Ryuk Ransomware Encrypts Image Files

AlfredoF

Jun 3, 2021
I have an old Proxmox 4.4 running some VMs. A Ryuk virus attacked my network and renamed the image files to .ryk, and these VMs are corrupted.

I have backups for these VMs on an NFS share, but the new Proxmox 6.4 cannot connect to this NFS share, so I can't restore any VM from there.

So how can I recover these VMs?

Thanks for your help
Alfredo
 
First of all, it's completely incomprehensible why a virus can get access to your vm images ...
Second, why not recover the backups with Proxmox 4.4?
Third, you should probably grant access to the images to Proxmox 6.4.
Last, and most important, secure your network!
 
OK, I've created an NFS, restored backups and restored to the new NFS, and this one

Thanks for your answer.

I thought so, but this happened, all the images of the VM that were in an NFS were encrypted and renamed as .ryk and the criminals are asking for ransom, fortunately I have the backups.
I've recovered the backups using a third NFS and moved to a new Proxmox 6.4 running Ceph storage and PBS backup.
Just be aware this was real.
 
Same LAN, NFS running on an EMC VNX5200. I've recovered everything, but I advise you to take care about this.
 
Sorry if I ask a dumb question here... but how did you get this "Ryuk" virus in the first place? A quick 10 seconds of googling and Wikipedia research shows that "Ryuk" mainly spreads through email attachments. Unless your NFS share was exposed to the internet? :confused:
 
It started from a Windows domain server, but I'm not completely sure, still under investigation. The antivirus couldn't detect or stop it; Kaspersky did a little better, but McAfee didn't notice it got infected. Virus databases were up to date, as well as Windows updates.
NFS was not exposed to the internet, but open to the local LAN.
 
If useful for anybody, this is the hash, detected on Windows
SHA256
daefaff00fdf70e3aed4cd64ad7db30a413aa025d905ac07bfc4e9ab2e1e10af
 
Huh, VirusTotal doesn't show a match for that hash.
If you're able to locate the original binary that got into your network - considering your response - it might be worth it to upload it to VirusTotal (https://www.virustotal.com/gui/home/upload) and see what AV engines pick it up. Could be an obfuscated version of the original virus.
 
I'll try to upload the virus there. People from Kaspersky and McAfee are working on it.
 
Ok, this is the other hash
df0191f8db7cac8c33df25d04ddf22c3bade954bddf7b69f43b24146fe3d9a4f
File located at: C:\Users\Public\1073r.exe
 
Okay. McAfee has already got the signature for it. That, or their heuristics picked it up first, judging by the "Artemis!017E0F349886" signature given.
Kaspersky hasn't detected it yet.
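A small defender-side check for the indicators shared in this thread (the .ryk extension appended to the encrypted images, the two SHA256 hashes, and the dropper name 1073r.exe). This is an added example, not code from the original posts or from Proxmox; the directory layout, the 64 MiB hashing cap and the sample files in demo() are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# IoCs as posted in this thread (SHA256 of the samples detected on Windows).
RYUK_IOC_SHA256 = {
    "daefaff00fdf70e3aed4cd64ad7db30a413aa025d905ac07bfc4e9ab2e1e10af",
    "df0191f8db7cac8c33df25d04ddf22c3bade954bddf7b69f43b24146fe3d9a4f",
}
RANSOM_EXTENSION = ".ryk"          # extension Ryuk appended to the encrypted images
MAX_HASH_BYTES = 64 * 1024 * 1024  # assumption: hash only small files, not multi-GB disks


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_storage(root: str, ioc_hashes=RYUK_IOC_SHA256) -> dict:
    """Walk a storage directory and report renamed images and known-bad hashes."""
    findings = {"renamed_images": [], "ioc_matches": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # e.g. vm-100-disk-0.qcow2.ryk: original name kept, .ryk appended
        if path.suffix.lower() == RANSOM_EXTENSION:
            findings["renamed_images"].append(path.name)
        if path.stat().st_size <= MAX_HASH_BYTES and sha256_of(path) in ioc_hashes:
            findings["ioc_matches"].append(path.name)
    return findings


def demo() -> dict:
    """Constructed sample tree: one clean image, one renamed image, one dropper."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images" / "100"
        images.mkdir(parents=True)
        (images / "vm-100-disk-0.qcow2").write_bytes(b"QFI\xfb" + b"\x00" * 512)
        (images / "vm-100-disk-1.qcow2.ryk").write_bytes(b"\xde\xad" * 256)
        dropper = Path(tmp) / "1073r.exe"  # file name taken from the thread
        dropper.write_bytes(b"MZ" + b"constructed, not the real sample" * 4)
        # Extend the IoC set with the constructed dropper's hash to exercise matching
        iocs = RYUK_IOC_SHA256 | {sha256_of(dropper)}
        return scan_storage(tmp, iocs)


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted NFS export or a PBS datastore directory by calling scan_storage("/mnt/pve/<store>") in place of demo().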
 
While this is all very interesting, let's not forget to put our NFS shares in a separate VLAN ...
 
Why not go a step further and not use a network anymore? :D I wouldn't bother much, to be honest. If the shares are on a different subnet there's usually a firewall between a virus and the shares, which is already pretty secure. Plus, there are sometimes not so many alternatives.
 
No network, no problem :rolleyes:, anyway I'll try, but for me it is easier to use a different type of connection, and this kind of virus can easily bypass firewalls; they take control of the Windows DC, simulate many different networks
 
The first hash is not well known (df0191f8db7cac8c33df25d04ddf22c3bade954bddf7b69f43b24146fe3d9a4f), because it seems to be compiled specially for this attack.
 