics ZIP FILE

When you download the diagnostics, the download is already a zip file. Probably you have told your computer to automatically open zip files. At least you didn't try to post every file in the zip separately like some have done. But we shouldn't have to install additional software on our computer just to help you. Give us the zip exactly as it was downloaded. Go to where your browser stores downloads and find the actual zip file that was downloaded and attach it to your next post.
vixfix (Author) Posted January 7, 2019

Was working off of TeamViewer and a cell phone. The first zip was lost and I had to re-archive; just downloaded a fresh one.

tower-diagnostics-20190107-1444.zip
trurl Posted January 7, 2019

Diagnostics say the 2t share exists on many (all?) disks. Diagnostics also indicate at least a few other user shares still exist on some drives, but can't tell what if anything is in them. If you go to the Shares page, click Compute All, and wait a bit it will tell you how much of which disk each of your user shares are using.

There appears to be a significant amount of data on cache, and some disks aren't as empty as others, but it does look like you have a lot less data than you said you should.

Very odd behavior for Ransomware though. They will typically want you to pay to decrypt the data, or at least give you the impression that you have some data worth paying for. I guess it could be some other form of virus or something. Did you have any of your Unraid disks or shares mapped as drives in Windows?

Maybe some file recovery tool like UFS Explorer could help. I have seen that one mentioned a few times on this forum.
vixfix (Author) Posted January 8, 2019

This looks to be an issue with the Ransomware Protection plugin. Overnight it happened again, where my share is replaced with a copy of the flash drive once one of the bait files was deleted.
trurl Posted January 8, 2019

1 hour ago, vixfix said:
This looks to be an issue with the Ransomware Protection plugin. Overnight it happened again, where my share is replaced with a copy of the flash drive once one of the bait files was deleted.

Seems extremely unlikely the plugin is to blame. As mentioned it is deprecated anyway. Just remove the plugin.
vixfix (Author) Posted January 9, 2019

Happened again last night, and read this on appdata backup:

Note: You should specify a backup share (and subfolders) dedicated to that particular backup. It is entirely possible for backups to erase any other files contained within the destinations.

And now I feel stupid.
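What the thread ends on is a mirror-style backup pointed at a destination that also held other data: the backup wrote its copy of the flash drive there and removed everything else. The script below is an added example (not from this thread or any Unraid plugin) of the pre-flight check a backup job should make before such a run: it refuses any destination that is not empty, not yet created, or not already claimed by an earlier run of the same job. The marker file name .backup-dest and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: guard a mirror-style backup so it never runs into a directory
# that holds other data. A "dedicated" destination is one that is empty, does
# not exist yet, or carries the marker left by a previous run of this job.
MARKER=".backup-dest"   # hypothetical marker name, written on the first run

# dest_is_dedicated DEST -> status 0 when DEST is safe to mirror into
dest_is_dedicated() {
    dest="$1"
    # Not created yet: nothing to destroy, the job creates it itself
    [ -e "$dest" ] || return 0
    # Exists but is not a directory: never touch it
    [ -d "$dest" ] || return 1
    # Claimed by a previous run of this same job
    [ -f "$dest/$MARKER" ] && return 0
    # Completely empty, dotfiles included
    [ -z "$(ls -A "$dest")" ] && return 0
    # Anything else (a share root, someone's documents...) is not ours to erase
    return 1
}

# safe_mirror SRC DEST -> mirrors SRC into DEST only after the check passes.
# Returns 2 and leaves DEST untouched when the destination is not dedicated.
safe_mirror() {
    src="$1"; dest="$2"
    if ! dest_is_dedicated "$dest"; then
        echo "refusing: $dest is not a dedicated backup destination" >&2
        return 2
    fi
    mkdir -p "$dest"
    : > "$dest/$MARKER"
    # The mirror step: every entry in DEST except the marker is removed before
    # the copy. This is exactly the step that empties a share when DEST is the
    # share root, which is why the check above has to run first.
    find "$dest" -mindepth 1 -maxdepth 1 ! -name "$MARKER" -exec rm -rf {} +
    cp -a "$src"/. "$dest"/
}

# Usage (paths are placeholders): safe_mirror /boot /mnt/user/backups/flash
```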