I got an encryption virus!!!

Hey!  The wife clicked on a "Fed Ex" e-mail attachment!  It apparently launched a encryption virus.

It got pretty much everything on my unraid machine that was doc or pdf or zip  or jpg and several others..

It also hit the flash drive as well..

My concern is more about the flash drive. It got all the txt files and zip and jpg/png files.  Now most are just old log which I don't care about..

but I do care about any unraid config and unmenu config or package config.

I'm trying to remember how it all worked.  Does unraid create a ramdisk copy of the flash drive stuff?

Unmenu is mostly working (the pics/icons are gone) but I can still see all my usage notes and purchase dates and stuff. 

Where are those stored?  Is there anything I have to worry about before restarting unraid?  Right now it's been

running since the wife opened the virus. I haven't restarted it yet.

Is there anything I want/need to do before I would do a restart?

bzimage,bzroot,ldlinux.sys *.cfg do not appear to have been touched.

Time to make inside my house more secure!  I'm still deciding if I'm going to let the wife live or not!

Thanks,

Jim

How do you know which files were unaffected?

All the files that were touched have an ".abc" extension.  and the modification date changed.

I'd heard about these things but never realised they were still doing the rounds.  Didn't know it affected everything on your LAN..

Sorry for your troubles mate.

All the files that were touched have an ".abc" extension.  and the modification date changed.

doc or pdf or zip  or jpg

does unmenu or any of the packages use any .txt files for config?

I'd heard about these things but never realised they were still doing the rounds.  Didn't know it affected everything on your LAN..

 

Sorry for your troubles mate.

Ya I did not realize this affected everything on LAN as well.... I suppose it is everything it can get its hands on, so SMB shares etc... Scary thought.

I'd heard about these things but never realised they were still doing the rounds.  Didn't know it affected everything on your LAN..

 

Sorry for your troubles mate.

I never heard of this before!  I should have just quarantined the computer when she did it!  I figured Norton would take care of anything!  Guess not!  Now I need a new strategy for all the shared drives!  Luckily all our pictures and main docs are stored offsite online.

It hit any drive it could find on the LAN...  Not just the mounted ones!  Also I was lucky it didn't target the acronis files or my MP3s and MP4s and TS files!

These encryption malware are better known as ransomware.

Your misfortune points out the importance of making sure that everything we store that is important to us (financials, work docs, photo and music collections, family videos, etc) MUST also be backed up to a normally inaccessible location, at least inaccessible to modification.  Options include -

* Removable drives, only attached for the periodic backup

* Encrypted volumes, only accessible while open

* Read only remote storage, not a local read only flag(!), but truly read only by the current logged in user

* CD's, DVD's, etc, basically the same as removable drives, but also essentially read only

* Storage in multiple locations, one of which is only available by controlled access, briefly

* probably other methods too, that maintain an additional copy of everything that's important to us, but are inaccessible to modification by their nature or without something secret (reasonably unbreakable)

This is also a reason why inexpert users should be set up with only limited user rights, not administrator rights.  This has been shown to limit the damage at times.  And of course, keep anti-malware tools updated.

These encryption malware are better known as ransomware.

 

Your misfortune points out the importance of making sure that everything we store that is important to us (financials, work docs, photo and music collections, family videos, etc) MUST also be backed up to a normally inaccessible location, at least inaccessible to modification.  Options include -

 

* Removable drives, only attached for the periodic backup

* Encrypted volumes, only accessible while open

* Read only remote storage, not a local read only flag(!), but truly read only by the current logged in user

* CD's, DVD's, etc, basically the same as removable drives, but also essentially read only

* Storage in multiple locations, one of which is only available by controlled access, briefly

* probably other methods too, that maintain an additional copy of everything that's important to us, but are inaccessible to modification by their nature or without something secret (reasonably unbreakable)

 

This is also a reason why inexpert users should be set up with only limited user rights, not administrator rights.  This has been shown to limit the damage at times.  And of course, keep anti-malware tools updated.

One more thing..  Don't marry a non tech savvy woman!! grrr...

I am vary fortunate that my pictures and docs will all be recoverable.  But I am defiantly going to change the access to the shared drives to privileges and passwords.  No more "no password" admin accounts on the windows machines.

The wife and kids will have guest accounts with limited privs!

My old work got this virus on their server and it obliterated most of their files. Thankfully I (being the "IT department" without actually having one) I took a complete backup of the server data files the day I left.

That action has saved their bacon on several occasions, LOL.

These encryption malware are better known as ransomware.

 

Your misfortune points out the importance of making sure that everything we store that is important to us (financials, work docs, photo and music collections, family videos, etc) MUST also be backed up to a normally inaccessible location, at least inaccessible to modification.  Options include -

 

* Removable drives, only attached for the periodic backup

* Encrypted volumes, only accessible while open

* Read only remote storage, not a local read only flag(!), but truly read only by the current logged in user

* CD's, DVD's, etc, basically the same as removable drives, but also essentially read only

* Storage in multiple locations, one of which is only available by controlled access, briefly

* probably other methods too, that maintain an additional copy of everything that's important to us, but are inaccessible to modification by their nature or without something secret (reasonably unbreakable)

 

This is also a reason why inexpert users should be set up with only limited user rights, not administrator rights.  This has been shown to limit the damage at times.  And of course, keep anti-malware tools updated.

Even an online backup solution such as CrashPlan would have saved someone's bacon. The fact that these files are encrypted due to the ransomware also modifies the original files, meaning they would be picked up as "modified" files by something like CrashPlan.

You could go do a point-in-time restore (to the day before you had the ransomware) and restore any of your files that would have been affected.

