
So my Plex "server" went down; when I checked why, I found the background had been changed to something saying my files have been encrypted. This sucks, since it also contains a Valheim and a Conan Exiles server. I am sadly resigned to the fact this computer's data is lost. (There were backups, but all on the same server on a different drive, so they got encrypted too.)

After some reading around it sounds like I wasn't secure enough with my remote desktop setup. Admittedly I was lazy, as I didn't consider such an attack.

My real question is, since I logged into the ransomed server with my regular PC, is there a way my regular PC could be "infected" with something to trigger the encryption on it? I didn't transfer any files, and I shut the computer down after about 15 minutes of having them connected.

I'm on my phone now with my PC off, in case there is something I can do to prevent it "spreading" on that device.

Thanks for any help

 

 

https://linustechtips.com/topic/1342453-plex-server-ransomware/

You can't get the infection through RDP, no. Only if you have a network drive from the server to your PC.

Best course of action would be to disconnect the ransomed server from the network (unplug it) and do a full format and reinstall of Windows.

Never open the RDP port to the internet. Use a VPN and strong passwords.


https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766065
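Added example, not code from anyone in this thread: a read-only PowerShell audit of how Remote Desktop is exposed on a Windows machine, covering the points the reply above raises (is RDP on, does it require Network Level Authentication, which port and interfaces it listens on, which remote addresses the firewall accepts, and which accounts are allowed to log on through it). Run it in an elevated PowerShell on the server; the registry paths and cmdlets are the standard built-in ones and the script changes nothing.

```powershell
# Added example, not from the original thread. Read-only audit of RDP exposure.
# Run in an elevated PowerShell on the Windows machine you want to check.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are accepted.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
"RDP enabled:  $($deny -eq 0)"

# 2. Is Network Level Authentication required? With UserAuthentication = 0 a remote
#    client reaches the Windows logon screen before proving who it is, which is
#    exactly what password-guessing bots rely on.
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"NLA required: $($nla -eq 1)"

# 3. Which port is RDP on, and on which addresses is it listening?
#    0.0.0.0 / :: means every interface. A non-default port only hides it from the
#    laziest scanners; it is no substitute for not forwarding the port at all.
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
"RDP port:     $port"
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. Which remote addresses do the enabled Remote Desktop firewall rules accept, and on
#    which network profiles? 'Any' on the Public profile is the worst case.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }

# 5. Which accounts can log on through RDP? Members of Administrators can always connect;
#    everyone listed here is a guessing target and needs a long password.
foreach ($g in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, PrincipalSource
}
```

Nothing on the machine itself can tell you whether the router forwards that port from the internet; that has to be checked in the router's port-forwarding (or "virtual server") page, and a forward pointing at the server is the thing to delete first.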

27 minutes ago, GeoIV said:

After some reading around it sounds like I wasn't secure enough with my remote desktop setup. Admittedly I was lazy, as I didn't consider such an attack.

Are you port forwarding RDP on 3389? If so, this is a horrible idea. At a minimum, you'll want to use an obscure port.

27 minutes ago, GeoIV said:

My real question is, since I logged into the ransomed server with my regular PC, is there a way my regular PC could be "infected" with something to trigger the encryption on it? I didn't transfer any files, and I shut the computer down after about 15 minutes of me having them connected. 

As long as the infected device doesn't have access to an SMB share on your PC, you're probably fine.

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766069
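Added example, not part of the reply above: the read-only PowerShell checks you would run on the main PC to see what the compromised server could have reached over SMB, in both directions (shares the PC offers, who is connected to them, and what the PC has mapped from the server). Run it in an elevated PowerShell on the PC; the cmdlets are the built-in SMB ones present since Windows 8.

```powershell
# Added example, not from the original thread. Read-only; run elevated on the main PC.

# 1. Shares this PC offers, excluding the hidden admin shares (C$, ADMIN$, IPC$).
#    Anything writable here by an account the server could authenticate as was reachable from it.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Select-Object @{ n = 'Share'; e = { $share.Name } },
                      @{ n = 'Path';  e = { $share.Path } },
                      AccountName, AccessControlType, AccessRight
}

# 2. Is File and Printer Sharing reachable through the firewall at all? No enabled rule
#    means nothing gets to port 445 regardless of what is shared.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True |
    Select-Object DisplayName, Profile

# 3. Who holds an SMB session against this PC right now (remote host and account).
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens

# 4. The other direction: drives or UNC paths this PC has mapped from the server. A mapping
#    to an encrypted share does not by itself infect this PC, but nothing on it should be run.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status

# 5. Live SMB connections going out of this PC, with the owning process.
Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

# 6. Containment while the server is rebuilt: stop offering the shares at all (uncomment to apply).
# Get-SmbShare | Where-Object { -not $_.Special } | Remove-SmbShare -Force
```

If step 1 shows a share writable by an account whose password was also used on the server, treat the share's contents as suspect even if nothing looks encrypted yet.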

Thanks for the replies.

 

Probably had RDP set to default. I set it up a while ago, but I doubt I changed anything. 

Yeah I don't know what I'm doing with network/server stuff. I didn't even consider an attack of this sort. Such a fun way to learn 😛

 

I had the ability to transfer files between the server and my main PC using remote desktop, as I had folders on the server shared to my main PC. I don't believe I had an actual network drive set up, but I can't remember for sure.

That said, I believe my PC was off when the attack happened, but I could be wrong. If that even matters.

Is there anything I can do to make sure my main PC is "clean"?

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766151

Use RDP, but without exposing it to the net: set up a VPN server that allows you to get into your network, then RDP from there.

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766202
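Added example of what "RDP without exposing it to the net" looks like on the Windows side; this is not code from the poster above. It assumes a VPN server already exists and hands clients addresses in 10.8.0.0/24 (a placeholder; substitute your own VPN range), and it is meant for an elevated PowerShell on a clean rebuild, not the compromised box. The port forward on the router still has to be deleted by hand; nothing on the Windows side can do that.

```powershell
# Added example, not from the original thread. Run elevated on a freshly rebuilt server.
# 10.8.0.0/24 is an assumed VPN client range; replace it with yours.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Require Network Level Authentication so a client must authenticate before a session
#    (and the logon screen) is created.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 2. Restrict the built-in Remote Desktop firewall rules to the LAN and the VPN range, and
#    only on the Domain/Private profiles. 'LocalSubnet' is a firewall keyword.
$allowedFrom = 'LocalSubnet', '10.8.0.0/24'
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -Profile Domain, Private -RemoteAddress $allowedFrom

# 3. The LAN adapter must not be classed as a Public network, or step 2 leaves RDP unreachable
#    even from the LAN. List adapters and their profile; fix one with Set-NetConnectionProfile.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
# Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# 4. Slow down password guessing: lock an account for 30 minutes after 10 bad tries.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 5. Only named accounts should be able to connect. Members of Administrators can always RDP,
#    so keep that group small; the built-in Administrator is best left disabled.
Get-LocalGroupMember -Group 'Remote Desktop Users'
Get-LocalGroupMember -Group 'Administrators'

# 6. Verify what the rules now look like.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

The firewall restriction is what makes the difference: even if a port forward is ever re-added by mistake, connections from internet addresses are dropped before they reach the RDP service. NLA and the lockout threshold only limit the damage of a guessable password; they do not replace a long one.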

12 minutes ago, Kilrah said:

Use RDP, but without exposing it to the net: set up a VPN server that allows you to get into your network, then RDP from there.

Thanks, will look into that. 

 

Back on the main topic, how do these encryption attacks work exactly? Do they remote in and run an .exe that encrypts the files?

 

Still nervous to start up my main PC without knowing what to do to prevent anything from happening on it.

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766234

3 minutes ago, GeoIV said:

Thanks, will look into that. 

 

Back on the main topic, how do these encryption attacks work exactly? Do they remote in and run an .exe that encrypts the files?

 

Still nervous to start up my main PC without knowing what to do to prevent anything from happening on it.

When I've seen it, yeah. They RDP into the server and usually set up something that allows them to run a set of tools to do as they please.

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766243

I have a bit of an issue with this one, namely that you're basing your response on a maybe. It's probably a good idea to find out exactly what opened the gates and let in the ransomware.

Start with your router logs: anything coming in or going out will be logged (including the IP of any person trying to connect), so check the logs for any connections you don't recognise and check which port they gained access with; this will tell you which service was the access point.

It's entirely possible RDP wasn't the entry point, and after you reformat, whatever they used might stay open, allowing them in again. For all you know it might have been a file on the machine you ran and nothing to do with the internet.

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766445

45 minutes ago, Master Disaster said:

I have a bit of an issue with this one, namely that you're basing your response on a maybe. It's probably a good idea to find out exactly what opened the gates and let in the ransomware.

Start with your router logs: anything coming in or going out will be logged (including the IP of any person trying to connect), so check the logs for any connections you don't recognise and check which port they gained access with; this will tell you which service was the access point.

It's entirely possible RDP wasn't the entry point, and after you reformat, whatever they used might stay open, allowing them in again. For all you know it might have been a file on the machine you ran and nothing to do with the internet.

Thanks for the thoughts.
I don't see that information recorded anywhere in my router though. I've searched around, but it only seems to be logging changes to router settings and such (running a TP-Link AX1800). I am pretty ignorant of these things, so I could have missed it.
Would the "server" keep records of this on the machine, like who recently remoted in?

I'm "certain" it wasn't a file being run on the computer, as the server is headless, and I have not touched it for a month or more. It gets used daily for video playback on Rokus and such, and this morning it didn't work. That is the only reason I logged on to it via remote desktop today.

I know I was pretty lax on security (not realizing such an attack was possible), so I do think the theory of RDP being the issue is likely, but it could be some unknown other flaw that let the criminal/bot in.

I have powered my PC back on now. Ran Malwarebytes in safe mode, and again after a normal reboot. Found a few suspect things, but no idea if they are related. Maybe just me being paranoid. Either way, so far it seems unaffected.

I think I understand how people who have had their house broken into feel a bit better now.

https://linustechtips.com/topic/1342453-plex-server-ransomware/#findComment-14766593
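Nobody in the thread answers the question above about whether the server keeps its own records of who remoted in. It does: Windows logs every logon in the Security event log and Remote Desktop keeps a second log of its own. The following is an added example, not code from any poster, of reading both from an elevated PowerShell before the disk is wiped. It assumes the default audit policy. Two caveats a practitioner would expect: the Security log has a fixed maximum size and rolls over, so on a machine that was brute-forced for days the oldest entries may already be gone; and an intruder with admin rights can clear the log outright, which the last query checks for.

```powershell
# Added example, not from the original thread. Read-only; run elevated on the server before
# reinstalling (or export the logs with wevtutil first and query the .evtx files offline).

$since = (Get-Date).AddDays(-30)

# 1. Successful logons (Security event 4624). Properties are positional: [5] account name,
#    [8] logon type, [11] client workstation name, [18] source IP. Logon type 10 = RDP
#    (RemoteInteractive), 3 = network (SMB, WMI), 7 = unlock of an existing session.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $p[5].Value
            LogonType   = $p[8].Value
            Workstation = $p[11].Value
            SourceIP    = $p[18].Value
        }
    } | Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIP -notin '-', '127.0.0.1', '::1' }

"RDP / network logons since ${since}:"
$logons | Sort-Object Time | Format-Table -AutoSize

# 2. Failed logons (Security event 4625): [5] account tried, [19] source IP. A brute force
#    shows up as hundreds or thousands of failures from a few addresses against many usernames.
"Top sources of failed logons:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[19].Value } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 20

# 3. Remote Desktop's own log records sessions even when Security auditing was turned down:
#    21 = session logon succeeded, 25 = reconnect, 24 = disconnect. The message text carries
#    "Source Network Address".
"Remote Desktop session events:"
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 4. Was the Security log cleared? Event 1102 is written after a clear and survives it.
#    An otherwise empty history plus a 1102 is itself evidence of who was on the box.
"Audit log cleared events:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

To keep the evidence past the reinstall, export the logs first (`wevtutil epl Security C:\evidence\Security.evtx`, and the same for the TerminalServices log) onto removable media; `Get-WinEvent -FilterHashtable` accepts a `Path` key pointing at an .evtx file in place of `LogName`, so the same queries work offline on another machine. A type-10 logon from an address you do not recognise, preceded by a burst of 4625 failures from the same address, is the RDP brute-force signature the replies above suspect; a lone type-10 logon with no failures points at a password that was known or reused rather than guessed.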
