Major help needed .0xxx ransomware


wonderwond

This is the second time the .0xxx ransomware has attacked me in a year.

It ate all my pictures and movies. It's only related to the Emby server. This morning, three plugins installed out of the blue, then bam, was infected. Not sure if that had anything to do with it or not, but can anyone help me save my pictures and movies? I've already repaired my music.

!0XXX_DECRYPTION_README.TXT

Anyone else having the same issues? Or how to prevent it?


Happy2Play
8 minutes ago, wonderwond said:

this morning, three plugins installed out of the blue then bam was infected

Devs will want to see the server logs for this.


wonderwond
6 hours ago, Luke said:

Also, what three plugins?

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7


12 minutes ago, wonderwond said:

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

OK as requested before, we'd have to see the server log. The xmltv plugin is included with the server, so anytime we publish updates for it, you'll get that update. So this was not a new plugin installation, it was an update of an existing one.


wonderwond
6 minutes ago, Luke said:

OK as requested before, we'd have to see the server log. The xmltv plugin is included with the server, so anytime we publish updates for it, you'll get that update. So this was not a new plugin installation, it was an update of an existing one.

logs.zip

7 hours ago, Luke said:

Also, what three plugins?

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

logs.zip


8 minutes ago, wonderwond said:

logs.zip Unavailable

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

logs.zip 2.31 MB · 0 downloads

This is a whole folder full of log files, so obviously a lot of information to sift through. So first some questions:

  • What makes you think this is Emby server related?
  • Do you think an unknown actor accessed your server? If so, do you have any idea when?
  • Have you noticed any unrecognized IP addresses in the server activity viewer? If so, what, when, etc.?
  • Do all of your users have passwords?

15 minutes ago, wonderwond said:

logs.zip Unavailable

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

logs.zip 2.31 MB · 1 download

And by the way, these are not newly installed plugins. They are present in every single log that you provided.

I do see where you uninstalled Addic7ed, but they were not just installed during the time of these logs.


wonderwond
On 2/25/2024 at 5:08 PM, softworkz said:

@wonderwond This malware is very unlikely connected to Emby in any way.

You can:

 

Maybe not, but all I do know is that it only affected folders on Emby; no other folder or drive was infected by it, just Emby media folders that were used.


14 minutes ago, wonderwond said:

Maybe not, but all I do know is that it only affected folders on Emby; no other folder or drive was infected by it, just Emby media folders that were used.

Emby does not set the permissions on your media folders, that's something that you do.
