Re: Linux machine hit by ransomware

[David Christensen <dpchrist@holgerdanske.com>]

On 7/9/25 22:14, Rick Macdonald wrote:
> On 2025-07-09 18:43, David Christensen wrote:
> > On 7/9/25 10:39, Rick Macdonald wrote:
> > > I had a question that I forgot to add to my initial long post. This 
> > > was since "top" didn't show any great CPU usage, could the encryption 
> > > have been performed on another machine (Windows or one of my 3 
> > > Android Kodi boxes)? A number of you suggested exactly this.
> >
> > If you want to identify the source of the attack, one idea is to put 
> > the server on an isolated network segment, restore it to the 
> > configuration it had when the attacks occurred, and wait to see if the 
> > attacks resume.  If so, find the source.  If not, add a suspect 
> > computer to the isolated network segment and repeat.
>
> In 30 years I've never seen an isolated network. May I ask how this 
> might be done?


Assuming an Internet gateway with 4 LAN ports and Wi-Fi, and a server 
with 1 LAN port, turn off everything except the gateway, connect the 
server LAN port to a gateway a LAN port (via switches, if needed), and 
boot the server.  Add wired hosts by connecting their LAN port to a 
gateway LAN port (via switches, if needed).  Add Wi-Fi hosts by booting 
them.


> > If you want to remove malware from the Windows computer, run Windows 
> > Update, run a Windows Defender full scan, and run a Windows Defender 
> > offline scan.
>
> Will do, thanks.


YW.


David