cyruspy

[SOLVED] Recover from ransomware


Well, I got owned (somehow, I still don't know how). As I neglected to disable the default pendrive share, all the files related to the UNRAID installation are encrypted. Is there any known procedure to figure out disk roles in the disk set (volume configuration) in order to recover? I recall that autodiscovery by reading from the disks was not a feature.


If they are not showing in the UnRAID UI there is no easy way to know. Sometimes "New Config" can assign this, but you may need to recover from backups.


It's advised to keep a backup of your flash drive and of the contents of your array.


You can mount each disk with the UD plugin (use the read-only mode). If there's just one parity, there should be only one disk without a filesystem; that would be parity. Do a new config and re-assign all disks (data disk order is not important with single parity), and check that parity is already valid before the array starts. If you have dual parity, post back, since there are a few differences.

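The "one disk without a filesystem is parity" check from the reply above, as an added example that is not part of the original post or of Unraid's own tooling. It assumes the array members have been partitioned the way Unraid does it (one partition per disk, parity partition carrying no filesystem) and that `lsblk -ln -o NAME,FSTYPE /dev/sd?1` prints one line per partition with the filesystem column blank for parity. The `SAMPLE_LSBLK` text is a constructed stand-in for that output; the disk names in it are hypothetical.

```shell
#!/bin/sh
# Added example: classify Unraid array members from lsblk output.
# Assumed input (one line per partition, from
#   lsblk -ln -o NAME,FSTYPE /dev/sd?1):
#   <name> <fstype>     for data disks
#   <name>              for the parity disk (no filesystem)
# Only inspect disks mounted read-only; do not start the array or write
# to any member until the parity assignment has been confirmed valid.

# Constructed sample output for a hypothetical 4-disk array, single parity.
SAMPLE_LSBLK='sdb1 xfs
sdc1
sdd1 xfs
sde1 btrfs'

# parity_candidates: names of partitions that carry no filesystem.
parity_candidates() {
    awk 'NF == 1 { print $1 }'
}

# data_disks: "name fstype" for every partition that has a filesystem.
data_disks() {
    awk 'NF >= 2 { print $1, $2 }'
}

# classify EXPECTED_PARITY: read lsblk text on stdin and print
#   parity <name>
#   data <name> <fstype>
# Fails (exit 1) when the number of filesystem-less partitions does not
# match the expected parity count: either a second parity disk, an
# unformatted data disk or a wiped member is present, and the roles
# cannot be recovered from filesystem presence alone.
classify() {
    expected_parity="$1"
    input=$(cat)
    cands=$(printf '%s\n' "$input" | parity_candidates)
    n=$(printf '%s\n' "$cands" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -ne "$expected_parity" ]; then
        echo "error: expected $expected_parity parity partition(s), found $n without a filesystem" >&2
        return 1
    fi
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "$cands" | sed 's/^/parity /'
    fi
    printf '%s\n' "$input" | data_disks | sed 's/^/data /'
}

# Run against the constructed sample; on a real box replace the sample
# with: lsblk -ln -o NAME,FSTYPE /dev/sd?1 | classify 1
printf '%s\n' "$SAMPLE_LSBLK" | classify 1
```

With dual parity the script refuses to guess (two filesystem-less partitions match `classify 2` but their order, P versus Q, is not recoverable this way), which mirrors the reply's advice to treat dual parity as a separate case.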

Well, I found an old backup of the initial setup. I used the initial config with fewer disks to figure out which drives are for parity, added the additional 4 disks that were included afterwards, and marked parity as OK.


Filesystem mounted, and currently cleaning out encrypted files.


Have you figured out how you got hit? In any case, you might want to consider making your server less of a target by taking some precautions. I would suggest you start by reading this thread:

I have been using this for the past three years now and, while a bit of a hassle, it does work smoothly. (Making shares private and then adding passwords only means that only some of the files will be encrypted, because virtually always the malware is being run on a client computer!) Basically, all of my shares are secure and without any user being assigned to any of them. That means that when accessing a share via SMB, the accessing computer can only read files, not write to them. This scheme works best for write-once, read-many type of operation. However, there are links to other protection schemes if this does not suit your mode of operation.


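The share-hardening scheme in the reply above (export mode "Secure" with nobody on the write list, so SMB clients can read but not write), as an added example that is not part of the original post. It is an audit script in POSIX shell that reads share definitions and reports which ones a compromised SMB client could still write to. It assumes the per-share config files Unraid keeps under /boot/config/shares/<share>.cfg use the keys `shareExport` ("e" when exported over SMB), `shareSecurity` (public, secure or private) and `shareWriteList` (comma-separated users allowed to write); verify those key names on your own system before relying on the result. The three `SHARE_*` texts are constructed samples, and the share and user names in them are hypothetical.

```shell
#!/bin/sh
# Added example: audit Unraid share configs for the read-only-over-SMB scheme.
# Assumed config format (per share, /boot/config/shares/<share>.cfg):
#   shareExport="e"          exported over SMB ("-" = not exported)
#   shareSecurity="secure"   public | secure | private
#   shareWriteList=""        users allowed to write (empty = nobody)
# Verdict per share:
#   readonly  - exported, and no SMB client can write (secure/private with
#               an empty write list)
#   writable  - exported, and public or some user can write
#   notshared - not exported over SMB

# Constructed samples: hardened, public (ransomware from a client can
# encrypt it), and secure-but-with-a-writer (that one user's client is
# still a path in).
SHARE_OK='shareExport="e"
shareSecurity="secure"
shareReadList=""
shareWriteList=""'

SHARE_BAD='shareExport="e"
shareSecurity="public"
shareReadList=""
shareWriteList=""'

SHARE_WRITER='shareExport="e"
shareSecurity="secure"
shareReadList=""
shareWriteList="alice"'

# cfg_value KEY: print the unquoted value of KEY from config text on stdin.
cfg_value() {
    sed -n "s/^$1=\"\\(.*\\)\"\$/\\1/p"
}

# share_verdict: read one share config on stdin, print the verdict.
share_verdict() {
    cfg=$(cat)
    export_mode=$(printf '%s\n' "$cfg" | cfg_value shareExport)
    security=$(printf '%s\n' "$cfg" | cfg_value shareSecurity)
    writers=$(printf '%s\n' "$cfg" | cfg_value shareWriteList)
    if [ "$export_mode" != "e" ]; then
        echo notshared
    elif [ "$security" = "public" ] || [ -n "$writers" ]; then
        echo writable
    else
        echo readonly
    fi
}

# audit_dir DIR: print "<share> <verdict>" for every *.cfg in DIR,
# e.g. audit_dir /boot/config/shares on a live system.
audit_dir() {
    for f in "$1"/*.cfg; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .cfg)
        printf '%s %s\n' "$name" "$(share_verdict < "$f")"
    done
}

# Demonstrate on the constructed public share.
printf '%s\n' "$SHARE_BAD" | share_verdict
```

Anything the script marks `writable` is reachable by whatever runs on a client that can authenticate to it, which is exactly the path the reply describes; the flash (pendrive) share mentioned at the top of the thread is the first one worth checking.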