My place of business has been hit with this many times. Thanks to DR efforts not much was really lost except my time. There are two security firms that got their hands on a few cryptowall keys and it MIGHT help you. Cannot promise this will recover all or any of your files, but I have had a few users who had success with this site... Give it a try. This was from a botnet that was taken down. These security firms recovered a few of the encryption keys in that process. However there are a few different forms of the cryptowall and cryptolocker viruses and who knows which one you might have.

https://www.decryptcryptolocker.com

That website doesn't work any longer..  bummer..

CryptoLocker, unfortunately, has inspired criminals all over the world. We have seen more than 20 copycat ransomware attacks since the original CryptoLocker, some of which use the same name, modus operandi and layout as the original CryptoLocker. We believe that our Decryptolocker site has served its purpose, and we have decommissioned it given that the threat landscape has evolved.

That website doesn't work any longer..  bummer..

 

CryptoLocker, unfortunately, has inspired criminals all over the world. We have seen more than 20 copycat ransomware attacks since the original CryptoLocker, some of which use the same name, modus operandi and layout as the original CryptoLocker. We believe that our Decryptolocker site has served its purpose, and we have decommissioned it given that the threat landscape has evolved.

AHHH, I am sorry about that man. I should have looked first. I had it bookmarked from using it so often. I guess I will be removing it now. I would imagine your wife had a network drive mapped on her computer that caused this? This has been my experience in my environment anyhow.... I would get rid of that network drive mapping right away!!

I would imagine your wife had a network drive mapped on her computer that caused this? This has been my experience in my environment anyhow.... I would get rid of that network drive mapping right away!!

It hit any drive it could find on the LAN...  Not just the mounted ones!  Also I was lucky it didn't target the acronis files or my MP3s and MP4s and TS files!

Given that someone posted source code for a cryptolocker to github a few weeks ago I suspect this problem is going to get much worse.

These can indeed be very difficult to recover from unless you have current backups (which we all SHOULD ... but many folks don't).

Note that the reason this hit the UnRAID server is almost certainly that you had a mapped drive.    It's a bit less convenient to just use the URL for the network [You can put shortcuts on the desktop to make it simple] -- but doing so eliminates the server being "seen" as part of the local computer due to the mapped drive.

Also, as suggested earlier, you could set up read-only access for your wife's computer, although clearly that only works if she doesn't need to save files on the UnRAID box.

One other thought => I echo Rob's suggestion that you need to be sure your backup PC/drives are NOT accessible during normal operations.

Online backups, such as Crashplan, Carbonite, etc. are a good choice for relatively limited amounts of data.  What I do is keep my backup server off except when it's actually doing backups [it's turned on automatically via WOL just before my scheduled backup utility runs].

This thread has convinced me to re-evaluate the security I use on my shares.  Im building a test unraid to join to my domain so I can test AD permissions.  I would prefer to do workstation-based permissions vs user-based.

What do you mean use the URL?

What I have done is to make all the user shares world RO. And most of them export hidden.  Then I have a user (me) setup for write access.

I'll make the two shares she uses (pictures and docs) open as in the past..  because these should be backed up offsite weekly.

So, at most, I'll lose a weeks worth.

I may even take me off the share I use for backups and create a new user with write privs that only acronis will keep.  This way if, for some reason, I forget to logout or I somehow manage to get something similar, I should be protected. luckily the acronis backups were not targeted.

I also did lose about 5 months of stuff that I thought was being backed up.  but it wasn't.  It turns out the network drives on my windows PC that has the offsite backup wasn't backing them up because they weren't connected unless I touch them.  I wasn't using that computer much anymore and wasn't accessing the shares on it.  The regular drive was being backed up and I would get the e-mail saying stuff backed up successfully... but it didn't complain that it couldn't see the network drives that I told it to back up!  grrr...

Now I'm going to see it I can get idrive working on the unraid box..  I'll have to investigate that!.

Agree this is a scary issue.  It's the first time I can recall that somebody had a virus like this propagate to the UnRAID server from the infected PC.    I'm convinced it's because of the mapped drive -- so that's the first thing I'd eliminate.

This should also be a wake-up call for anyone who doesn't have a robust backup strategy !!

I was wondering about this. Currently my only backup solution is a crash plan nightly backup to an offsite computer,  which I do not own if we want to get technical. It's only my very important family memories that are being backed up right now. Would that help me in this case though? Doesn't crash plan save several versions of the files as they are being changed? If this is true, wouldnt you be able to roll back to the good files once the virus was removed? It is horrible that this happened to you,  but I think it's very good that we are having this discussion as a result. It makes us all look at how we are doing our backups. I'd love another machine that does my backups,  and ideally that box should be offsite, but I'm a little short on the $$ to make it work like that right now. It will happen one day though.

... my only backup solution is a crash plan nightly backup to an offsite computer

You bring up a good point => if you don't notice that you've been infected when it happens (normally you WILL know that, of course, as you'll get the ransom notice) ... and you next night's backup happens, then all of the backups could be overwritten with the infected files -- so unless the backup utility keeps multiple versions you'd be "hosed."

Edit:  Actually, in this specific case that shouldn't be an issue, since the filenames are changed with an .abc suffix (so they won't overwrite the correct files).

r.e. not being able to afford backups => I can understand that, but you should nevertheless be sure that any data you can't afford to lose IS backed up somewhere, somehow !!    Even if it's a manual backup you do periodically to a set of spare disk drives.    [in addition to my backup server, I have a complete set of backup disks I update periodically and store in a fireproof, data-rated safe]

I wonder if some of the files could be recoverable with a filesystem level scan for deleted files.