ptmuldoon

Ransomware Issue


My home server was hacked last night with the arrow ransomware attack. I'm a little more than pissed to say the least, but will make the best of it in trying to recover what I can.

 

From what I can figure out so far, and it's my own fault...

 

I run everything via VMs inside an ESXi host.

One of those machines was a Win7 machine I used for downloading media and stupidly allowed RDP port forwarding to, albeit on a very obscure 5-digit port number. Should have just stayed with VPN to connect remotely.

 

I believe that machine was brute-force RDP attacked.

That machine had a network connection to my unraid shares.

 

So both that VM and all of my unraid data was hit with the ransomware and is encrypted with the arrow ransomware.

 

But what I do not understand is how my UnRaid Flash/USB system files also got hit. That is not a public share on the Windows machine, or at least I do not remember it being that way. It was never mapped to the Windows VM.

 

So besides being pissed off, step 1 for me in unraid is likely going to be reinstalling Unraid from scratch, and I honestly probably do not have a copy of my Pro.key. I will check when I get home as I may have it on a USB external backup on a different unconnected machine.

 

After that, I plan to pull all existing drives (7 HDs) and put them on a shelf till possibly a way comes to decrypt this arrow ransomware... which doesn't look promising.

 

I'll also be removing that Windows VM and redoing that one from scratch as well. My ESXi baremetal and datastores all look fine to rebuild the VM, and my other Ubuntu VMs that were not networked to this Windows VM also appear ok.

 

So for me, step 1: if I can't locate my Pro.Key, is there a way to recover it?

 

2 hours ago, ptmuldoon said:

If I can't locate my Pro.Key, is there a way to recover it?

It was most likely originally sent via email, so check your email archives.

 

If you can't dig it up, email limetech and explain the situation.


Well, I searched my home PC that was not affected, thinking I had a backup there from past upgrades, but can't find it. And it's been at least 5+ years running unraid and I can't seem to find the old emails that may have had my key.

 

I'm going to email limetech and hope they have some pity on me. I've already lost 7TB of data, hijacked by ransomware, and I'm still not sure exactly how it happened. At least my other PCs were not connected to that VM and I can operate somewhat.

 

What's 'worse' is that the VM that got infected also had shared drives to my OpenHab server. So now half my home automation stuff is screwed up too. All I can do is hope for something in the future that can help in decrypting these files.


I normally split my file storage into writable and non-writable shares.

 

So the Windows machines may have an "upload" folder where they can add files to the servers.

Then I move the files out of the upload folders into their final locations, where they are treated as "archived" files. So hacked client machines can't destroy these files using file share accesses. The only way to destroy them is to hack the file servers directly. And the file servers aren't allowed to run any programs on any data disks, so server attacks need to go for vulnerabilities in services or in login account credentials.

 

In some situations I may have semi-writable shares, where clients can add new files. But every night, a script locks down the access rights of any added files. So editing an existing document means making a copy of it, giving it a new revision name. And the next night, that revision gets locked down and can't be edited again, unless I make an ssh shell access to the server and unlock it for one more day of editing.

 

This greatly reduces the attack vectors available in case any client machine gets infected by something nasty. And it gives a good protection from accidental overwrites/deletes.

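The nightly lock-down pwm describes (clients add files, the server strips write access after a day, only an ssh login can reopen a file for one more day), written as an added example; it is not pwm's own script. The share path `/mnt/user/upload` and log path are hypothetical, and it assumes a server with POSIX `find`/`chmod` and a nightly cron entry.

```shell
#!/bin/sh
# Nightly lock-down for a semi-writable share (added example, not pwm's
# own script). Files that have sat in the share longer than MIN_DAYS whole
# days lose their write bits, so a client compromised later can still add
# files through the share but cannot overwrite or truncate what is already
# there. SHARE and LOG are hypothetical paths; adjust for your server.
set -eu

SHARE="${SHARE:-/mnt/user/upload}"          # hypothetical share path
MIN_DAYS="${MIN_DAYS:-0}"                   # -mtime +0 == at least 24h old
LOG="${LOG:-/var/log/share-lockdown.log}"   # hypothetical log path

# lock_aged_files DIR DAYS
# Strips all write permission from regular files under DIR whose mtime is
# more than DAYS whole days old and that still have some write bit set, so
# the run is idempotent and only newly locked paths are printed.
lock_aged_files() {
    find "$1" -type f -mtime +"$2" \
        \( -perm -200 -o -perm -020 -o -perm -002 \) \
        -exec chmod a-w {} + -print
}

# is_locked FILE: succeeds when no write bit is set for owner, group or other.
# (Checks the mode bits rather than test -w, which is always true for root.)
is_locked() {
    [ -z "$(find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]
}

# unlock_for_a_day FILE: the admin-only step done over ssh. Restores the
# owner's write bit and resets mtime, so tonight's pass treats the file as
# new and tomorrow night's pass locks it again.
unlock_for_a_day() {
    chmod u+w "$1" && touch "$1"
}

# Entry point for cron. Skipped when the share is not mounted, so a missing
# mount never turns into a stream of errors or a pass over the wrong tree.
if [ -d "$SHARE" ]; then
    lock_aged_files "$SHARE" "$MIN_DAYS" |
    while IFS= read -r f; do
        printf '%s locked %s\n' "$(date '+%F %T')" "$f"
    done >> "$LOG"
fi
```

Schedule it from the server's own nightly cron; since clients have no shell access to the server, the lock-down itself stays out of a compromised client's reach.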
Posted (edited)

This is how I implemented the first idea that @pwm suggested.

 

https://lime-technology.com/forums/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532

 

 

I have been using it for over a year now and it is very usable.

 

There is also the ransomware protection plugin and the support thread is here:

 

https://lime-technology.com/forums/topic/50737-plugin-ransomware-protection/

 

(EDIT: note that this ransomware protection plugin has now been deprecated and is not being supported.)

 

Of course, all of this is too late for you, but hopefully other users will realize that the risk is still around and take appropriate precautions. Plus, it is always a good idea to have another backup of your irreplaceable data stored in an offsite location that is totally isolated from the Internet. (Like a hard drive in a safety deposit box...)

Edited by Frank1940



Copyright © 2005-2018 Lime Technology, Inc.
unRAID® is a registered trademark of Lime Technology, Inc.