I’ve been hacked …
Sorry to hear that. It’s unclear what it is you want from this post though.
Sorry to hear that. Hopefully you have a backup and can rebuild. Personally, I would not give in to this kind of extortion.
Out of curiosity, what is your core running on, and how is it connected to your network & internet?
More likely, it’s the remote being hacked, no?
I have Roon Rock on NUC … this is the second time it happened. Anyone know of a fix, please?
What does your setup look like? What does your network look like? What is connected to what?
You’ll need to give a lot more info in order for us to help you.
Where is your local music, and what OS do you use for Roon remotes?
Typically, ransomware is spread via email phishing, and once login credentials are disclosed, they can access parts of your network. It is unlikely that ROCK was the source of the attack.
Whatever worked for you the first time would seem the obvious place to start?
.sjb
How can anyone install any of this inside ROCK?
It is inside every folder of ROCK.
As previously mentioned, ROCK isn’t the source of the hack. Start with your email and, most likely, Windows PC.
So, please confirm what you use for your Roon remotes, and where your music files are located.
Remote is my Android phone and the files are on a HD connected using USB to NUC/ROCK.
Do not expose your ROCK/Nucleus(+) to the internet. They are not considered secure devices and should only be installed in secured private networks. If you want to use ARC, create a port-forward rule for the one port used by ARC only.
Some information about this ransomware and how it supposedly attacks computers can be found following this link: https://www.bleepingcomputer.com/forums/t/753400/0xxx-nas-ransomware-0xxx-support-topic/?p=5232606
This has happened since I created a port forwarding setup for remote ARC access.
My bet here is that the core has been added to a DMZ and has been compromised that way.
I am a Cyber Security Analyst and would be willing to help you (for free). Direct message me if you would like to chat about what to do next and how to avoid this happening a 3rd time.
This.
You’re being very sparse with details here.
What did you do exactly to do the port forwarding? Was your NUC directly connected to your router by any chance?
That would be child’s play I’m afraid. ROCK and Nucleus expose a network share to the network that doesn’t require any form of authentication.
Anyone or anything with access to your local network can access your ROCK installation as well. And therefore also add, edit, delete files on your ROCK.
If you then also put your ROCK installation into a DMZ of your router, then the whole internet has access. It’s the equivalent of begging to be hacked.
Child’s play if someone has already gained access to your home network. And, to be clear, we’re talking about a file share, not breaching ROCK*.
What’s needed is more relevant information from the OP.
*Edit: 0xxx ransomware affects Windows PC hosts only, and can be removed with the Sophos virus removal tool.
There is certainly enough knowledge in this thread to help.
I don’t see the point in commenting further unless more information is provided.
Burying your head in the sand and starting over won’t stop this happening again.
You need to get proper support to locate the source of the intrusion to begin with, as if this is your 2nd time, something’s off. It’s highly unlikely to have been via ROCK and more than likely a PC or NAS on your network from a dodgy link or email, and it’s residing on them. If you don’t clear it, it’s likely to reoccur. Paying up isn’t going to stop it if the actual software it’s implanted is still active on your network.
Does Roon no longer play your files? Or is it just locking out access from a PC?