Ransomware Attack

Just had my Plex Server (Windows 10) encrypted via a ransom attack.

I think it was because of my remote desktop setup, but I’m not sure yet. It was initiated remotely in some way, as nothing gets installed on that box.

This sucks for me, so I just wanted to let everyone know that if you haven’t put thought into being secure, you should. I assumed my little server wouldn’t be worth someone doing this, but I think it might be mostly automated attacks now, so they likely are just going after whoever they find.

The rest of your computer is fine but just your PMS is locked up? What did the ransom note say?

For clarity, I have a separate computer I use as a server running Windows 10 pro, and a PC also running 10 pro that I use to access it. The server itself doesn’t have a monitor.

My server wasn’t working this morning, so I logged in via remote desktop from my PC to find the background replaced with a message that read something like “Your files have been encrypted, read the text file to get them unlocked”.
In the text file there were instructions and a code of sorts. I didn’t look into it further, because after I came to my senses I disconnected the server from the network and powered it down.

I also used the server to run a couple of game servers (Conan Exiles and Valheim). Those files were also encrypted (all the files end up with a number after the file extension).

I’m almost certain it is an RDP (Remote Desktop Protocol) issue, since I wasn’t careful setting it up. But, I’m not sure. What I am sure of is that it wasn’t a file accidentally run, as you normally hear about from people getting hit by these attacks.

I’m fairly certain my PC that connected to it has not been affected, after several scans with different antimalware scanners. But I’m a bit exhausted by the ordeal, so I haven’t hooked a monitor up to the server to find out any more details.

This is just another argument in favor of VPNs and not allowing remote access at all. It is too dangerous to allow others to access your computer remotely unless you are in near complete control of both ends of the conversation and almost all points in between.

Good VPNs allow strong encryption and that, mostly, will prevent this kind of attack unless you are foolish enough to open up your computer somehow.

But I suspect it is the gaming that allowed the malware in and that is also a good reason to not play games on your computer or allow gamers to access your computer at all.

Seems to be becoming more and more of a problem. My QNAP NAS was hit recently in a big ransomware attack. All my smaller files like photos got encrypted. Lucky I did have copies of these on offline storage. Was glad they didn’t go after the larger video files in my Plex libraries I have spent decades collecting, and didn’t have enough storage to back up everything.

Would urge everyone to make sure they have offline backups of all irreplaceable files.

This is referring to the QLocker attack. There is a large thread about it on the QNAP forum: [RANSOMWARE] 4/20/2021 - QLOCKER

Lately there was an official statement that a hard-coded (!) credential in a backup app was used here: QNAP confirms Qlocker ransomware used HBS backdoor account

As hard as it might seem, the only way to really protect against those attacks is a valid 3-2-1 backup of ALL data, even the large media collection. It’s kind of hard reading all those pleas for help with already lost data over on the QNAP forum …

A couple months ago I got a similar virus.

It’s in the same family as a Matrix ransomware attack, except what it does is hijack your CPU to mine bitcoin.

Around the same time I noticed a bunch of “.scr” files that were showing up in a whole bunch of different folders on my storage drive.

“Video.scr”, “Photos.scr”… and about four others that were repeated over and over (over 250 files).

This normally comes from a downloaded file, but nothing is directly downloaded to that NAS, and my files are duplicated (not backed up) onto another NAS (offline) and other drives that weren’t infected.

Only the NAS that runs Plex and is used for remote streaming was hit.

QNAP is being targeted due to a vulnerability in their remote access. For those who have it enabled, disable it until an update comes out.
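Two posts in this thread describe the same kind of on-disk symptom: encrypted files that keep their name but gain a number after the extension, and the same `.scr` file names turning up in folder after folder. The script below is an added triage example (not from any poster, and not QNAP or Plex code) that walks a share and reports both patterns so you can see how widespread the damage is before touching anything; the exact `name.ext.<digits>` form and the sample file tree are assumptions constructed for the example.

```python
"""Triage scan for the two file-naming symptoms described in this thread."""
import os
import re
import tempfile
from collections import Counter

# Symptom 1: a normal extension followed by a purely numeric suffix, e.g. "ep01.mkv.4521".
# Assumption: "a number after the extension" means a second, all-digit extension.
NUMERIC_SUFFIX = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.\d+$")

# Symptom 2: the same .scr (screensaver executable) name repeated across many folders.
SCR_EXT = ".scr"


def scan_share(root, min_folders=3):
    """Walk `root` and return (numeric_suffix_paths, repeated_scr).

    repeated_scr maps a lower-cased .scr file name to the number of folders it
    appears in, keeping only names seen in at least `min_folders` folders.
    Results are candidates for manual review, not a verdict.
    """
    numeric_suffix_paths = []
    scr_folders = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NUMERIC_SUFFIX.match(name):
                numeric_suffix_paths.append(os.path.join(dirpath, name))
            elif name.lower().endswith(SCR_EXT):
                scr_folders[name.lower()] += 1  # one hit per folder
    repeated_scr = {n: c for n, c in scr_folders.items() if c >= min_folders}
    return sorted(numeric_suffix_paths), repeated_scr


def build_sample_tree():
    """Constructed sample share (not real data) mixing clean and suspicious names."""
    root = tempfile.mkdtemp(prefix="plex_triage_")
    layout = {
        "Movies/A": ["film.mkv.4521", "film.srt.4521", "poster.jpg", "notes.tar.gz"],
        "Movies/B": ["other.mp4", "Video.scr", "Photos.scr"],
        "TV/Show/S01": ["e01.mkv.4521", "Video.scr", "Photos.scr", "e02.part1"],
        "Photos/2020": ["img001.jpg", "Video.scr", "Photos.scr"],
        "Photos/2021": ["img002.jpg", "Video.scr"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root


if __name__ == "__main__":
    paths, scr = scan_share(build_sample_tree())
    print(f"{len(paths)} files with numeric suffix; repeated .scr names: {scr}")
```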

As this article (Lately there was an official statement that a hard-coded (!) credential in a backup app was used here: QNAP confirms Qlocker ransomware used HBS backdoor account) states, the QLocker vulnerability has been fixed and a security notification was sent on 22nd April.

But this is not the only vulnerability for sure.