6tb of storage gone to Cerber Ransomware


gezza952


I believe

shutdown -s -t 00

will accomplish what you want.

That works fine if you execute it from the UnRAID console; but what I'm looking for is a command line you can run on a Windows box that will shutdown the UnRAID server.

 

@Gary: shutdown -s -t 01 (<-- I never use 00) will work from Windows. You just need to create a shortcut with that command. It will work. I attached the lnk file I always use to shutdown my VM. Just double click and done.

 

Note: I have to attach the compressed file (.zip) because if I attach a .lnk file, stupid Windows would attach the shutdown.exe file instead.  ::)

SHUTDOWN.zip

Link to comment

Putty will accept command line parameters. I think what you want would be something along the lines of c:\pathtoputty\putty -ssh root@tower -pw password -m c:\pathto\textfilewithshutdowncommand.txt or something like that. I haven't actually tried it, so it may create a black hole and implode the universe, ymmv.
Link to comment

@Gary: shutdown -s -t 01 (<-- I never use 00) will work from Windows. You just need to create a shortcut with that command. It will work. I attached the lnk file I always use to shutdown my VM. Just double click and done.


Running that command immediately shuts down my Windows box  :)

... Not what I'm trying to do.

 

Link to comment

 

My backup server works close to that =>  I have an automated task on my main PC (Windows box) that turns on the backup server via WOL;  does all of the backups from my PC, wife's PC, and my other 2 UnRAID servers;  and then sends a message to my PC that it's done.

 

I'd like to have it then shut itself down; but haven't figured out a Windows command line to do that => anybody know a way to do this?

 

i.e. if the server is named "MyBakupServer", is there a command that will remotely execute that shutdown command with no intervention.    I tried several things a couple years ago when I set up the scripts, but never found anything that worked; so right now it just sends a message to my desktop that it's done => and when I see that I simply double-click on an icon that brings up the Web GUI for the backup server; then click on Stop; and then power it down.  Not a big deal ... takes perhaps 20-30 seconds (depends on how long it's been done ... clearly it takes a bit longer if the drives have to spin up) ... but it'd be nice if it was completely automated.

 

If the fancy stuff does not work, you could write a small cron job that checks for the presence of a file called "ShutdownNOW" in a specific location; you then let cron delete that file and shut down the system.

 

From your PC you write that file to the location when you want the server to shut down.

Link to comment

I'll play around with that.  So basically if I open a Putty window and confirm that a specific command will shut down the server; then all I need to do is set up a command-line that will log in to the server and run that command.  Does that command have to be in a text file (as you've indicated); or can it simply be embedded in the command line?

 

e.g. if "shutdown" would shut down the server, could it be something as simple as this:

 

c:\pathtoputty\putty -ssh root@tower -pw password shutdown

 

... or does the shutdown command have to be in a text file and read via the "run script" option (-m)?

Link to comment

Just confirmed that with the Powerdown plugin installed, "Powerdown" will do a clean shutdown and turn off the system.

 

So if I Putty into the server and simply type "Powerdown" it does what I want (this I already knew).

 

Clearly this makes it trivial to automate the shutdown -- just need to play around with the exact command line.  Gonna get a bit of sleep, but I'll have this all done tomorrow - thanks for the tips.

 

Link to comment

plink is the better option to automate remote execution of commands; it comes together with PuTTY.

 

plink -ssh -pw <password> root@<hostaddr> powerdown

 

Link to comment

PERFECT !!  Works like a charm.  Thanks  :)

 

Link to comment
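Added example (not from the thread): the server-side half of both shutdown approaches above, a dedicated SSH key locked to a single forced command so the Windows side can call plink with a key file and -batch instead of putting the root password in a shortcut, plus the cron-style trigger-file check. The powerdown path /usr/local/sbin/powerdown and the trigger location /mnt/user/control/ShutdownNOW are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread or from the Powerdown plugin.
#
# Variant A: a dedicated SSH key that can ONLY run powerdown. The Windows side
# then needs no password on the command line:
#     plink -batch -ssh -i shutdown.ppk root@tower powerdown
# (-batch and -i are real plink options; key file and host name are assumed).
#
# Variant B: a cron job that looks for a trigger file on a share and powers
# down when it appears (the "ShutdownNOW" idea from the thread). Keep that
# share separate from the media shares so nothing else needs write access.

POWERDOWN_CMD="${POWERDOWN_CMD:-/usr/local/sbin/powerdown}"   # assumed path
TRIGGER_FILE="${TRIGGER_FILE:-/mnt/user/control/ShutdownNOW}" # assumed path

# Build an authorized_keys line that pins the key to one forced command and
# disables forwarding and PTY allocation (standard OpenSSH key options), so a
# leaked key file cannot be used for a shell or for tunnelling.
restricted_key_entry() {
    local pubkey="$1"
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$POWERDOWN_CMD" "$pubkey"
}

# Variant B check, written as a function so it can be exercised without
# rebooting. Acts only on a regular, non-symlink file (a symlink on a writable
# share should not be able to point the check at something else). Returns 0
# after removing the trigger and running the action, 1 when there is nothing
# to do. The action is a parameter so a test can pass a harmless command.
check_trigger() {
    local trigger="${1:-$TRIGGER_FILE}" action="${2:-$POWERDOWN_CMD}"
    [ -f "$trigger" ] && [ ! -L "$trigger" ] || return 1
    rm -f -- "$trigger"
    "$action"
}
```

Install the printed key line in root's authorized_keys on the server, and run `check_trigger` from a cron entry every minute or so for variant B.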
  • 2 weeks later...

Okay, I'm definitely upset that I didn't do this LONG ago !!

 

It was oh-so-simple ... and my primary media collection is now completely read-only, so that's about 25TB that's now "safe" from ransomware !!  Even with double sets of backups for it all, it would be a real PITA to have to reload the server, so the added protection is clearly a good step.

 

Now I've got to do that for ALL of my shares on all of my servers -- a project for the next few days => I want to outline what permissions I need for which PC's and ensure they're all set up to work smoothly.

 

I DO feel very well protected from the disastrous consequence a ransomware attack might have with my 3-layers of backups; but it's still a good idea to set up the UnRAID boxes so they wouldn't be impacted at all if one of my PC's was to indeed get "hit".

 

Hey Gary,

 

Any chance you could detail what you did?

 

I also have this on my list, but I'm not sure exactly what I should be doing. Don't know anything about permissions. How do I set them on the server? It needs to be easy as I'm writing to it often, but usually only to one disk.

 

What about setting up a user profile for each other component on my network? I assume if this is done, I'll have to have a password for each device to access the server?

 

Makes me somewhat nervous changing stuff I don't fully understand. Willing to learn though. Thanks.

Link to comment

What does your "Users" page look like?  I've always just left my media server with only root and no defined users.

 

If I define some users, does that eliminate external access to root?    And does this make it more complex for my clients to access the media ... or can I simply log in and let those boxes "remember" the credentials, but have those users set to read-only?

 

i.e. if I define "Living Room", "MBR", "GuestBdrm", etc. as read-only users will this provide protection against a rogue process writing to the server?

 

And does this protect against writes to the disk shares (i.e. NOT to a user share)?  Clearly I can set all the user shares as you've shown above; but what about direct access to the disks?  [Or if I simply don't export them, does that protect against that?]

Disk shares have the same setting options as the user shares in terms of read write access. I'm not currently exporting them except for the flash and the cache. But the user access is locked down tight.

 

You really should set up some users and lock down their access to your shares.

 

On my users page I have the 6 users. One is used by all the kodi boxes, one is used by android devices and the other 4 are for windows devices. For each share, you can customize their access individually.

 

In terms of ease of access, keep in mind that "secure" means all guests (without a user account) have read only access by default. "Private" means the guests have no access and only the user accounts can access. With either option, users would need a user account with write permissions specified in order to make changes to your files through smb.

 

Make sure that all of your exported shares (user or disk) are set to "secure" at a minimum. And also make sure that the windows devices (they save the credentials for whatever user account you use) don't have write access to any of those shares by default.

 

What do you use for username on the kodi and the android?

 

Link to comment

Doesn't matter. Just create a new user, give it read write access to your media shares, and use that user/pass on all the kodi boxes. Do not use that user on any windows devices in file explorer, but use it only in kodi

Link to comment
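Added example (not from the thread, and not UnRAID's own config or tooling): an audit over a constructed smb.conf-style share list that names every share a guest without an account could write to, i.e. any share that falls short of the "secure" setting described above. It reads standard Samba parameters (public/guest ok, writeable/writable/read only); the share names, paths and the exact keys UnRAID emits are constructed or assumed.

```shell
#!/bin/bash
# Added example: report exported shares that anonymous (guest) clients can
# write to. "public"/"guest ok" is Samba's guest-access switch; "writeable"/
# "read only" control writes. Accounts on "write list" may still write to a
# read-only share, which is what the thread's "secure" mode relies on
# (guests read, named accounts write), so such shares are NOT reported.

# Constructed sample: Movies is "public", Music is "secure", Backups is "private".
SAMPLE_SMB_CONF='[Movies]
path = /mnt/user/Movies
public = yes
writeable = yes

[Music]
path = /mnt/user/Music
public = yes
writeable = no
write list = kodi

[Backups]
path = /mnt/user/Backups
public = no
read only = no
valid users = backup
'

# Print, one per line, the names of shares where guest access and writes are both on.
guest_writable_shares() {
    printf '%s\n' "$1" | awk '
        function flush() { if (share != "" && guest && writable) print share }
        /^[[:space:]]*\[/ {                       # new share stanza
            flush()
            share = $0
            gsub(/^[[:space:]]*\[|][[:space:]]*$/, "", share)
            guest = 0; writable = 0
            next
        }
        /=/ {                                     # key = value line
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); key = tolower(key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); val = tolower(val)
            if (key == "public" || key == "guest ok")    guest = (val == "yes")
            if (key == "writeable" || key == "writable") writable = (val == "yes")
            if (key == "read only")                      writable = (val == "no")
        }
        END { flush() }'
}

guest_writable_shares "$SAMPLE_SMB_CONF"   # prints: Movies
```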

All this talk is making me think I need to implement something like this as well....

 

Question though: If my movie share is set to Read only, and I rip a Blu-ray disk to my cache drive with the MakeMKV docker, what happens when Mover kicks in at 4am? Does it fail to move, or does it move anyways because Mover has different access permissions?

Link to comment

The mover will work. File permissions are only valid when you mount a share.

Link to comment

Fantastic! If that's the case, to build off of garycase's post:

 

My basic plan is to stop exporting the disks; just export the user shares; set up a couple users (one for my clients where we actually watch media; one for my PC that I use to manage the data); and make EVERYTHING read-only.  I'll simply log on and change the permissions for the PC user whenever I need to add data to the system; then change it back afterwards.

 

Using a cache drive, I'll only need to change the PC User permissions to r/w if I'm modifying existing files.

 

I can leave permissions on the cache drive as r/w, and any new files I create will be moved over to the read only folder by Mover...

 

Does that make sense?

Link to comment

That makes perfect sense. I would keep the cache drive read-only too, though. Otherwise everything you add to your movie shares could be encrypted.

 

Basically, as long as you have all your media handling in dockers (or in VMs using their own user permissions that you NEVER use on a Windows machine), a Windows-based encryptor will have no chance of getting at your files.

 

Link to comment

Excellent! Thanks for the info! I'll definitely implement this ASAP!

Link to comment

In case no one has mentioned it, apparently Trend Micro has a decryption tool available. I read about it here.

 

I always tell clients that if you get hit by ransomware, if you can save the drive/data and not just delete it, you may be able to get everything back later.  Months or sometimes years after a particular ransomware has been deployed, a decryption tool will be developed.

Link to comment

The Trend Micro tool is good for Cerber v1 and v2 decryption, but in the case of v3 ransomware you can only pray that ShadowExplorer or Recuva will find shadow copies of your important data. I found out here (http://manual-removal.com/cerber3/) that despite changing the encryption method, the new ransomware chiefly relies on the same propagation schemes. It also does not change its skins, ransom notification or payment methods. So I think that a v3 decryptor will be released soon.

So I'd recommend saving the encrypted data and waiting... or paying :-\

Link to comment
  • 2 months later...

Master Decryption Keys and Decryptor for the Crysis Ransomware Released.

http://www.bleepingcomputer.com/news/security/master-decryption-keys-and-decryptor-for-the-crysis-ransomware-released-/

Link to comment

While that might be true, in most cases there will be time sensitive data that cannot wait weeks or months for a free decryption tool, that is why people pay the ransom.

 

That is often true, but I never suggested not paying the ransom.  There are a lot of scenarios other than simply not paying the ransom where you can benefit from a later decryption tool.  In some instances, the person hit waits too long to take action or the time is too short for them as a novice to complete the process of setting up a wallet and buying bitcoins, etc.

Link to comment
