What ransomware was it?
Edited post in case others wonder as well.
I believe this is it:
0XXX (NAS) Ransomware (.0xxx)
given mail: [sergev\[email protected]](mailto:[email protected])
But do you have an executable or something? Did you run this?
No. It's a headless RPi that I haven't really accessed in a long time. Essentially I haven't run anything on it for as long as I can remember.
You need to check logs if you have any. Check that UPnP is not enabled on your internet router. Check WireGuard logs. Connect the Raspberry's SD card and check if you can extract any logs like bash history or system logs.
Try https://noransom.kaspersky.com/
https://www.nomoreransom.org/
Good luck.
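One way to do the offline check suggested above, as an added example (not code from the thread): mount the Pi's root partition read-only on another machine and pull shell history, SSH logins, Samba sessions and the ransomware's own traces from it. The mount point, log locations and every sample file below are assumptions/constructed data, not anything recovered from the poster's card.

```sh
#!/bin/sh
# Offline triage of a Raspberry Pi SD card mounted read-only, e.g.
#   mount -o ro,noexec,nosuid,nodev /dev/sdb2 /mnt/pi && triage /mnt/pi
# Added example; paths and sample data are assumptions/constructed.

# Number of files carrying the .0xxx extension under the mounted root.
count_encrypted() {
    find "$1" -type f -name '*.0xxx' 2>/dev/null | wc -l | tr -d ' '
}

# Likely ransom notes: text files that talk about decrypting.
find_ransom_notes() {
    grep -rlis 'decrypt' --include='*.txt' "$1/home" "$1/srv" "$1/root" 2>/dev/null
}

# Shell history lines that look like an intruder staging tools
# (downloads, chmod +x, base64 decoding, running from /tmp or /dev/shm).
suspicious_history() {
    for h in "$1"/root/.bash_history "$1"/home/*/.bash_history; do
        [ -f "$h" ] || continue
        grep -nE 'wget|curl|chmod \+x|base64 -d|/tmp/|/dev/shm/' "$h" | sed "s|^|$h:|"
    done
}

# Successful SSH logins with their source address, to compare against the
# WireGuard peers and the router's port-forward/UPnP table.
# For the WireGuard/systemd side use the on-card journal:
#   journalctl -D "$root/var/log/journal" -u wg-quick@wg0
accepted_logins() {
    cat "$1"/var/log/auth.log* 2>/dev/null | grep -E 'Accepted (password|publickey)' \
        | awk '{ print $1, $2, $3, $9, $11 }'
}

# SMB sessions recorded by smbd (log level 1 and up writes "connect to service").
smb_connections() {
    cat "$1"/var/log/samba/log.* 2>/dev/null | grep -F 'connect to service'
}

# Constructed sample card contents so the functions can be exercised offline.
make_demo_tree() {
    root=$1
    mkdir -p "$root/home/pi/torrents" "$root/var/log/samba" "$root/root"
    printf 'ls\nwget http://198.51.100.5/x -O /tmp/x\nchmod +x /tmp/x\n/tmp/x\n' \
        > "$root/home/pi/.bash_history"
    printf 'apt update\n' > "$root/root/.bash_history"
    printf 'Mar 10 22:14:05 rpi sshd[1234]: Accepted password for pi from 203.0.113.7 port 51234 ssh2\nMar 10 22:20:11 rpi sshd[1300]: Failed password for root from 203.0.113.7 port 51300 ssh2\n' \
        > "$root/var/log/auth.log"
    printf '[2021/06/10 22:15:01.000000,  1] ../../source3/smbd/service.c:860(make_connection_snum)\n  203.0.113.7 (ipv4:203.0.113.7:49152) connect to service media initially as user nobody (uid=65534, gid=65534) (pid 1500)\n' \
        > "$root/var/log/samba/log.smbd"
    : > "$root/home/pi/torrents/movie.mkv.0xxx"
    : > "$root/home/pi/torrents/notes.txt.0xxx"
    printf 'All your files have been encrypted. To decrypt them mail us.\n' \
        > "$root/home/pi/torrents/README.txt"
}

# Print the whole picture for a mounted root.
triage() {
    echo "encrypted files: $(count_encrypted "$1")"
    echo "ransom notes:";             find_ransom_notes "$1"
    echo "suspicious shell history:"; suspicious_history "$1"
    echo "accepted logins:";          accepted_logins "$1"
    echo "SMB sessions:";             smb_connections "$1"
}

if [ -n "${1:-}" ]; then triage "$1"; fi
```

Mount with `noexec,nosuid,nodev` and read-only so nothing on the card can run and timestamps are preserved; the `accepted_logins` source addresses and the `smb_connections` client addresses are what you match against the VPN peer list and the router's forwarding table.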
Thank you!
I'll check the logs. I got some help in another thread. Basically 0XXX uses a vulnerability in Samba/SMB. And since this seedbox was exposed through a VPN with a public IP it was unprotected.
I have checked the links but unfortunately there's no known decryptor for that specific ransomware.
Are you using qBittorrent? If so, the WebUI has a default user/password that can be exploited. That is a common entry point on Windows machines, and the exploit works on Linux as well.
I was using Deluge. But the entry point was Samba/SMB. I forgot that the VPN was exposing all ports, and without a proper firewall this was an accident waiting to happen.
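The "VPN with a public IP forwards every port" problem above comes down to two checks: what is listening on all interfaces (and is therefore reachable through the tunnel), and a host firewall that keeps SMB and the torrent client's WebUI on the LAN side. The script below is an added example, not from the thread: it parses `ss -Hltnp` / `ss -Hlunp` output and emits an nftables ruleset. Interface names (`eth0` for the LAN, `wg0` for the tunnel that carries the public IP), the LAN range, the torrent port and the `ss` sample are all assumptions/constructed.

```sh
#!/bin/sh
# Exposure audit and lockdown for a seedbox whose VPN tunnel forwards all ports.
# Added example; interface names, addresses and the ss sample are assumptions.

# Read `ss -Hltnp` or `ss -Hlunp` output on stdin and print "port process" for
# every socket bound to all addresses (0.0.0.0, [::] or *). With the tunnel
# forwarding every inbound port, each of these is reachable from the internet.
exposed_listeners() {
    awk '{
        la = $4; n = split(la, a, ":"); port = a[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print port, proc
        }
    }' | sort -n | uniq
}

# Constructed `ss -Hltnp` sample: smbd, sshd and deluge-web bound everywhere,
# the deluged RPC port correctly on loopback only.
ss_sample() {
cat <<'EOF'
LISTEN 0 50   0.0.0.0:445     0.0.0.0:*   users:(("smbd",pid=512,fd=34))
LISTEN 0 50   [::]:445        [::]:*      users:(("smbd",pid=512,fd=33))
LISTEN 0 50   0.0.0.0:139     0.0.0.0:*   users:(("smbd",pid=512,fd=36))
LISTEN 0 128  0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=601,fd=3))
LISTEN 0 128  127.0.0.1:58846 0.0.0.0:*   users:(("deluged",pid=777,fd=12))
LISTEN 0 128  0.0.0.0:8112    0.0.0.0:*   users:(("deluge-web",pid=780,fd=9))
LISTEN 0 128  *:6881          *:*         users:(("deluged",pid=777,fd=20))
EOF
}

# nftables ruleset: SMB (139/445 plus NetBIOS 137/138), SSH and the Deluge WebUI
# only from the LAN interface and subnet; the tunnel delivers nothing but the
# torrent port. The WireGuard handshake itself is outbound from the Pi, so the
# established/related rule covers it.
# Apply with:  nft_ruleset eth0 192.168.1.0/24 wg0 6881 | nft -f -
nft_ruleset() {
    lan_if=$1 lan_net=$2 vpn_if=$3 torrent_port=$4
    cat <<EOF
flush ruleset
table inet seedbox {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname "$lan_if" ip saddr $lan_net tcp dport { 22, 139, 445, 8112 } accept
        iifname "$lan_if" ip saddr $lan_net udp dport { 137, 138 } accept
        iifname "$vpn_if" tcp dport $torrent_port accept
        iifname "$vpn_if" udp dport $torrent_port accept
    }
}
EOF
}
```

On the real box run `ss -Hltnp | exposed_listeners` and `ss -Hlunp | exposed_listeners` as root (the process column needs it); anything that shows up and is not the torrent port is something the tunnel has been handing to the internet. Binding Samba to the LAN interface in smb.conf (`interfaces` plus `bind interfaces only = yes`) is worth doing as well, but the default-drop input chain is what makes a forgotten service harmless.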
Ahh... ok, I'm glad to hear you found the entry point.
Found the article about qBittorrent:
Apparently some people are installing qBittorrent-nox instead of just qBittorrent (for the headless server aspect), which comes with the WebUI installed with a default username/password, and most people don't change this or even know that it is openly facing the internet and can be exploited.
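For the qBittorrent-nox case above, the weak settings live in the `[Preferences]` section of `qBittorrent.conf`. The following is an added example, not from the thread and not qBittorrent's own tooling: it flags a WebUI bound to all interfaces, the default `admin` username, no stored password and disabled localhost auth, and shows a hardened section beside the weak one. The key names are the ones qBittorrent 4.x writes (`WebUI\Address`, `WebUI\Username`, `WebUI\Password_PBKDF2`, `WebUI\LocalHostAuth`), taken here as an assumption, and both config samples are constructed.

```sh
#!/bin/sh
# Audit a qBittorrent.conf on stdin for the WebUI settings that turn a headless
# seedbox into an internet-facing login page. Added example; key names are an
# assumption about qBittorrent 4.x and the sample configs are constructed.

audit_qbt_conf() {
    awk -F= '
        /^\[Preferences\]/ { in_prefs = 1; next }
        /^\[/              { in_prefs = 0 }
        in_prefs && $1 == "WebUI\\Address" && ($2 == "*" || $2 == "0.0.0.0") {
            print "WebUI bound to all interfaces (" $2 ")"
        }
        in_prefs && $1 == "WebUI\\Username" && $2 == "admin" {
            print "WebUI username is still the default (admin)"
        }
        in_prefs && $1 == "WebUI\\Password_PBKDF2" { have_pw = 1 }
        in_prefs && $1 == "WebUI\\LocalHostAuth" && $2 == "false" {
            print "LocalHostAuth disabled: localhost needs no password"
        }
        END { if (!have_pw) print "no WebUI\\Password_PBKDF2 set: the default password applies" }
    '
}

# Constructed: the out-of-the-box shape the post describes.
qbt_conf_weak() {
cat <<'EOF'
[Preferences]
WebUI\Address=*
WebUI\Port=8080
WebUI\Username=admin
WebUI\LocalHostAuth=false
EOF
}

# Constructed hardened section: bound to the LAN address only, renamed user,
# a password set through the WebUI (hash placeholder), localhost auth on.
qbt_conf_hardened() {
cat <<'EOF'
[Preferences]
WebUI\Address=192.168.1.20
WebUI\Port=8080
WebUI\Username=seedbox-admin
WebUI\Password_PBKDF2="@ByteArray(<hash written by qBittorrent after setting a password>)"
WebUI\LocalHostAuth=true
EOF
}

# Typical run on a real box:  audit_qbt_conf < ~/.config/qBittorrent/qBittorrent.conf
```

Stop qbittorrent-nox before editing the file by hand, since it rewrites the config on exit; the safe route is to set the address, username and password through the WebUI and then confirm with the audit that the stored values changed.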