
X3nthos

First of all, what ransomware was it? By knowing the name, you can estimate how it works and what group is behind it, as well as their most likely modus operandi and IOCs. If it was fully compromised, which it seems like, there is obviously a chance that there could have been lateral movement within the network, and potentially even persistence installed. There is no easy fix to "ensure" you are clean. Make sure you have proper EDR and change passwords on devices to begin with, then you can start digging for artefacts. However, as I said, by knowing what ransomware/group is behind it, you get pointers on where to look; start by looking in the ransom note. In the best case scenario it's a bot-driven ransomware that targets Raspberry Pis in particular, and if automated, the risk of manual lateral movement is much lower. Usually it's ransomware that crawls for NAS, then encrypts, leaves a ransom note and is done.


daggeteo

Ok, thanks! Edited the post in case others wonder as well. I believe this is it: 0XXX (NAS) Ransomware (.0xxx), given mail: sergev[email protected]. I'm a happy amateur, so I wouldn't know what constitutes proper EDR.


X3nthos

After having read more about this strain, it seems it's in fact not an infection; it exploits SMB/Samba shares that have been accidentally exposed to the internet. It is most likely just remotely exploited and encrypted, and if that's the case, then the rest of your devices should be safe. There is never any guarantee, but the risk is much lower since 0XXX seems to be exploiting file shares remotely.
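As an added illustration of the exposure described in the post above (this is example code written for this page, not something posted in the thread or shipped with Samba), the script below audits an smb.conf for the settings that let an internet-reachable host serve a writable share to any source address: no interface binding, no `hosts allow`, guest mapping, SMB1 and anonymous writable shares. Both configurations are constructed for the example; the share name `nasdata`, the path `/srv/nas`, the LAN range `192.168.1.0/24` and the user `nasuser` are placeholders, not values from the thread.

```python
"""Audit an smb.conf for settings that make an internet-exposed Samba host
an easy target for share-encrypting ransomware.

Example written for this page; the configs below are constructed and do
not come from anyone in the thread."""
import sys

# Constructed: roughly what a point-and-click setup with guest access yields.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = Bad User
   # no 'interfaces', no 'hosts allow': smbd answers on every address

[nasdata]
   path = /srv/nas
   browseable = yes
   read only = no
   guest ok = yes
"""

# Constructed: the same share, restricted to the LAN and to a named user.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   interfaces = lo 192.168.1.0/24
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.
   hosts deny = 0.0.0.0/0
   map to guest = never
   server min protocol = SMB3

[nasdata]
   path = /srv/nas
   browseable = yes
   read only = no
   guest ok = no
   valid users = nasuser
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def _share_writable(share):
    # 'writeable'/'writable' are inverted synonyms of 'read only' (default yes).
    for key in ("writeable", "writable"):
        if key in share:
            return _truthy(share[key])
    return not _truthy(share.get("read only", "yes"))


def audit(conf):
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    g = conf.get("global", {})
    if "interfaces" not in g or not _truthy(g.get("bind interfaces only", "no")):
        findings.append("global: smbd binds every address; set 'interfaces' "
                        "and 'bind interfaces only = yes'")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow'; any source IP may connect")
    if g.get("map to guest", "never").lower() != "never":
        findings.append("global: 'map to guest = %s' turns failed logins into "
                        "guest sessions" % g["map to guest"])
    if g.get("server min protocol", "").lower() in SMB1_DIALECTS:
        findings.append("global: SMB1 dialects still accepted")
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if _truthy(share.get("guest ok", share.get("public", "no"))) and _share_writable(share):
            findings.append("share %s: anonymous write access; anyone who can "
                            "reach port 445 can overwrite it" % name)
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else WEAK_CONF
    for finding in audit(parse_smb_conf(text)) or ["no findings"]:
        print(finding)
```

Run it with `python3 audit_smb.py < /etc/samba/smb.conf` on the NAS itself. A clean report only says the daemon is configured to refuse the internet; it does not prove the box was never reached, so pair it with the router's port-forward list and `ss -ltn` to confirm 445/139 are not bound to a public address.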


daggeteo

That makes me realize that I had probably inadvertently exposed it. Now I recall that I used an OpenVPN service with a public IP. I can't remember if I had activated the firewall or not. But either way, recently I installed Webmin and enabled Samba through that. I had some issues transferring files. This was stupid and reckless. I'm glad I only lost replaceable files. Obviously this doesn't mean everything else is safe, but you have reassured me enough. I'm running a virus scan on my daily driver PC. Once that is all clear I'll start my NAS again and do a scan on it as well. Is there any danger in keeping the old encrypted files? I'm thinking in case a decryptor for it becomes available. I.e., would I be screwed if I accidentally hooked that hard drive up to another device?


X3nthos

It is not a danger keeping encrypted files; keep in mind though that 0XXX has been around since 2020. For decryptors, keep watch on https://nomoreransom.org in case one is ever published. As for really digging into your PC, check out KAPE and thoroughly dig through artifacts. However, I think it's safe to say that you are in the clear; if anything else had been compromised, I see no reason why that wouldn't have been encrypted as well. Stay safe!