Linux machine hit by ransomware
I apologize for the length of this question.
After running Debian for nearly 30 years (and other distros prior to
that), my Linux server was hit by a ransomware attack about 11 days
ago. I have backups, so nothing important has been lost at this point.
However, I can't figure out how it got in, how it works, if there are
executables on my computer that need to be cleaned, etc. I believe I
have been able to stop the attack, by simply fixing permissions on
directories and files. However, that obviously doesn't remove or block
the attack from my machine.
When I search for this malware on the web, I find Windows-specific
discussions. If I'm unable to learn what to do from the folks here,
suggestions about where to go for information and help would be most
welcome.
Here's what I have observed and done, which might have some clues:
- I first noticed it because of the rattling of the hard drive and the
hard drive activity light on solid.
- Looking at iotop and top, I expected to see some process pegging the
CPU and the disk I/O, but nothing seemed to stand out. I may have seen a
Chromium thread doing a lot of I/O, but not for long.
- I unplugged the network ethernet cable and it stopped. Later that day,
I reconnected it and it started up again, but it seemed like it wasn't
until an hour or three later. Then I unplugged it again.
- At first I thought it was related to my media servers, Plex and Kodi,
because the only files that I found to be encrypted were videos, audio
files, and image files. Then I found 1 encrypted file that was
different: my procmail rules file. This led me to notice that all of
the encrypted files had "other" write permissions (666, 777). These were
pretty much all old files from various sources. For example, photos from
up to 20 years ago from other people's cameras, etc.
- Because I suspected Kodi, I powered off the 3 android boxes I have in
the house that run Kodi to access my server (using MariaDB and smb). I
haven't yet turned on any of these boxes again.
- The attack left a text file in every directory where it encrypted
files, with the name
"5a067ee9_3a53aaff_1aedfa64___READ_THIS___5a067ee9_3a53aaff_1aedfa64.txt",
with owner/group "nobody/nogroup". I've quoted the ransom file text below.
- No files outside of my home directory have been touched. I believe
that only files writable by "other" were encrypted. After encryption,
the files have a timestamp of the time of encryption, and are still
owned by me. The encrypted files have names like
"0H1JsqXEw5.fse_5a067ee9_3a53aaff_1aedfa64", where the characters after
the dot (the extension, so to speak) are always the same.
- I have found and changed the permissions of every file and directory
(except for /tmp) writable by "other". When I connect the ethernet
network cable now, there seems to be no further encrypting by the
malware. I check this by the lack of disk activity, by using the find
command to search for files newer than the time I last connected to the
network, and by running "updatedb" and "locate" for filenames containing
"READ_THIS" and "fse_". I disconnect the network overnight though, just
in case.
- I eventually realized that some files that appeared to be encrypted
had not been renamed. I don't know what to think about this, other than
maybe the malware program doesn't rename files until a directory is
completed, and I disconnected the network cable while it appeared to be
active.
- During all this, there was a power outage. After that, one Windows PC
that belonged to my mother has not been powered back on. I think I've
read that such malware can jump from Windows to Linux.
Some thoughts:
I read that files created by NFS or smb can be owned by nobody/nogroup.
The 2 running processes owned by nobody are /usr/bin/memcached and
/usr/sbin/smbd. The remote kodi boxes access the server files using smb.
I don't know what it means that only files owned by me have been hit,
and only files with 777/666 permissions. Given that the new files are
created by nobody, it seems like they aren't able to actually log into
my account?
The ransomware notification file:
ATTENTION!
All your files documents, photos, databases and other important files
are encrypted by FuxSocy encryptor.
The only method of recovering files is to purchase a private key. It is
on our server and only we can recover your files.
1. Visit https://tox.chat/download.html
2. Download and install qTOX on your PC.
3. Open it, click "New Profile" and create profile.
4. Click "Add friends" button and search our contact -
AD049F565435C774D2A7D0A96FC2CC2E4AB5D6B860AEB52F2B1F6A01BB2682104F1361981FDE
The alternative way to contact as is to use Jabber:
1. Visit https://psi-im.org/download/
2. Download and install Psi on your PC.
3. Register new account on https://thesecure.biz:5281/register/new
4. Add new account in Psi.
5. Add our contact - king_size_banana@thesecure.biz
If you have problems to contact us via TOX and JABBER - send message to
our email address KingSizeBanana@cock.li or king_size_banana@tutanota.com
This communication method is VERY UNRELIABLE, use it only as a last
resort. If you have not received an answer within 12 hours - try again
or write to TOX or JABBER.
In message please write your ID and wait our answer:
5a067ee9_3a53aaff_1aedfa64
Please note, this is time limited offer. You have about 7 days to
contact us - after Jul 03 your private key will be deleted automatically
and there will be no ways to get your files back. DO NOT try to recover
your files by yourself, it may damage your data.
Reply to:
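The checks the poster describes (finding world-writable files, looking for the ransom note and the renamed files, and listing files modified since the network was last connected) can be scripted so they run against the live tree rather than a stale locate database. The following is an added example and not part of the original post: it builds a constructed sample directory (the file names in it are made up; only the ID string and the ".fse_" suffix are taken from the post), then runs each check as a shell function. Real usage is "sh triage.sh /home/you"; the sample tree exists only so the script can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a tree
# where only world-writable files were encrypted. Assumes GNU or POSIX
# find, chmod and touch; no locate/updatedb needed.

ID="5a067ee9_3a53aaff_1aedfa64"            # victim ID quoted in the post
ENC_SUFFIX=".fse_${ID}"                      # suffix on encrypted files
NOTE_NAME="${ID}___READ_THIS___${ID}.txt"    # ransom note file name

# Build a constructed sample tree under $1 (hypothetical data, demo only).
# Permissions are set explicitly so the demo does not depend on umask.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/photos" "$root/music" "$root/docs"
    chmod 755 "$root/photos" "$root/music" "$root/docs"
    printf 'jpeg data\n' > "$root/photos/holiday.jpg"
    printf 'mp3 data\n'  > "$root/music/track.mp3"
    printf 'private\n'   > "$root/docs/notes.txt"
    printf ':0:\n'       > "$root/.procmailrc"
    # Mirror the observation: two files are writable by "other" (666),
    # the rest are not.
    chmod 666 "$root/photos/holiday.jpg" "$root/.procmailrc"
    chmod 644 "$root/music/track.mp3"
    chmod 600 "$root/docs/notes.txt"
    # Simulated encrypted file and ransom note, as the malware leaves them.
    printf 'ciphertext\n' > "$root/photos/0H1JsqXEw5${ENC_SUFFIX}"
    printf 'ATTENTION!\n'  > "$root/photos/$NOTE_NAME"
    chmod 644 "$root/photos/0H1JsqXEw5${ENC_SUFFIX}" "$root/photos/$NOTE_NAME"
    # Backdate the untouched files so "modified since" has something to skip.
    touch -t 200001010000 "$root/music/track.mp3" "$root/docs/notes.txt"
}

# 1. Regular files and directories under $1 writable by "other".
#    Sticky-bit directories (like /tmp) are excluded, as the poster did;
#    symlinks are not reported because their mode is meaningless.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print | sort
}

# 2. Files whose name carries the ransom-note marker or the encrypted
#    suffix reported in the post.
find_ransomware_artifacts() {
    find "$1" \( -name "*READ_THIS*" -o -name "*.fse_*" \) -print | sort
}

# 3. Files modified after the mtime of a reference file $2. Create the
#    reference ("touch /root/netcheck") just before plugging the cable in,
#    then run this afterwards to see what changed.
find_modified_since() {
    find "$1" -type f -newer "$2" -print | sort
}

# 4. The fix the poster applied: drop "other" write on everything found
#    by check 1, printing each path that was changed.
remove_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        -print -exec chmod o-w {} + | sort
}

# Usage: sh triage.sh /home/you  (prints the listings for a real tree;
# it does not change anything unless you call remove_world_write yourself)
if [ $# -eq 1 ]; then
    echo "== world-writable =="; find_world_writable "$1"
    echo "== ransomware artifacts =="; find_ransomware_artifacts "$1"
fi
```

Check 1 is the important one: if it prints anything under your home directory after the cleanup, that path is still reachable for writing by whatever runs as nobody (smbd, memcached, or anything else), and is the next candidate for encryption. Check 3 with a reference file is a more reliable "did anything happen while the cable was in" test than watching the disk light.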