XPEnology Community

MARS ransomware!!!


smilenkovski

Question

14 answers to this question

Recommended Posts


In that situation you would shut down the NAS and try to recover the data by booting from USB with a rescue Linux and assembling and mounting the RAID manually.

It sometimes is just about weak passwords and not using 2F authentication.

Also, most IT people would suggest only making the NAS accessible over the internet via VPN access, to minimize the attack surface.

7 minutes ago, smilenkovski said:

Mars already encrypted 86420 files, so I will start from scratch. And what I think happened to me is not changing the username and password on the new router provided by my internet provider, but I'm not sure.

Are you sure the infection is inside the NAS? Might it be a Windows computer that encrypts the files on the NAS over the network?

(I just started to read a little bit about Mars.)

Edit: it does sound like a Windows ransomware.

https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html

Edited by IG-88
2 minutes ago, smilenkovski said:

After years of using Manjaro for my desktop computer I decided to switch to Windows a few weeks ago, and... this happened.

As long as there is no proof of where it originated ...

In the end the encryptor and the way of infection are independent, so it can be a lot of things, and Linux desktop systems are not immune to attacks either.


Your NAS is not infected, just your files. MARS has no ability to attack a Linux system and your system files are not exposed, only the files within your shares that are accessible from Windows (where the infection occurred).

This would be a great time to tell us you are using btrfs and creating regular snapshots, where the entire filesystem could be rolled back to before the ransomware event.


Yes, I'm using btrfs, no snapshots. I'm making backups with rsync to another XPEnology NAS weekly. I've already formatted my infected NAS and after checking the integrity of the storage pool I'll start copying files back from the backup, which will take three days, but it is what it is.

Edited by smilenkovski

My conclusion on the matter: the Mars ransomware made changes only to folders mounted on boot in Windows. That was an easy way to maintain a Plex media library with tinyMediaManager. So that was my short Win 10 experience; I'm back on Manjaro now. Now I'm praying for a successful copy of all my data back and thinking about a third server for backup.

1 hour ago, smilenkovski said:

Now I'm praying for a successful copy of all my data back and thinking about a third server for backup.

Most data will not need that (like media files).

If you hold the working data on the desktop (NVMe SSDs are temptingly fast), back up to the NAS and make a backup of the NAS, you have 3 locations for the files.

You should look into the way it got into Windows. 8th-layer problems also exist on Linux; even if it's not that common to be attacked directly, you can also get infections through hacked Git repositories, and when using Windows in VMs it might be the same risk for network resources/shares as running it directly.


Reading around about Mars ransomware, it might be the RDP flaw, because in my case it wasn't opening an email attachment, or, like I mentioned before, maybe it was a bad password on the router. Don't know, but an awful experience and kind of offensive because you take it personally; finally, you receive a personal message with criminal content.

But thank you for paying attention.


I got this ransomware too; I have no Windows in my network, all my machines and NAS are under Linux.

My infected machine is an OpenMediaVault (an old revision), no RDP, no SSH, no external access. But one day I got all my files infected, and the reason was that I had opened the Samba share for my sister, who lives 500 km from me and uses Windows, so I redirected the Samba port from my internet box to my NAS. After she had finished all the copying, I completely forgot to remove the port redirection in my box, and 2 months later I was infected, and not by my sister's computer; she stopped using it 1 month ago.

So if it can help people: be sure to be up to date, remove Samba (1.0) by default unless you're sure that the 3rd version of the protocol is used, and use only SFTP to transfer data between computers.

Reppa


@xReppa: you opened the Samba port to the world and you're surprised by the attack?
The only safe way to share Samba over the internet is through a virtual LAN like ZeroTier One.
There is a ZeroTier client for most devices, including DSM and any Linux/Android/Windows etc.
So you just need to register on their webpage, create a virtual network, share the network ID with clients, and when they join you just accept them in your admin console.
All traffic is encrypted and safe.
Apart from that, it's good to separate the upload section from the download section. All downloads should be read-only for all external clients; the upload folder should be used only for that purpose. Transfer from the upload folder to downloads and all downloads management should be done using the DSM file manager or via SSH.

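Reppa's post (a Samba port exposed to the internet with SMB1 still accepted) and the reply's advice to keep download shares read-only both come down to a few lines in smb.conf. The audit script below is an added example, not code from either poster or from XPEnology; the Samba option names are real, while the two sample configs and the share names in them are constructed for the example.

```python
"""Audit an smb.conf for the exposure pattern in this thread (added example, not
from the forum posts): SMB1 must be refused, and any writable share must be
restricted to named users with guest access off. Sample configs are constructed."""
import configparser

# Constructed sample: weak setup (SMB1 allowed, guest fallback, writable guest share).
WEAK_CONF = """
[global]
server min protocol = NT1
map to guest = Bad User
[media]
path = /srv/media
guest ok = yes
writable = yes
"""
# Constructed sample: hardened setup (SMB3 only, read-only downloads, restricted upload).
HARDENED_CONF = """
[global]
server min protocol = SMB3
map to guest = Never
[downloads]
path = /srv/downloads
read only = yes
[upload]
path = /srv/upload
read only = no
guest ok = no
valid users = sister
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return a list of findings; empty means the config passes these checks."""
    cfg = configparser.ConfigParser(interpolation=None)  # Samba values use %U, %m etc.
    cfg.read_string(text)
    findings = []
    g = cfg["global"] if cfg.has_section("global") else {}
    # Unset is flagged too: older Samba releases defaulted the minimum to NT1 (SMB1).
    if not g.get("server min protocol", "").upper().startswith(("SMB2", "SMB3")):
        findings.append("global: set 'server min protocol = SMB3' (SMB1/NT1 accepted)")
    if g.get("map to guest", "Never").lower() != "never":
        findings.append("global: 'map to guest' lets failed logins fall back to guest")
    for share in (n for n in cfg.sections() if n not in ("global", "homes", "printers")):
        s = cfg[share]
        writable = (_yes(s.get("writable", s.get("writeable", "no")))
                    or s.get("read only", "yes").strip().lower() == "no")
        if writable and _yes(s.get("guest ok", "no")):
            findings.append(f"[{share}]: writable and guest-accessible")
        if writable and not s.get("valid users", "").strip():
            findings.append(f"[{share}]: writable but 'valid users' is not restricted")
    return findings
```

Read-only shares are skipped because a client cannot encrypt files in place through them; the check is deliberately conservative and does not replace putting the share behind a VPN.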
