6tb of storage gone to Cerber Ransomware


gezza952


Hi All,

 

From reading around I know nothing can be done about this but thought it may be worth warning others as I was unaware that this was possible.

 

So one of the computers on my network got infected with "Cerber Ransomware" and all of its files were encrypted due to some silly internet exploring and, I assume, stupidly clicking on a bad link. Wiped that PC, upgraded and used a backup, so all good there.

 

But when I checked my Unraid server all 6TB of files were encrypted!! Which I didn't think would happen as it's running Linux, so there is no Windows, and the shared drives were not even mapped on the originally infected PC. Anyway, I have no backup of the server so will need to cut my losses, wipe it and use this as an opportunity to upgrade to V6 of Unraid.

 

Screenshot of what the files look like on the server:

 


 


I'm sorry for you!

Some weeks ago we had a similar incident at work, as my colleague opened a malware attachment from his private mailbox and started the encryption sequence on the company's storage servers.

Some 20 minutes later, another guy noticed that his files were no longer available to him and called the IT division, and they instantly locked up the whole server. It took them almost one day to rebuild the data from backups.

And I lost 2 hours of work progress.

All kind of webmail is locked since then...

 

After that incident, I've been thinking whether some kind of quota or file (write) operation limit could be implemented to counter things like this?

I refrained from proposing this idea since I have a full backup of my data and I'm the only user having write permission on my servers.

After reading about your experience I think it should be evaluated if this can be implemented somehow in unRAID.

 

A lot can be done by setting user permissions more strictly, but sometimes "sxxt happens"!


I am very sorry for your loss of data, however this only strengthens the idea that something like unRAID is not a backup. I mean this in only the kindest way, but if your data is important to you, you have to have a second or, if possible, third copy of it. I have probably close to 50TB of media files and they are duplicated on an unRAID server that has very strict permissions set on the shares; heck, even the primary location of my data has strict sharing permissions. unRAID is not bulletproof (yet) and like any file sharing OS can fall victim to ransomware; the system is only as safe and secure as it's configured.


Sorry to hear about your experience. I recently freaked out about the possibility of the same thing happening to me. It won't do you any good for this time but might help others.

 

I set all the user shares on unraid to either secure or private. I made sure that almost all the user accounts only had read access for the shares.

 

There were a couple of exceptions where I had to give write permission permanently. For instance kodi boxes need write permission so they can save the subtitles next to the media files. So I created a user account dedicated to the kodi boxes and gave that user write access to the media folders. I never use those credentials on a Windows machine.

 

In Windows 10, I noticed that I had to store the credentials, otherwise SMB access didn't work properly. I make sure that none of those Windows-stored user accounts have any write access to any of the shares. When I need to write through a Windows computer, I open up the unraid GUI, give that user account write access to the specific share, and right after I'm done, I take away the write permission. It works pretty well.

 

I also have a user account for my phone (android), which has permanent write access to some shares. So if I need to quickly delete something, I do it on my phone. Until there are reports of crypto malware on android that is.

 

Basically, you need to make sure that no Windows device on the network has any write permission on any of the shares. The crypto malware will look for any network shared files and will encrypt them if it can.

 

For google drive, I created a father, grandfather backup scheme with weekly backups so that if malware encrypts my local drive files, I have up to two weeks to restore from the backups.


Thanks for the replies guys! My unraid is not considered a backup server for me; it just holds media like TV shows and movies, so it can all be replaced, just a pain in the ass. A good point you all make is the permissions, which I never thought about and is something I will make sure to change when I get V6 of unraid.

 

I made this thread as when I was googling I could not find anything and thought it would be nice for others to know this can happen.

 

Time to wipe those drives and start again, thanks again everyone!!!

All of my shares are read-only.... ALL of them.... except one cache-only share called "incoming".

 

Files going to unRAID are uploaded to "incoming" and then I log in and use MC to move them to either disk shares or leave them on cache but move them to user shares and let mover handle them.


Which I didn't think would happen as its running Linux so there is no windows and the shared drives were not even mapped on the originally infected PC.

Drives don't need to be mapped.  The malware will attempt to connect to every IP on your network.

 

Looks like the names are also encrypted. I guess someone could write a plugin with file name trigger to lock the shares?

 

 

Sent from my iPhone using Tapatalk

Actually, off and on I've been slowly putting together a Beta build of a plugin for exactly this.  I've been a bit lazy and haven't finished it as of yet, but I guess now that I've just stated it publicly I should get off my ass and get it done.  ;)
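The two triggers discussed above, a planted canary file that stops matching its hash and a folder whose file names suddenly stop looking like media, can be checked with a few dozen lines. The script below is an added example, not the plugin mentioned in the post nor any Unraid code. The canary name, the list of "normal" extensions, the sample folder it builds in a temp directory and the renamed files it creates are all constructed for the demo; what happens when it fires (flipping the share to read-only, stopping Samba, sending a mail) is left to a `lock_share()` hook because that part is specific to each server.

```python
"""Canary and filename trigger for a shared folder (added example)."""
import hashlib
import os
import tempfile

CANARY_NAME = "._canary_do_not_touch.txt"    # assumed name; pick your own
CANARY_BODY = b"canary: if this changes, writes are not trustworthy\n"
# Extensions this share is expected to hold (constructed list for the demo).
KNOWN_EXTENSIONS = {".mkv", ".mp4", ".avi", ".srt", ".jpg", ".png", ".nfo", ".txt"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(directory):
    """Write the canary and return the hash the checker should expect."""
    with open(os.path.join(directory, CANARY_NAME), "wb") as f:
        f.write(CANARY_BODY)
    return hashlib.sha256(CANARY_BODY).hexdigest()


def canary_intact(directory, expected_hash):
    path = os.path.join(directory, CANARY_NAME)
    return os.path.isfile(path) and sha256_file(path) == expected_hash


def suspicious_name_ratio(directory):
    """Fraction of regular files (canary excluded) whose extension is not
    one the share normally holds; encrypted names score as suspicious."""
    names = [n for n in os.listdir(directory)
             if n != CANARY_NAME and os.path.isfile(os.path.join(directory, n))]
    if not names:
        return 0.0
    odd = sum(1 for n in names
              if os.path.splitext(n)[1].lower() not in KNOWN_EXTENSIONS)
    return odd / len(names)


def check_share(directory, expected_hash, threshold=0.5):
    """Return the list of reasons to lock the share; empty means all clear."""
    reasons = []
    if not canary_intact(directory, expected_hash):
        reasons.append("canary file changed or missing")
    ratio = suspicious_name_ratio(directory)
    if ratio >= threshold:
        reasons.append(f"{ratio:.0%} of files have unrecognised names")
    return reasons


def lock_share(share_name, reasons):
    """Hook: on a real server this is where the share would be switched to
    read-only or Samba stopped. Here it only returns the decision."""
    return f"LOCK {share_name}: " + "; ".join(reasons)


def demo():
    """Check a healthy folder, then the aftermath of a run that renames and
    rewrites everything (both constructed in a temp dir); return both verdicts."""
    media = ["film.mkv", "film.srt", "cover.jpg", "notes.txt"]
    with tempfile.TemporaryDirectory() as d:
        for name in media:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"original data")
        expected = plant_canary(d)
        before = check_share(d, expected)

        # Simulated aftermath: every file, canary included, renamed to a
        # random-looking constructed name with an alien extension and overwritten.
        for i, name in enumerate(media + [CANARY_NAME]):
            new_name = f"x{i:02d}a9f3kq.b1c2"
            os.replace(os.path.join(d, name), os.path.join(d, new_name))
            with open(os.path.join(d, new_name), "wb") as f:
                f.write(b"\x00\xffgarbage")
        after = check_share(d, expected)
    return before, after


if __name__ == "__main__":
    healthy, hit = demo()
    print("healthy:", healthy or "all clear")
    print("after  :", lock_share("Movies", hit) if hit else "all clear")
```

Run it on a real share by calling `plant_canary()` once, storing the returned hash, and scheduling `check_share()` every few minutes; the ratio threshold is deliberately a parameter, since a share that legitimately holds odd extensions needs a higher one or a wider `KNOWN_EXTENSIONS` set.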

Agree -- if Windows "knows" the logon credentials, it can still access the share.    While this is a great convenience, it clearly can also be a dangerous thing.

 

Although I'm VERY well backed up -- and my backup server is only on when it's doing the backups, so it'd likely be OFF if I ever encountered this kind of issue -- this potential disaster certainly has me thinking of how to be even better protected from it.

 

Does setting the shares to Secure or Private provide a mechanism to also mark them as read-only?    My main media server is VERY static => it wouldn't be all that much of a hassle to have to jump through a couple hoops to write data to it; and if it was otherwise "write proof" that would certainly eliminate any ransomware activity.

 


I have the same arrangement as bubbaQ. I was interested if the ransomware broke through unRAID security layers or if it was a case of door already opened / key in the lock.

 

That's my paranoia - that one day somehow a ransomware can break through unRAID. I have 1-2-3 backup but the paranoia doesn't go away.

Does setting the shares to Secure or Private provide a mechanism to also mark them as read-only?    My main media server is VERY static => it wouldn't be all that much of a hassle to have to jump through a couple hoops to write data to it; and if it was otherwise "write proof" that would certainly eliminate any ransomware activity.

 

Unraid 6.2 certainly does, can't remember the older versions but pretty sure they do as well.

 

Attached is my Movies share. It is shared as secure. So guests have read only access (visitors can access the movies on their laptops). There are 6 unraid users set up. The first one has write permissions (used by kodi boxes, android or libreelec) and the last one has it as well (my android phone). The other users are the windows devices in the house and are all set to read only. If I need write access on a windows machine through file explorer, I just change that specific user to read/write, hit apply and I'm good to go. Once done with writing, I set it back to read-only and hit apply.

 

Other shares like Pictures are set to Private, so guests cannot even read (I don't want all the visitors to be able to access family photos and such on their laptops). Flash drive and the docker config folder shares are also set to Private since they may (and often do) contain passwords in plain text.


What does your "Users" page look like?  I've always just left my media server with only root and no defined users.

 

If I define some users, does that eliminate external access to root?    And does this make it more complex for my clients to access the media ... or can I simply log in and let those boxes "remember" the credentials, but have those users set to read-only?

 

i.e. if I define "Living Room", "MBR", "GuestBdrm", etc. as read-only users, will this provide protection against a rogue process writing to the server?

 

And does this protect against writes to the disk shares (i.e. NOT to a user share)?  Clearly I can set all the user shares as you've shown above; but what about direct access to the disks?  [Or if I simply don't export them, does that protect against that?]

 

 


Hi All,

 

From reading around I know nothing can be done about this but thought it may be worth warning others as I was unaware that this was possible.

 

So one of the computers on my network got infected with "Cerber Ransomware" and all of its files were encrypted due to some silly internet exploring and, I assume, stupidly clicking on a bad link. Wiped that PC, upgraded and used a backup, so all good there.

 

But when I checked my Unraid server all 6TB of files were encrypted!! Which I didn't think would happen as it's running Linux, so there is no Windows, and the shared drives were not even mapped on the originally infected PC. Anyway, I have no backup of the server so will need to cut my losses, wipe it and use this as an opportunity to upgrade to V6 of Unraid.

 

Screenshot of what the files look like on the server:

 


 

Did you check the nomoreransom website ? They collect unlocking tools... Damn man... Really a bummer..


What does your "Users" page look like?  I've always just left my media server with only root and no defined users.

 

If I define some users, does that eliminate external access to root?    And does this make it more complex for my clients to access the media ... or can I simply log in and let those boxes "remember" the credentials, but have those users set to read-only?

 

i.e. if I define "Living Room", "MBR", "GuestBdrm", etc. as read-only users, will this provide protection against a rogue process writing to the server?

 

And does this protect against writes to the disk shares (i.e. NOT to a user share)?  Clearly I can set all the user shares as you've shown above; but what about direct access to the disks?  [Or if I simply don't export them, does that protect against that?]

TBH, I'm actually surprised that someone who continually harps about the importance of backups isn't even taking the most rudimentary security precautions.

 

Right now, every single device on your network (computers, phones, routers, BD Players, Thermostats, etc) has complete and unfiltered access to every single file on your server.  With RW access to boot.  Not to mention that if you don't have a wifi guest network set up, then everyone who visits your house also has the same.  This is all regardless of whether the shares are visible or not over the network.

 

Yeah, if you set up users, then you can define access rights to the various shares (use private to nail it down to Read-Only access, RW, or NO access)

 

IMO, the devices that only need RO access to a share should only be granted RO access, and disallowed access to any share that it doesn't need access to.

 

Without using user shares, you're limited to defining which users have RW access and RO or no access to the individual disks once you set up users.  A step in the right direction, but does your OpenElec box / HTPC really need access to your financial information that happens to be stored on the same drive as your movies?  Dumb risk if you ask me.

 

Somewhat akin to leaving all your doors unlocked on the house and then being surprised when you get robbed.  A locked door won't stop someone who really wants to break in, but at least you stop the kiddies from just walking in.  Or setting your PIN # on your bank card to be 1234.  Or using "password" as your password on the router (or leaving them set as defaults)

 


What does your "Users" page look like?  I've always just left my media server with only root and no defined users.

 

If I define some users, does that eliminate external access to root?    And does this make it more complex for my clients to access the media ... or can I simply log in and let those boxes "remember" the credentials, but have those users set to read-only?

 

i.e. if I define "Living Room", "MBR", "GuestBdrm", etc. as read-only users, will this provide protection against a rogue process writing to the server?

 

And does this protect against writes to the disk shares (i.e. NOT to a user share)?  Clearly I can set all the user shares as you've shown above; but what about direct access to the disks?  [Or if I simply don't export them, does that protect against that?]

Disk shares have the same setting options as the user shares in terms of read/write access. I'm not currently exporting them except for the flash and the cache. But the user access is locked down tight.

 

You really should set up some users and lock down their access to your shares.

 

On my users page I have the 6 users. One is used by all the Kodi boxes, one is used by Android devices and the other 4 are for Windows devices. For each share, you can customize their access individually.

 

In terms of ease of access, keep in mind that "secure" means all guests (without a user account) have read only access by default. "Private" means the guests have no access and only the user accounts can access. With either option, users would need a user account with write permissions specified in order to make changes to your files through smb.

 

Make sure that all of your exported shares (user or disk) are set to "secure" at a minimum. And also make sure that the windows devices (they save the credentials for whatever user account you use) don't have write access to any of those shares by default.


Novell Netware used to have a nice feature "who has rights here" and display all users with rights to that path and what those rights are.  That would be useful for unRAID.

 

I'd also love to see a "Ransomware Check" feature that would identify all shares that have ANY writable users, and list those users.

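The "Ransomware Check" wished for above can be approximated offline from the Samba configuration itself. The script below is an added example, not an Unraid feature or plugin: it parses a constructed smb.conf and, following Samba's documented parameter semantics, lists every principal that can write to each share. The rules it applies are that `read only` defaults to yes and `writeable`/`writable` are its inverse, `write list` users can write even on a read-only share, `read list` users stay read-only on a writeable share (write list wins when a user is in both), a share without `valid users` admits any authenticated account, and `guest ok = yes` admits unauthenticated guests (simplified here to a single `<guest>` principal; Unraid's "Secure" export is the guest read-only case). Share names, paths and user names in the sample configuration are made up.

```python
"""Share write-access audit for an smb.conf (added example)."""

SAMPLE_SMB_CONF = """\
[global]
   read only = yes
   guest ok = no

[Movies]
   path = /mnt/user/Movies
   guest ok = yes
   valid users = kodi, phone, livingroom, mbr
   write list = kodi, phone

[Pictures]
   path = /mnt/user/Pictures
   valid users = phone, desktop
   writeable = yes
   read list = desktop

[incoming]
   path = /mnt/cache/incoming
   read only = no
   guest ok = yes

[Archive]
   path = /mnt/user/Archive
   valid users = desktop
"""

ANY_USER = "<any user>"   # placeholder for "every authenticated account"
GUEST = "<guest>"         # placeholder for unauthenticated access


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; parameter names are lower-cased
    with whitespace collapsed, which is how Samba matches them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def _names(value):
    return {n.strip() for n in value.split(",") if n.strip()}


def _read_only(settings):
    """Resolve 'read only' against its inverted synonyms; None if unset."""
    if "read only" in settings:
        return _yes(settings["read only"])
    for synonym in ("writeable", "writable"):
        if synonym in settings:
            return not _yes(settings[synonym])
    return None


def writers_for(share, global_settings):
    """Set of principals able to write to one share."""
    read_only = _read_only(share)
    if read_only is None:
        read_only = _read_only(global_settings)
    if read_only is None:
        read_only = True  # Samba's default
    everyone = _names(share.get("valid users", "")) or {ANY_USER}
    if _yes(share.get("guest ok", global_settings.get("guest ok", "no"))):
        everyone.add(GUEST)
    writers = set() if read_only else set(everyone)
    writers -= _names(share.get("read list", ""))
    writers |= _names(share.get("write list", ""))
    return writers


def ransomware_check(text):
    """Map each share with at least one writable principal to the sorted list
    of those principals; shares nobody can write to are omitted."""
    conf = parse_smb_conf(text)
    global_settings = conf.get("global", {})
    result = {}
    for name, settings in conf.items():
        if name == "global":
            continue
        writers = writers_for(settings, global_settings)
        if writers:
            result[name] = sorted(writers)
    return result


if __name__ == "__main__":
    for share, who in ransomware_check(SAMPLE_SMB_CONF).items():
        risk = "HIGH" if ANY_USER in who or GUEST in who else "review"
        print(f"{share:10s} writable by {', '.join(who):24s} [{risk}]")
```

On the sample, `Movies` is writable only by the two `write list` accounts, `Pictures` only by `phone` (the `read list` strips `desktop`), `incoming` by anyone including guests, and `Archive` by nobody. Point it at a real `smb.conf` (or the per-share fragments Unraid generates) and any share that shows `<any user>` or `<guest>` is the one a stored Windows credential or a guest-mounting process could encrypt.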

... I'm actually surprised that someone who continually harps about the importance of backups isn't even taking the most rudimentary security precautions.

...

 

Guilty as charged  :)

It's been on my "one of these days" lists for a long time, but as you noted, I am VERY well backed up; so it hasn't been all that high a priority.  ALL of my media is backed up to (a) a backup server that is only turned on during the actual update of the backups -- and is OFF all the rest of the time; AND (b) is also backed up to a complete set of off-line disks that I update monthly and are stored in a fireproof, waterproof, data-rated safe.

 

Personal data on the backup server is all encrypted.

 

But the ransomware issue definitely has me thinking that it's about time to change things around, so I'll be doing that in the next week or so.  My basic plan is to stop exporting the disks; just export the user shares; set up a couple users (one for my clients where we actually watch media; one for my PC that I use to manage the data); and make EVERYTHING read-only.  I'll simply log on and change the permissions for the PC user whenever I need to add data to the system; then change it back afterwards.

 


Okay, I'm definitely upset that I didn't do this LONG ago !!

 

It was oh-so-simple ... and my primary media collection is now completely read-only, so that's about 25TB that's now "safe" from ransomware !!  Even with double sets of backups for it all, it would be a real PITA to have to reload the server, so the added protection is clearly a good step.

 

Now I've got to do that for ALL of my shares on all of my servers -- a project for the next few days => I want to outline what permissions I need for which PC's and ensure they're all set up to work smoothly.

 

I DO feel very well protected from the disastrous consequence a ransomware attack might have with my 3-layers of backups; but it's still a good idea to set up the UnRAID boxes so they wouldn't be impacted at all if one of my PC's was to indeed get "hit".

 

 


I have no exported shares on my backup server.... all the backups are pulled by the backup server, not pushed from the production servers.

 

Ideally, I'd like the backup server to stay powered down, have an automated scheduled wake-up once a week, automatically run backups, then power back down.

My backup server works close to that =>  I have an automated task on my main PC (Windows box) that turns on the backup server via WOL;  does all of the backups from my PC, wife's PC, and my other 2 UnRAID servers;  and then sends a message to my PC that it's done.

 

I'd like to have it then shut itself down; but haven't figured out a Windows command line to do that => anybody know a way to do this?

 

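The "wake it, back it up, tell me when it's done" task described above can be written in a few lines. The script below is an added example, not the poster's script: it builds and broadcasts a standard Wake-on-LAN magic packet (six 0xFF bytes followed by the target MAC sixteen times, as a UDP broadcast to port 9), waits until the server answers on its SMB port, then runs the copy job. The MAC address, host name and backup command are placeholders, and the remote shutdown step the thread is still looking for is deliberately not included.

```python
"""Wake a backup server, wait for it, run the backup (added example)."""
import re
import socket
import subprocess
import time

BACKUP_MAC = "00:11:22:33:44:55"              # placeholder MAC
BACKUP_HOST = "MyBackupServer"                # placeholder host name
BACKUP_PORT = 445                             # SMB, used only as an "is it up yet?" probe
BACKUP_COMMAND = ["echo", "backup job would run here"]   # placeholder for robocopy/rsync


def magic_packet(mac):
    """Build the 102-byte WoL payload for a MAC written in any common notation."""
    raw = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return b"\xff" * 6 + raw * 16


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet on the local network; returns bytes sent."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(packet, (broadcast, port))


def wait_for_port(host, port, timeout=300, interval=5):
    """Poll a TCP port until it accepts a connection or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


def run_backup(command=BACKUP_COMMAND):
    """Run the copy job and return its exit code."""
    return subprocess.run(command, check=False).returncode


if __name__ == "__main__":
    send_wol(BACKUP_MAC)
    if wait_for_port(BACKUP_HOST, BACKUP_PORT):
        print("backup finished with exit code", run_backup())
    else:
        print(f"{BACKUP_HOST} did not come up within the timeout; backup skipped")
```

Because the backup server is only reachable while this job runs, a machine that is compromised between runs has nothing to write to, which is the property the posters above are relying on; the wake-up credential (a MAC address) grants no file access by itself.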

 

My backup server works close to that =>  I have an automated task on my main PC (Windows box) that turns on the backup server via WOL;  does all of the backups from my PC, wife's PC, and my other 2 UnRAID servers;  and then sends a message to my PC that it's done.

 

I'd like to have it then shut itself down; but haven't figured out a Windows command line to do that => anybody know a way to do this?

 

I believe

shutdown -s -t 00

will accomplish what you want.


 

My backup server works close to that =>  I have an automated task on my main PC (Windows box) that turns on the backup server via WOL;  does all of the backups from my PC, wife's PC, and my other 2 UnRAID servers;  and then sends a message to my PC that it's done.

 

I'd like to have it then shut itself down; but haven't figured out a Windows command line to do that => anybody know a way to do this?

 

I believe

shutdown -s -t 00

will accomplish what you want.

 

That works fine if you execute it from the UnRAID console; but what I'm looking for is a command line you can run on a Windows box that will shutdown the UnRAID server.

 

i.e. if the server is named "MyBakupServer", is there a command that will remotely execute that shutdown command with no intervention.    I tried several things a couple years ago when I set up the scripts, but never found anything that worked; so right now it just sends a message to my desktop that it's done => and when I see that I simply double-click on an icon that brings up the Web GUI for the backup server; then click on Stop; and then power it down.  Not a big deal ... takes perhaps 20-30 seconds (depends on how long it's been done ... clearly it takes a bit longer if the drives have to spin up) ... but it'd be nice if it was completely automated.

 
