Hello all.
Last night i’ve been attacked by 0xxx Ransomware on my Truenas Scale server.
I lost around 20TB of movies/series in my Plex pool.
I can’t figure out how they breached and run such code.
Has anyone have experience with this? How to prevent in the future?
Thanks
Take snapshots, have backups, including offline backups.
Hopefully you will have a snapshot that you can roll back to. Don’t do the roll-back until you have identified where the ransomware is running and removed it.
The ransomware could be running on literally any device that has access to the data either locally on your TrueNAS box or via a network share on a PC (or possibly a mobile phone or tablet though that is less likely).
Do you have any idea which device it could be?
the ransomware was in the server ?
i need to figure out if they attacked through plex port (32400) or any sip/rtp open port.
Seems strange anyway, as SMB shares are not accessible outside, and despite for plex, nothing else can access smb shares.
computers were off at the moment of attack…
That suggests the router may have been compromised. Is the firmware up to date, have all ports you don’t need been closed?
Are the IoT devices on their own subLAN so they cannot speak to the NAS?
I suspect that this is not the only thing that your TrueNAS server is missing. As and when you have resolved your ransomware issue, you should probably review your use of all the things that TrueNAS / ZFS provide to help keep your data safe:
If your system has been compromised by ransomware having found its way into a downstream Docker image that you use for an app, this may be difficult to find and fix. But if we assume that the ransomware code is running elsewhere on your TrueNAS box, I would do the following:
Check that your TN configuration is clean - check UI System Settings / Advanced / Init Scripts to check that TN infrastructure isn’t starting the malware. Check that your installed apps lost doesn’t contain any apps you don’t recognise. Then take a copy of your system configuration including keys.
Scan your non-boot pools and non-ix-app datasets for files with the executable attribute set and remove any files which are suspect (or remove the executable attribute).
Reinstall TN from scratch and import your configuration file.
Run step 2. again to make sure that nothing has reappeared.
P.S. There used to be a ClamAV app, but I am not sure whether it was an iX or TrueCharts app. If it still exists, would it find ransomware like this?
What do you think these two things have to do with each other? Even if you didn’t immediately contradict this by listing a bunch of non-Apple devices, what makes you think Apple devices are immune?
I wouldn’t count on the Apple devices being immune either. It’s why kids and guests are on a different VLAN than the NAS. It’s good hygiene. That said, uPNP and like “helpful” standards make it way too easy in my book to give folk the keys to the kingdom.
I second the call for snapshots, scrubs, and external (ideally off-site) backups.
Once you have everything set back up, also consider setting a different user account for viewing content (that is READ-only) vs. admin accounts that can write, delete, or otherwise manipulate content.
While I would never give an IoT device access to my NAS (see hygiene above), one can limit “easy damage potential” by limiting access of each IoT device to dataset/folder-specific level. Yes, there always is the risk of permission escalation, etc. but at least the script kiddies will be kept at bay for some time.
I recently killed 9 pieces of malware from my sons Mac… would be easy to have a cryptolocker, even on a Mac, if kids are downloading crap.
I’m sorry for your loss, but it would be a good idea to setup snapshots
My bet would be a successful phishing attempt on a device that is connected to your LAN.
I wrote something very long to try to explain how this could happen but I’ll keep it short.
Check every device that has your dataset mounted as a share (or if they have done so in the past). Have any of those been hit by this ransomware as well?
Look for which device has a ransom note, this will be your best indicator at figuring out which device this originated from. If it was deployed on TrueNAS (which I find unlikely), it will probably be in a home directory or /tmp.
Review what you have exposed to the internet and whether or not they are potential attack vectors. If you need help with this I can take a quick look for you.
Little update: i think it was SMB exposed (shame on me) but not sure about it.
I was able to completely rebuild lost data, i then scheduled daily snapshots and built an off-site backup server with data sync over ftp every night, and it also have snapshots.
Think my data is pretty safe now
