[SOLVED] Advice on Cryptolocker affected Server



Hello All,

 

Well, disaster here.

My wife's laptop had Cryptolocker opened on it and it has done terrible damage.

 

My Unraid tower was a mapped drive on the laptop and Cryptolocker encrypted many, many files on the server.

This included most of the files on the flash drive with all the configuration of the server. The server is still operating but I am extremely worried as to what might happen if the tower is powered down. I am sure it won't boot up again. For example, Unmenu no longer works but the default GUI still does.

 

I have a copy of the flash key files from when I upgraded to 5.05 from 4.xx about 2 years ago but nothing more recent. I have added and changed several hard drives since that upgrade.

 

Does anyone have some thoughts on how to move forward from this?

 

I am not talking about trying to rescue or decrypt the individual files. The overwhelming information is that it is impossible without the key from the ransomers.

 

I have about 8TB of data of which 1.8TB is encrypted. But this does include just about everything on the flash drive, as I have mentioned.

 

If I reformat the flash key and reinstall 5.05, will it recognise the array? Is this a first step?

 

If that fails, and I then need to remove the discs, how easy is it to move the data off those discs?

Will my Windows PC read the drives from an external USB box?

 

I would welcome anyone's thoughts on how they would move forward.

 

Thanks in advance for your help

 

Link to comment

Take a screenshot of your drive assignments and any other settings you want and just do them all again after a fresh install of 5.0.6. Do you have a copy of your .key file?

 

If you assign your drives correctly you should be OK, or at least as OK as possible in your situation.

 

Windows will not natively read any of your unRAID disks since they use a filesystem Windows does not recognize or support.

 

Recommend you not map drives. Most applications can access network folders using UNC paths these days and mapped drives are seldom necessary.

 

And especially don't map your flash drive. I can't see any reason at all for doing that.

Link to comment
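The hardening advised above (guests read only, one named account with write access, and the flash drive not exported as a writable share) expressed as plain Samba configuration. This is an added illustration, not from the thread or from Unraid's own files; Unraid normally manages share permissions from its web UI, and the share names, paths and the user name "owner" are assumptions. The two [media] fragments are alternatives: the first is the weak setup the thread describes, the second the corrected one.

```ini
; --- Before: the share the laptop had mapped (weak) ---
; Anyone connecting as guest can write, so malware running as the
; logged-in laptop user can overwrite every file it can reach.
[media]
   path = /mnt/user/media
   guest ok = yes
   read only = no

; --- After: everyone read only, a single named account may write ---
; "read only = yes" applies to all connections; "write list" carves out
; the one account that is allowed to modify files.
[media]
   path = /mnt/user/media
   guest ok = yes
   read only = yes
   write list = owner

; The boot flash holds the server's whole configuration. If it must be
; exported at all, keep it hidden and read only (share name assumed).
[flash]
   path = /boot
   browseable = no
   guest ok = no
   read only = yes
```

Note that read only shares protect against this specific failure mode only: the machine that does hold write access can still encrypt everything it can write to, so the account in `write list` should be used from as few machines as possible and the data still needs an offline or versioned backup.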

Thanks for your response.

 

Let me get this correct. I have a copy of my plus.key file on my original 4.xx flash drive backup.

 

I record all the drive assignments.

Cross fingers.

Shutdown the server.

I reformat the corrupt flash drive.

I make bootable and extract files etc.

Boot up

reassign drives

See working array

Uncross fingers.

 

Drive was mapped to allow my wife easy access to the files. I now know to create a user for her and give read only access. Horse bolted - barn door etc.

 

If it all comes to nought, is there any way to pull the unencrypted files off the drives outside the case?

 

Thanks again.

 

Link to comment

...If it all comes to nought, is there any way to pull the unencrypted files off the drives outside the case?

Getting unRAID going again is going to be the simplest approach. Unless you already have a Linux computer running anything else is going to require more effort which we can get into if necessary.
Link to comment

The upgrade to V6 went flawlessly.

 

Although my V5 USB files, including my key file, were all encrypted, I was able to upgrade using the key file from my V4.7 backup of the USB key.

 

I just re-assigned the drives after boot and was running within a few minutes.

I have set myself as the only user with read/write privileges. Guests (everyone else) are read only.

 

Thanks for all your help, folks.

 

I now have the task of deleting all the encrypted files and trying to find/re-backup/re-encode replacements. 

 

As a point of interest, the cryptolocker was only active for about 20 minutes from my wife's laptop to the Unraid server which was mapped as a drive to her machine for ease of her access. I had not restricted guests (including my wife) to read only. In that 20 minutes, 3338 files to a total of 1.68TB were encrypted.

I can't imagine that in that 20 minutes it read into memory across the network all those files in their entirety, encrypted them and copied them back onto the server. It must just encrypt enough of the file to make it unusable. A simple rename doesn't do it, of course.

 

Link to comment

As a point of interest, the cryptolocker was only active for about 20 minutes from my wife's laptop to the Unraid server which was mapped as a drive to her machine for ease of her access. I had not restricted guests (including my wife) to read only. In that 20 minutes, 3338 files to a total of 1.68TB were encrypted.

I can't imagine that in that 20 minutes it read into memory across the network all those files in their entirety, encrypted them and copied them back onto the server. It must just encrypt enough of the file to make it unusable. A simple rename doesn't do it, of course.

 

You know, I've never heard anyone say that, but it makes perfect sense!  Good thinking on your part!  And theirs too unfortunately.  It lets them reach more files faster, in case they're discovered, interrupting their dirty work.

Link to comment
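The reasoning in the last two posts (1.68 TB in 20 minutes cannot have been fully read, encrypted and written back over a home network, so the damage must be partial per file) can be checked with a few lines of code. The script below is an added example, not code from the thread, Unraid or any ransomware analysis: it does the throughput arithmetic with the figures the poster gave, and then shows the per-block entropy profile of a file, which is the quickest way to tell an intact file from one whose first blocks have been overwritten with ciphertext. The three sample files are constructed inline (random bytes standing in for ciphertext, repeated text for an intact file); nothing on a real array is read.

```python
"""Check the "only part of each file was encrypted" hypothesis.

Added example, not from the original thread. It shows:
  1. the arithmetic: 1.68 TB in 20 minutes is ~1.4 GB/s in each direction,
     far above what gigabit Ethernet can move (~125 MB/s);
  2. a per-block entropy profile of a file, which separates an intact file
     from one whose leading blocks have been replaced with ciphertext.
Sample files are constructed below; no real data is touched.
"""
import math
import os
import tempfile
from collections import Counter

BLOCK = 1024 * 1024          # 1 MiB per block
HIGH_ENTROPY = 7.5           # bits/byte; ciphertext sits near 8.0


def implied_throughput_mbps(total_bytes: float, seconds: float) -> float:
    """Sustained rate the attack would have needed, in MB/s (decimal)."""
    return total_bytes / seconds / 1e6


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(path: str, block_size: int = BLOCK) -> list[float]:
    """Entropy of each block_size chunk of the file, in file order."""
    profile = []
    with open(path, "rb") as fh:
        while chunk := fh.read(block_size):
            profile.append(shannon_entropy(chunk))
    return profile


def classify(profile: list[float], threshold: float = HIGH_ENTROPY) -> str:
    """Label a profile. Compressed media (JPEG, MP4, ZIP) is high-entropy
    by nature, so 'fully-high-entropy' alone does not prove encryption."""
    if not profile:
        return "empty"
    high = [e >= threshold for e in profile]
    if all(high):
        return "fully-high-entropy"
    if not any(high):
        return "plaintext"
    return "partially-high-entropy"


def make_samples(directory: str) -> dict[str, str]:
    """Write three constructed files and return name -> path."""
    line = b"Family photos index, 2014 holiday, camera roll.\n"
    text_block = (line * (BLOCK // len(line) + 1))[:BLOCK]   # exactly 1 MiB
    samples = {
        "intact.txt": text_block * 4,
        # first 2 MiB overwritten with "ciphertext", tail left as it was
        "partially_encrypted.txt": os.urandom(2 * BLOCK) + text_block * 2,
        "fully_encrypted.bin": os.urandom(4 * BLOCK),
    }
    paths = {}
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths[name] = path
    return paths


def scan(directory: str) -> dict[str, str]:
    """Classify every regular file directly under directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify(entropy_profile(path))
    return results


def demo() -> dict[str, str]:
    """Build the samples in a temporary directory and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        return scan(tmp)


if __name__ == "__main__":
    rate = implied_throughput_mbps(1.68e12, 20 * 60)     # figures from the post
    print(f"implied sustained rate: {rate:.0f} MB/s read and {rate:.0f} MB/s "
          f"write (gigabit Ethernet tops out near 125 MB/s)")
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Two caveats when running this against a recovered share. First, the poster's collection is mostly media, and compressed media is already near 8 bits/byte, so the entropy profile cannot tell an intact video from an encrypted one; for those, compare against a backup copy or check that the first bytes still carry the format's magic signature for the file's extension. Second, 1.68 TB across 3338 files is roughly 500 MB per file, so even a small fixed-size prefix per file adds up to far less traffic than a full rewrite, which is exactly why the observed timing is consistent with partial encryption.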
