
... And Ransomware... Rrrrrrr


chef


And I got ransomed, even though Avast was running and I had password protected the server and had only necessary ports open.

Everything gone.

All my entire libraries!

Two-bit hacks. I'm mad!

https://youtu.be/Wvc3CeRI3m8

Edited by chef

jachin99

Have you looked into Password crackers?  http://ophcrack.sourceforge.net/ I don't really know much about your situation, and I would hate that if it were me.  I have a someday goal of just periodically mirroring my server, and then unplugging the backup device as soon as it is done.  I already have this for some of my OS drives but my media hasn't been backed up.  


What do you think the odds are that my server would get attacked again?

Edited by chef

Guest asrequested


There's really no way to know. My gateway logs show repeated attempts. So I've put Sophos on all of my machines, too.


Guest asrequested

With one license you can put Sophos on 10 machines. I'm so happy I enabled IPS on my gateway. It's scary to see how much it's blocking. The alerts bubble is constantly at 99+. There are thousands of blocked IPs, and it gives info on each IP.


The ransomware was using a forward facing proxy, which they bought the domain with. So... no use following up really.

 

Their interface was a cheap Windows form application with a web browser linking to their Bitcoin.

 

The first part of the application which I can figure out was that it went for .dll files, but also encrypted all my personal files like .mkv, .jpeg, .Avi, .png etc.

 

Rebooting the system caused it to black screen during load explaining corrupted files.

 

All external/personal drives encrypted.

 

It isn't a masterpiece of application programming but serves as a quick and dirty way to see if someone will pay.


clarkss12

Wow!!! I have an older Synology NAS that I back up some/most of my media files to. I only power it on to perform a sync up. I also have a portable 4 terabyte HD that I use to back up my important data. I keep it hidden and back up weekly.

 

But I would still be devastated to get hacked and lose my media that is not backed up.


Did they compromise only the Emby server, or did they get into the box and then compromise Emby?

I have Emby set up behind a certificate auth VPN and I use fail2ban on my Ubuntu box.

This way, if they are attacking the Ubuntu box online, it's going to increase their crack time greatly, especially with a 1 week ban after x login attempts.


I am sorry to hear that. What kind of network equipment do you have at home? A few months ago there was a major vulnerability in many SOHO routers. Do you allow remote access to systems?

I would probably wipe and rebuild one computer on your network, not connected to your home network. Then patch it and put good A/V on it. Then flash all your network equipment with known reliable firmwares. Then re-setup passwords on it all. Don’t re-use any of your old passwords. Change your online account passwords.

I think it might be time to up your home’s network security game.

Here, I use pfSense as my firewall. I break security up into a handful of vectors.

1. Being forwarded to malicious domains -

A. Get a good DNSBL system like Pi-hole. Then use OpenDNS as your upstream DNS servers.

B. Block port 53 requests to the public Internet from clients (not your local DNS server).

2. Network traffic to or from malicious sources -

A. Get IPv4/6 block lists to drop the traffic as it gets to your firewall’s WAN interface.

B. Get IPS - I use this to monitor suspicious traffic. This service classically takes a lot of work to determine what is normal traffic and what isn’t.

3. Web browsing - a good web filter will go a long way in keeping you safe while surfing. I have heard good things about Sophos. I also like Squid.

4. Malware that got onto a node on your home network already -

A. A good AV/malware solution.

B. Don’t trust IoT.

I. IoT devices should be split into devices that need access to the Internet and devices that need access to the internal network.

i. Build a guest-only Internet access network and put IoT that needs Internet access there. This would be your Echo Dots, cloud security cameras, media streamers, and smart TVs.

ii. Build a no-Internet-access and limited internal network and put IoT that doesn’t need Internet access there. This would be devices like home automation integrated security systems, local-only security cameras, network printers.

5. If you have publicly facing services (Emby) you may want to assess security on them. I would look at:

A. Brute force source IP blocking - fail2ban.

B. Geo-blocking.

C. MFA.

Edited by Tur0k

So yeah, there weren't any remote access ports open at the time, which leads me to believe that they targeted my domain.

I hosted endpoints for my Alexa custom skills, and also had an endpoint open to Emby so I could use a custom Alexa skill with it and listen to my music library at work.

 

Unfortunately it's all gone now.

 

I have installed a new firewall application now based on @ advice, because Avast Premium absolutely failed at catching the malware. I left a scathing forum post at Avast.

 

The biggest problem now is that I have to fresh install which is giving me trouble. It's just a pain all around.


pir8radio

It sounds like it's too late, but when you say your personal drives were encrypted, how do you know that? Were files visible but unable to be opened? Were drive partitions totally un-mountable or missing? If files were there but you couldn't open them, then yeah, kind of screwed.

Anti-malware programs are pretty much useless IMO. If you have a true "server" don't use it for anything but serving. Don't open any files on it, don't install something to see how it works, then uninstall, don't torrent; you use a different PC for all of that stuff. They didn't "get in" through your web ports unless you have some crazy unsecured server side apps (PHP, ASP, etc.) set up. Make sure any remote access you use is actually secure; TeamViewer with 2FA is nice, don't ever enable the remember me option though. Keep the firewall/router holes to a minimum, try to do everything through one or two ports. Make sure you know what you are installing on your "server". Use Backblaze, it's cheap; I have over 16 TB backed up with them and it costs me like 5 bucks a month, I pay per two years. Once someone gains reverse access to your OS from something you brought in, you are pretty much screwed if you don't pull the plug in time. Make sure your email accounts are secure; 2FA (like Authy) is a little inconvenient but can save other accounts if they gain access to your email. 2FA anything you can lol. Out of band management (IPMI) needs to be secured too, limit it to specific IPs, like your home and a cell phone for backup, no one else. The more convenient it is to access and do stuff on your server, chances are it's easier to hack. The good real hackers out there won't be messing with some guy's media collection, it's the script kiddies that throw all kinds of reverse access malware out hoping to catch something. I don't think you were specifically targeted, just watch what you re-install and expose to the net.

Not sure if any of that helps, but always look at your own system with the mindset "if I wanted to break it how would I do it?" If you forget your passwords and don't have physical access to the server you shouldn't be able to get in; if you can, that is a way someone else can as well. This includes using email to reset a password or something. Email is not secure.

 

Also have a friend pentest your setup...   or once you get back online drop me a PM with your domain name.  :)

Edited by pir8radio

This is very terrible and I can't imagine the pain you feel. A friend of mine had his only TV appearance in a show and he had it recorded on tape. Then, to ensure its lasting survival, he ripped it off the tape and burned it onto digital media, only to find out after a few years that the disc had digital rot and his only TV appearance was lost. When you lose precious one-of-a-kind content, this must be painful for you.

For me the Avast bit is of interest. I am running their Internet Security suite on my Win 7 workstations, which get shut down at the end of the day. My UnRaid servers with the media content have no Internet access and only get powered up when I want to watch something that I transferred to the server's array. However, I do run a QNAP NAS 24/7 with a Plex server on it (Emby was too much of a hassle on that Linux box and is running on a Win 7 Intel NUC which gets powered up with the UnRaid servers). Is there a risk or chance that something similar could happen on the NAS? I do have ports open on it for BitTorrent.

Also, where did you post your scathing message? I would like to see their reply and possibly contribute, as my license runs out next August and I may go for Sophos Home Premium.

 

Thanks

O2G


Jdiesel

I run pfSense on my router and use pfBlockerNG to block access to a bunch of nefarious domains (ransomware, cryptominers, etc). I assume this only prevents those viruses from calling home. I also run a barebones headless Linux system, which greatly reduces the number of vulnerabilities these exploits target. Haven't had any issues yet (fingers crossed).

The most important thing would be to ensure that the system storing the files and any systems accessing the files are fully up to date. My understanding is that most of the ransomware out there targets out-of-date software and doesn't rely on valuable zero-day exploits.


mastrmind11

And set up fail2ban/wail2ban watching any open ports w/ corresponding rules for the services exposed there. It's absurd how many script kiddies bang up against my IP every hour and get themselves banned.


Guest asrequested

I was wondering how to do that on pfsense. I think I'll look into that. Any tips? I'm running a VPN on it, too.


Jdiesel

I would use this guide as a starting point. When it gets to the step about DNSBL Feeds just add the Malicious category. I run the "ads" and "malicious1" feeds with TLD enabled on my Intel n3050 and 2GB of ram with no issue.

 

https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/ 


Guest asrequested

Nice, thanks. My pfSense is way overbuilt, so I have no concerns about resources. I'm definitely going to take a look at this. Thanks again.


Jdiesel

The adblock lists can be a bit conservative, but fortunately domains can easily be permanently whitelisted right from the pfSense dashboard.

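As an added illustration of what the pfBlockerNG DNSBL setup discussed above does (block feed, TLD mode, dashboard whitelist, sinkhole answers), here is a minimal resolver policy in Python; this is example code, not pfBlockerNG's own, and the feed entries, the `.test` TLD, the sinkhole address and the function names are constructed assumptions.

```python
# Constructed stand-ins, not a real pfBlockerNG feed or a real sinkhole address.
DNSBL_FEED = {"tracker.example", "example.net", "evil-c2.example"}  # "malicious1"-style entries
TLD_BLOCK = {"test"}             # TLD mode: every name under these top-level domains is blocked
WHITELIST = {"cdn.example.net"}  # dashboard whitelist; wins over any feed or TLD hit
SINKHOLE = "10.10.10.1"          # blocked names get this answer instead of the real address

def labels(name):
    """Lower-case labels of a DNS name, trailing dot stripped."""
    return name.lower().rstrip(".").split(".")

def parents(name):
    """Yield the name itself and then each parent domain, most specific first."""
    parts = labels(name)
    for i in range(len(parts)):
        yield ".".join(parts[i:])

def is_whitelisted(name):
    """A whitelist entry covers the exact name and everything below it."""
    return any(candidate in WHITELIST for candidate in parents(name))

def matched_entry(name):
    """Return the feed entry or TLD that blocks this name, or None if it is clean."""
    for candidate in parents(name):
        if candidate in DNSBL_FEED:      # a feed entry also covers all of its subdomains
            return candidate
    tld = labels(name)[-1]
    return "." + tld if tld in TLD_BLOCK else None

def resolve(name, upstream):
    """Return (action, answer); upstream is a dict standing in for the OpenDNS forwarder."""
    if not is_whitelisted(name) and matched_entry(name) is not None:
        return ("sinkhole", SINKHOLE)    # malware cannot reach its real host through this answer
    return ("forward", upstream.get(name))
```

The whitelist case shows why the dashboard override matters: a broad feed entry such as `example.net` also catches a legitimate CDN host under it until that host is whitelisted.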

Guest asrequested

Thanks, I'll keep that in mind.


They didn't even reply to the comment on their forum. It's really too bad.

I was a user of Avast Premium for years. Not anymore.


Yes wail2ban. I was just looking at the GitHub yesterday. I'll set this up for certain.

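As an added illustration of the fail2ban/wail2ban advice in this exchange and in the earlier posts (x failures then a long ban), here is the core counting logic in Python run over constructed log lines; this is example code, not fail2ban's, wail2ban's or Emby's, and the log line shape, the defaults (5 failures within 10 minutes, 7-day ban) and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in a generic "date time level message" shape; the real Emby
# log format is not assumed here, so adapt LINE_RE to whatever your server writes.
SAMPLE_LOG = """\
2019-01-05 10:00:01 Info Authentication failed for user admin from 203.0.113.7
2019-01-05 10:00:03 Info Authentication failed for user admin from 203.0.113.7
2019-01-05 10:00:04 Info Authentication failed for user root from 203.0.113.7
2019-01-05 10:00:06 Info Authentication failed for user admin from 203.0.113.7
2019-01-05 10:00:07 Info Authentication failed for user test from 203.0.113.7
2019-01-05 10:00:30 Info Authentication failed for user admin from 203.0.113.7
2019-01-05 10:05:00 Info Authentication failed for user chef from 198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*Authentication failed"
                     r" .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_ts(value):
    return value if isinstance(value, datetime) else datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

class BanTracker:
    # fail2ban-style policy: maxretry failures inside findtime => ban the source for bantime
    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(days=7)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> datetime when the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and parse_ts(now) < expiry

    def observe(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None                     # not an auth failure; nothing to count
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if self.is_banned(ip, ts):
            return ("already_banned", ip)   # the firewall rule would have dropped this
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ("ban", ip)              # here you would add the firewall rule
        return ("fail", ip)

def process(log, **settings):
    """Feed every line through one tracker; returns it and the list of non-None events."""
    tracker = BanTracker(**settings)
    events = [e for e in (tracker.observe(line) for line in log.splitlines()) if e]
    return tracker, events
```

With these defaults a single source gets at most 5 guesses before waiting out a 7-day ban, which is the "increase their crack time greatly" effect described earlier in the thread.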

Well, I have also been a paying customer of their Internet Security suite for years and will be at a decision-making point in 8 months. I searched their forum for "Ransom ware" but could not find your post; what subforum did you post in, and under what alias?

 

Thanks

O2G

