
How do I access the data from my RAID drives, which were in an array (High-Water Allocation Method RAID 0)?

Hey guys,
I would like to access my data, but can't access the drives.
My situation:
I set up my RAID 0 with the high-water allocation method with 5 drives, 2x2TB and 3x1TB.
It was all just a normal PC with an Unraid boot stick.
I filled it up with 3.3TB of important files, Windows backups etc.,
but I'm pretty sure that only 2 drives were really utilized.
Some ransomware virus named Djvu STOP moqs encrypted all my files on every machine in my network.
All files but some essential Windows files like .dll were encrypted.
These files are not decryptable because of SHA256.
Most of the files in the share/array on my NAS are encrypted.
The USB drive, which holds the Unraid OS and the NAS configuration, is also encrypted.
I have the paid version so I still have the activation key.
Is there any way to access the data, which is still on the drives, without the config stick?
Any help would be greatly appreciated. Gratitude in advance for any answer.
I have a $100 PayPal prize for the person who can help me get my original files back.


6 minutes ago, MoigenEugen said:

Is there any way to access the data, which is still on the drives, without the config stick?

No. You either pay the hackers that you allowed on your network, or write off all of your data. Those are your only options.

 

Next time, don't allow hackers on your network. Make backups that aren't attached to the network. Don't use Win-OS. Use strong passwords. Check for malware daily. Use an effective virus scanner. Get rid of all "social media" cr@p. Be paranoid when browsing the web. Change the display setting for your email account to "text only", not "html" or whatever they call it these days. Disable script execution in your browser.

 

HTH!



You don't have backups, right?

If the ransomware encrypted the data on the NAS, you're not getting that back unencrypted.

Your best option is probably to pay the ransom if you don't have backups.


10 minutes ago, Dutch_Master said:

No. You either pay the hackers that you allowed on your network, or write off all of your data. Those are your only options.

 

Next time, don't allow hackers on your network. Make backups that aren't attached to the network. Don't use Win-OS. Use strong passwords. Check for malware daily. Use an effective virus scanner. Get rid of all "social media" cr@p. Be paranoid when browsing the web. Change the display setting for your email account to "text only", not "html" or whatever they call it these days. Disable script execution in your browser.

 

HTH!

Thanks for your reply!

Is there any confirmation that I'll receive the data back if I do pay the hackers? Until now, no one has suggested that I pay.


12 minutes ago, Electronics Wizardy said:

You don't have backups, right?

If the ransomware encrypted the data on the NAS, you're not getting that back unencrypted.

Your best option is probably to pay the ransom if you don't have backups.

 

Thanks for your reply! Yes, I do have my backups on the NAS, but they're corrupted. That was stupid.

Could you please tell me if there is any confirmation that I'll receive the data back if I do pay the hackers?

Until now, no one has suggested that I pay.


Just now, MoigenEugen said:

Thanks for your reply! Yes, I do have my backups on the NAS, but they're corrupted. That was stupid.

Could you please tell me if there is any confirmation that I'll receive the data back if I do pay the hackers?

Until now, no one has suggested that I pay.

Nope, no guarantee you will get your data back; they could just take the money and run.

But unless you have backups, you probably don't have a better option, so paying is really your only shot.


45 minutes ago, MoigenEugen said:

Thanks for your reply!

Is there any confirmation that I'll receive the data back if I do pay the hackers? Until now, no one has suggested that I pay.

Yeah, you'll get a fiscal receipt and a 2-year warranty. /s

You are dealing with criminals, mate...

As for whether you should pay, here are a few reasons not to:
- In some countries it is illegal to pay the ransom; you should check if that applies to you.
- You might as well put a sign on your forehead saying "I'm a paying customer".

That sh** you picked up comes with AZORULT, which is a RAT. Before doing anything (your choice if you will pay or not), make sure you change passwords (from a clean machine, something that wasn't part of your local network) for all of your important stuff and enable 2FA where you can.
After that, nuke everything you had in your local network, or you will end up in a similar situation in a year or so... especially if you decide to pay now.



And this is why I have cold storage backups of my important files on 100 and 128GB Sony Blu-ray discs. True WORM media. Put those discs in the most infected system on the planet and they can't manipulate the disc data.



OK, a few things.

1. This ransomware shouldn't have encrypted your UnRAID boot device since it shouldn't have had write permission to it. Either way, you should have had a backup of your flash key, which you can follow this guide to restore: https://wiki.unraid.net/Manual/Changing_The_Flash_Device  If you do not have a backup of your flash key, then you will need to use the 'Replace Key' feature.

2. You can attach your drives to another machine, however there's no point... if the files are encrypted, they are encrypted... attaching them to another machine won't change that.

3. There is no guarantee that they will do anything if you pay the ransom. These are malicious criminals; they don't care about you once you give them their $$$.

4. Wipe all your machines. Format and reinstall fresh systems to be sure you've got rid of the ransomware.

5. Set up proper security for your storage. Do not allow "general" users to have write access to shares, especially backup. Either give them Read Only access, or just use the Guest login, which has Read Only access anyway.

e.g. I have this share mounted using 'Guest' as a network drive on my PC. There are 3 accounts that have Read/Write access to this share. So the only things that can write (modify) the files are my main admin account (which I only use ad hoc sometimes), or my seedbox/jumphost accounts, which are only mounted on these hardened Linux VMs. These VMs are locked down with SHA256 key based authentication, firewalls, etc... etc....


For some further examples, here are some other shares that I have using the SMB Extra configuration.

To explain this...

\\tower\ISOs and \\tower\DMP are publicly writeable... that is, guests or anyone can write to them. This is a space where people can dump files to be sorted later.

\\tower\BACKUP is not public, and can only be written to by my admin account or the svc_backup account. The user "svc_backup" is the name of my account that is entered into my backup software ONLY. No other logged-in user has writeable access to this share, so if any PCs are compromised, they cannot just mount and modify the backup folder.

 


Examples like your ransomware experience are why I'm a big advocate of properly locking down your shares and defining and using permissions correctly.

 

 


 

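As an added illustration of the share layout described in the post above (this is example configuration written for this thread, not Jarsky's real SMB Extra settings): a Samba smb.conf fragment of the kind pasted into Unraid's "Samba extra configuration" box, with the public drop shares and a BACKUP share that only two accounts can write. The share paths, the "admin" account, the "Media" share and the "seedbox"/"jumphost" user names are assumptions.

```ini
; Added example, not the poster's real config. Samba share definitions as they
; would be pasted into Unraid's Settings > SMB > "Samba extra configuration".
; Assumed: paths under /mnt/user, an "admin" account, and a "svc_backup"
; account that is used only by the backup software.

; Public drop shares: guests and anyone on the LAN may write here.
[DMP]
   path = /mnt/user/DMP
   browseable = yes
   guest ok = yes
   read only = no
   ; writes land as the guest account, never as a real user's identity
   force user = nobody
   create mask = 0664
   directory mask = 0775

[ISOs]
   path = /mnt/user/ISOs
   browseable = yes
   guest ok = yes
   read only = no
   force user = nobody

; Backup target: not public, read-only by default, only two accounts may write.
[BACKUP]
   path = /mnt/user/BACKUP
   browseable = no
   guest ok = no
   ; only these accounts can even open the share
   valid users = admin svc_backup
   ; every session is read-only unless the account is in write list
   read only = yes
   write list = admin svc_backup

; Read-mostly share mounted as Guest on the desktop (assumed name "Media"):
; guests and ordinary users read, a few named accounts write.
[Media]
   path = /mnt/user/Media
   browseable = yes
   guest ok = yes
   read only = yes
   write list = admin seedbox jumphost
```

The property that matters for the ransomware case is the BACKUP stanza: "valid users" limits who can connect at all, and "read only = yes" combined with "write list" leaves every other authenticated session read-only, so a compromised desktop that maps the share cannot rewrite the backups.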

8 hours ago, Jarsky said:

Thank you for this informative comment. 
