0XXX (NAS) Ransomware (.0xxx) Support Topic


233 replies to this topic

#31 fluffypeach

Posted 31 July 2021 - 02:53 PM

so seems that they were scanning the net looking for online NAS devices having smb shares and probably they used some smb exploit to bypass smb passwords...

That's my theory. The next question is, was this a vulnerability in Samba or a case of us leaving our permissions open to this exploit?



#32 CKlabs

Posted 31 July 2021 - 03:29 PM

well I used to mount 3 shares of my NAS remotely but all need password to access files... they encrypted files and renamed them, also file date and time were updated to encryption moment so they had correct user permissions to do all this... they used an exploit for sure in my opinion

#33 kristan_

Posted 01 August 2021 - 04:50 AM

I can confirm I used samba on one of my NAS's which were hit; the only person that had this was my girlfriend and the only files that were affected were files that she had write access to. Files she had read access to had the files cloned and encrypted so the original file was there and then also the encrypted file. In total I had about 30TB of data encrypted; fortunately however this is just media files and a few game servers.

I advise no one to pay the ransom. Unfortunately, looking through any documents I have both the standard and encrypted version of, they are pretty sensitive so I don't really feel comfortable sharing them and plan to just wipe the particular NAS in question. For the next hour or so I am migrating stuff over to some other devices so if anyone wants me to check anything before it gets wiped just reply here and I'll check up.

Edit: took a lot quicker than anticipated to move files to other devices, beginning the wipe now, sorry.


Edited by kristan_, 01 August 2021 - 05:34 AM.


#34 shelz8

Posted 01 August 2021 - 10:51 AM

Hello,

another victim here. South Africa-based. It's my UnRAID Server that's infected. All my movies (mp4s etc), and photos (jpegs) have all been appended with the suffix .0xxx.

I have the same ransom text document as the others (except for a different ID).

here is the link to the files https://dropmefiles.com/dIAOy

Unknown Ransomware
Unable to determine ransomware.
Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 9beed310fb925e3bca939d9c3ba78f88d5008ab8

All my files on 1 of the 3 hard drives were infected around 5 am; around the time of infection I was using Samba to upload my Series to my cloud drive.

Many thanks

Sheldon

Edited by shelz8, 01 August 2021 - 11:13 AM.


#35 shelz8

Posted 01 August 2021 - 11:03 AM

> A question to fellow attackees - were you all using Samba? I've rebuilt my system from scratch and I suspect my settings on Samba were the door into my server so I'm avoiding using that. Failing that, are you all plexers? My affected machine was running Ubuntu 20.04.2, Samba and Plex and not much else as it's all that machine is for. Thanks for any feedback.

I use samba on my unRAID server but I don't know what caused it because last night it was fine and when I woke up my files were encrypted on one hard drive but my other two hard drives are fine. I'm suspecting something downloaded on Radarr or Sonarr and that caused it because nothing imported to one of the other unaffected drives.



#36 fluffypeach

Posted 01 August 2021 - 07:06 PM

 

I don't use Radarr or Sonarr though I've looked into them. I found that my Ubuntu server was attacked while I was out and no one else was accessing it. Just being online but not actively doing anything was enough. Some of my files weren't encrypted - it seems to have been down to file type, but it was across the three hard drives that I samba shared. The OS hard drive wasn't shared and wasn't affected, so this is why I think it's a samba exploit. It sucks because I like using samba and in rebuilding, I've had to do a lot of usb swapping. meh. 



#37 DrKamBoosha

Posted 02 August 2021 - 04:14 AM

Same thing here from Egypt :clapping:

my WD NAS server with samba share .. always available online

Mainly it hit all my movies collection there :angry:  .. the good thing is that I'm a little bit paranoid about having a single version of my files B)

So .. for me 2 things are of concern :
first .. if i did restore my collection what prevents this from happening again ?? till now nothing :unsure:
second .. i need some good time to restore things but that is not a big deal :blush:
 



#38 fluffypeach

Posted 02 August 2021 - 04:43 AM

This is my concern and why I was trying to work out what exploit they used. I've abandoned samba for the moment and I'm just using USB drives and my backup drives directly without using samba. I suspect if this is happening still, then there needs to be an exploit fix before we can go back to using it.
I don't know which team of people look after samba though. 



#39 shelz8

Posted 02 August 2021 - 05:03 AM

 

My UnRAID Server uses SMB but I use it daily



#40 kristan_

Posted 02 August 2021 - 05:14 AM

 

 

You can use Samba, just don't share the port to the internet.



#41 shelz8

Posted 02 August 2021 - 07:27 AM

 

 

 

I deleted the port forward for SMB and I lost 7TB of files out of 24TB



#42 DrKamBoosha

Posted 02 August 2021 - 07:21 PM

So in numbers are we talking about blocking ports 139 & 445 only ??
in other words , anyone blocking those ports & got infected ??



#43 shelz8

Posted 03 August 2021 - 01:17 AM

I only have 445 open on the router but I deleted it yesterday

Edited by shelz8, 03 August 2021 - 01:19 AM.


#44 kristan_

Posted 03 August 2021 - 03:11 AM

If the SMB ports were not open then SMB isn't connected to the internet so they would not have been affected.



#45 CKlabs

Posted 03 August 2021 - 04:26 AM

yes my personal opinion is that they :

- scan the net looking for SMB exposed ports

- test for a couple of SMB exploits and check if unpatched on the found SMB machine : some to gain root privileges directly , others to upload a payload that will run with root level ( like the .so found )

- if any of the exp. works they launch the encryption tool, remotely if cannot upload payload or they run the uploaded payload.

... in my case no payload was uploaded so they found an unpatched SMB exp. for remote root execution privileges and did a remote encryption by mounting the SMB shares remotely ... this can explain why they did not complete the encryption of all files, probably I disconnected the NAS from internet while they were doing it ...

PS:

I recovered almost all "work" files ... just have tons of pictures and movies still encrypted ... if anyone needs some encrypted/original files I have many of them I can provide to help reversing the encryption method.


Edited by CKlabs, 03 August 2021 - 04:30 AM.
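The posts above (#40 through #45) converge on one mitigation: SMB on TCP 139/445 must not be reachable from the internet, and a share that is writable to whoever connects is exactly what an encryptor needs. Removing the router's port forward is the first fix; the second is to make the Samba config itself refuse connections from outside the LAN, so that a future forwarding mistake does not re-expose the shares. The audit below is an added example written for this thread, not code from any poster or from the Samba project. It parses an smb.conf and flags the settings that widen exposure: `bind interfaces only`, `hosts allow`, `server min protocol`, `map to guest` at the global level, and `guest ok` combined with a writable share. Both smb.conf texts are constructed samples, one weak and one restricted to a LAN subnet; the 192.168.1.0/24 range, the `/mnt/media` path and the `@media` group are placeholders.

```python
"""Audit an smb.conf for settings that widen exposure of SMB shares.

Added example for the 0xxx thread, not any poster's code. The option
names are Samba's; the two configs below are constructed samples.
"""

# Constructed: a home-NAS smb.conf with no network restriction and a
# guest-writable share. Only a router rule stands between it and port 445 scans.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User

[media]
   path = /mnt/media
   read only = no
   guest ok = yes
"""

# Constructed: the same server limited to the LAN (placeholder subnet) and to
# named users, so an accidental port forward does not expose a usable share.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2
   bind interfaces only = yes
   interfaces = lo 192.168.1.0/24
   hosts allow = 127.0.0.1 192.168.1.0/24
   hosts deny = ALL
   map to guest = Never

[media]
   path = /mnt/media
   read only = no
   guest ok = no
   valid users = @media
"""

LEGACY_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse '[section]' / 'key = value' lines into {section: {key: value}}.

    Keys are lower-cased; '#' and ';' comments and blank lines are skipped.
    Samba's 'include' and %-substitutions are deliberately not handled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def _share_is_writable(share):
    # 'writable'/'writeable' are the inverse of 'read only'; default is read only.
    if "read only" in share:
        return not _is_true(share["read only"])
    return any(_is_true(share.get(k)) for k in ("writable", "writeable"))


def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    sections = parse_smb_conf(text)
    g = sections.get("global", {})
    findings = []
    if not _is_true(g.get("bind interfaces only")):
        findings.append("global: 'bind interfaces only' not enabled; smbd accepts connections on every interface")
    if not g.get("hosts allow"):
        findings.append("global: no 'hosts allow'; any address that reaches port 445 may attempt to authenticate")
    if g.get("server min protocol", "").lower() in LEGACY_DIALECTS:
        findings.append(f"global: 'server min protocol = {g['server min protocol']}' permits pre-SMB2 dialects")
    if g.get("map to guest", "never").lower() != "never":
        findings.append(f"global: 'map to guest = {g['map to guest']}' maps failed logins to the guest account")
    for name, share in sections.items():
        if name in ("global", "homes", "printers"):
            continue
        guest = _is_true(share.get("guest ok")) or _is_true(share.get("public"))
        if guest and _share_is_writable(share):
            findings.append(f"[{name}]: guest-accessible and writable; anyone reaching the share can overwrite or encrypt its files")
        elif guest:
            findings.append(f"[{name}]: guest-accessible; contents readable without credentials")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_smb_conf(conf) or ['no findings']}")
```

Run it against the real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`. The config-level checks complement, rather than replace, removing the port forward: `hosts allow` and `bind interfaces only` stop a connection that has already reached the box, while the router rule stops it from arriving at all.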




