
Re: Linux machine hit by ransomware



On 07.07.2025 07:47, Rick Macdonald wrote:
> I apologize for the length of this question.
> ...
> Some thoughts:
>
> I read that files created by NFS or smb can be owned by nobody/nogroup. The 2 running processes owned by nobody are /usr/bin/memcached and /usr/sbin/smbd. The remote kodi boxes access the server files using smb.
>
> I don't know what it means that only files owned by me have been hit, but only files with 777/666 permissions. Given that the new files are created by nobody, it seems like they aren't able to actually log into my account?

To answer that question you need to provide more technical information about your compromised PC and network setup.
Assuming this was an external attack, what ports/services on the compromised PC were exposed to the Internet, for example via port forwarding or directly over IPv6?
SSH server? HTTP/HTTPS server? Was SMB exposed to the Internet? VNC server? XRDP server? Anything else?

If the compromised PC was running locally without remote access from the Internet, there is a possibility of a supply chain attack, for example a plug-in or component laced with malicious code that was installed recently.
Such malware could install a backdoor with a remote shell and report itself to the bad guys.

It is also possible the PC wasn't compromised at all, because this specimen of ransomware seems to be built to work on Windows only, so encryption of files on the compromised PC was done over the network share, as mailing list user Kamil Jońca had guessed.
Samba (mis)configuration is probably to blame for the user "nobody" (meaning shares were accessible anonymously without a password) and the "777/666 permissions" (too liberal a user mask was set and/or Windows doesn't know how to set Linux permissions).
So is there a Windows PC, possibly also compromised, connected to the local network?

You should check the compromised Linux PC at least in the obvious places which malware uses to establish persistence: crontab, sysinit, systemd units, *.rc scripts, etc.
Many of them require root-level access, so it could be very difficult if not impossible to accomplish for spread-hit malware, especially if it didn't get shell access to the compromised Linux PC.

It is not obvious at this point how the malware got in, but usually the payload includes info-stealer type malware, so I would assume your web and email accounts and their passwords, browser cookies, etc. were stolen from a PC which ran the malware executable.


--
 With kindest regards, Alexander.
 Debian - The universal operating system
 https://www.debian.org

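The Samba angle raised above (anonymous access mapped to "nobody", plus masks that leave files 777/666) can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project: it walks an smb.conf and flags `map to guest`, `guest ok`/`public`, `force user = nobody`, and any `create mask`/`directory mask`-style value whose last octal digit grants write to everyone. The two sample configurations it writes are constructed for illustration only (they are not the poster's real config), and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag smb.conf settings that let
# anonymous clients write as "nobody" and create 777/666 files.
# Usage: sh smb_audit.sh /etc/samba/smb.conf   (exit status = number of findings)

audit_smb_conf() {
    conf="$1"
    findings=0
    section="[global]"
    while IFS= read -r line; do
        # Drop comments (; or #) and surrounding whitespace.
        line=$(printf '%s' "$line" | sed 's/[;#].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case "$line" in
            \[*\]) section="$line"; continue ;;
        esac
        key=$(printf '%s' "$line" | cut -d= -f1 | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        val=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^[[:space:]]*//' | tr 'A-Z' 'a-z')
        case "$key" in
            "map to guest")
                [ "$val" = "never" ] || {
                    echo "$section: $key = $val (failed logins are mapped to the guest account)"
                    findings=$((findings + 1)); } ;;
            "guest ok"|"public")
                [ "$val" = "no" ] || {
                    echo "$section: $key = $val (share is usable without a password)"
                    findings=$((findings + 1)); } ;;
            "force user")
                case "$val" in nobody)
                    echo "$section: $key = $val (every file written via this share is owned by nobody)"
                    findings=$((findings + 1)) ;;
                esac ;;
            "create mask"|"create mode"|"directory mask"|"directory mode"|"force create mode"|"force directory mode")
                # Last octal digit is the "other" class; 2, 3, 6 and 7 grant write to everyone.
                case "$val" in *[2367])
                    echo "$section: $key = $val (world-writable)"
                    findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    echo "$findings finding(s) in $conf"
    return "$findings"
}

write_weak_conf() {
    # Constructed sample, not the poster's real config: anonymous guest access
    # plus 0777 masks, the combination that yields nobody-owned 777 files.
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User   ; unknown user names silently become guest
   server role = standalone server

[media]
   path = /srv/media
   guest ok = yes
   writable = yes
   force user = nobody
   create mask = 0777
   directory mask = 0777
EOF
}

write_hardened_conf() {
    # Constructed sample of the same share with guest access off and sane masks.
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Never
   server role = standalone server

[media]
   path = /srv/media
   guest ok = no
   valid users = @media
   writable = yes
   create mask = 0664
   directory mask = 0775
EOF
}

demo() {
    t=$(mktemp -d)
    write_weak_conf "$t/weak.conf"
    write_hardened_conf "$t/hardened.conf"
    audit_smb_conf "$t/weak.conf" || :
    audit_smb_conf "$t/hardened.conf" || :
    rm -rf "$t"
}

if [ "$#" -ge 1 ]; then audit_smb_conf "$1"; else demo; fi
```

Run it with no arguments to see the constructed weak and hardened configs side by side; pass a path to audit a real file. The exit status equals the number of findings, so it drops into a cron or CI check unchanged. The mask check is deliberately coarse: it only looks at the "other" digit, because that is the digit that turns a share into the 777/666 situation described in the thread.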
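For the persistence check suggested above (crontab, sysinit, systemd units, rc scripts), here is an added example script that is not part of the thread: it lists files under the usual Linux persistence locations that changed within the last N days, relative to a root directory so the same function runs against a mounted image of the suspect disk as well as the live system. The location list, the function name and the depth limit for home directories are my assumptions; the sample tree used in the usage check is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list files in the usual Linux
# persistence locations that changed in the last DAYS days. ROOT lets it run
# against a mounted image of the suspect disk as well as the live system.
# Usage: sh recent_persistence.sh / 7     or     sh recent_persistence.sh /mnt/suspect 14

recent_persistence_changes() {
    root="${1%/}"        # "/" becomes "" so paths below stay absolute
    days="${2:-7}"
    for loc in \
        etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly \
        var/spool/cron etc/systemd/system lib/systemd/system usr/lib/systemd/system \
        etc/init.d etc/rc.local etc/rc.d etc/profile etc/profile.d etc/bash.bashrc \
        etc/ld.so.preload etc/xdg/autostart root home
    do
        p="$root/$loc"
        [ -e "$p" ] || continue
        case "$loc" in
            root|home)
                # In home directories only look at shell start-up files, SSH keys,
                # per-user systemd units and desktop autostart entries.
                find "$p" -maxdepth 6 \( -name .bashrc -o -name .profile -o -name .bash_profile \
                    -o -name .zshrc -o -name authorized_keys \
                    -o -path '*/.config/systemd/user/*' -o -path '*/.config/autostart/*' \) \
                    -type f -mtime "-$days" 2>/dev/null ;;
            *)
                find "$p" -type f -mtime "-$days" 2>/dev/null ;;
        esac
    done | sort
}

# Run only when a root directory is given, so sourcing the file does no work.
if [ "$#" -ge 1 ]; then recent_persistence_changes "$1" "${2:-7}"; fi
```

Pipe the output through `xargs ls -l` to see timestamps and owners; anything owned by "nobody" or newer than the last package upgrade (compare with /var/log/apt/history.log on Debian) deserves a look. Package-owned units under /lib/systemd/system legitimately change at upgrade time, which is why the script reports them rather than deciding for you.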