Nucleus (Rev B) External SSD infected with WantToCry ransomware, how?

What’s happening?

· Other

How can we help?

· None of the above

Other options

· Other

Describe the issue

Nucleus (Rev B) - Samsung SSD T5 external infected with WantToCry ransomware, how?

Describe your network setup

BT Smart Hub

Hi All, my Nucleus stopped working suddenly yesterday, and I could not find the source of the problem. Ran the Roon Database & Settings reset, which got it back online; Tidal music all sync’d OK, but even though the storage folder was correct (Samsung SSD T5), none of the files would show in Roon.

On further investigation, the above txt file could be seen in every folder and file extension on the SSD.

I have zero idea how this arrived, and it doesn’t appear to have infected any other drive/device on the network. The first instance seems to have landed on Tues at 20:59.

Thankfully I have clean backups, but has anyone experienced anything similar, or can anyone suggest how to purge my system fully and lock down my router more securely?

TY!
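A quick way to confirm the pattern the poster describes (the same small text file dropped into every folder, alongside renamed originals) is to walk the library and count repeated file names. The script below is an added example, not code from the thread or from Roon; the note file name, the `.locked` extension and the media-extension list are constructed assumptions, not known WantToCry indicators.

```python
"""Scan a music library for signs of a ransomware run.

Reports (1) small .txt files that appear under the same name in many folders,
and (2) files whose extension is not an expected media/metadata type, which is
how renamed or encrypted originals usually show up. Thresholds are assumptions.
"""
import os
import tempfile
from collections import defaultdict

# Assumed set of file types a music library normally contains.
MEDIA_EXTENSIONS = {".flac", ".mp3", ".m4a", ".wav", ".aiff", ".ogg",
                    ".dsf", ".jpg", ".png", ".cue", ".log", ".pdf"}
NOTE_MAX_BYTES = 64 * 1024   # ransom notes are short text files
NOTE_MIN_DIRS = 3            # same name in this many folders is suspicious


def scan_library(root):
    """Return {'notes': {name: [dirs]}, 'unexpected': [paths]} for the tree at root."""
    by_name = defaultdict(list)
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            if ext == ".txt":
                if size <= NOTE_MAX_BYTES:
                    by_name[name].append(dirpath)
                continue
            if ext not in MEDIA_EXTENSIONS:
                unexpected.append(path)
    notes = {n: dirs for n, dirs in by_name.items() if len(dirs) >= NOTE_MIN_DIRS}
    return {"notes": notes, "unexpected": sorted(unexpected)}


def build_sample_tree(base):
    """Create a constructed sample library: three album folders, each with an
    intact track, a track renamed to a hypothetical '.locked' extension, and a
    copy of a placeholder note. Demo data only, not a real ransomware artifact."""
    for album in ("Artist A/Album 1", "Artist B/Album 2", "Artist C/Album 3"):
        d = os.path.join(base, album)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "01 - Track.flac"), "wb") as f:
            f.write(b"\x00" * 16)
        with open(os.path.join(d, "02 - Track.flac.locked"), "wb") as f:
            f.write(b"\xff" * 16)
        with open(os.path.join(d, "HOW_TO_RESTORE.txt"), "w") as f:
            f.write("placeholder note text\n")
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="library-scan-")
    build_sample_tree(base)
    return scan_library(base)


if __name__ == "__main__":
    import sys
    result = scan_library(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, dirs in result["notes"].items():
        print(f"repeated text file {name!r} in {len(dirs)} folders")
    for path in result["unexpected"]:
        print(f"unexpected extension: {path}")
```

Run it against the mounted SSD (`python scan.py /path/to/music`) before restoring from backup, and run it against the backup drive too: the second poster below found their backup had been overwritten with encrypted copies.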

The second user in as many days affected.

Well, I’m actually another user who was affected a few weeks ago. It wasn’t directly named WannaCry, but music folders were turning up empty. After having this investigated it turns out it was ransomware.

This and a few other issues prompted me to tell Roon to cancel my lifetime subscription. I only found out partially yesterday, but confirmed today.

Long story short. Had my hard drives investigated and my Roon server. Despite having a backup of my main music drive, unbeknown to me my backup drive became a victim probably through one of my last backups. I have a smaller backup, but I’ve lost over 4k albums. Annoyed with myself. P155ed with Roon.

I really think Roon needs to investigate this urgently.

@danny @support

Without causing undue alarm and scare mongering, I’d possibly urge users of Nucleus devices and Rock installs to turn their servers off until Roon respond to this. At the very least disable the port forwarding rule for Arc and turn off UPnP for those who set Arc up like this. Maybe also disable Tailscale.

Talk in yesterday’s other thread saw two Roon Support staff mentioning DMZ in a manner to suggest the user had set their router’s DMZ on. I personally do not think that’s the case.

@moderators please can this thread and the linked thread above be merged.

3 cases of Ransomware in total.

I suspect we all share your alarm; and concern about ransomware - to say the least.

But in the interests of accurate diagnosis, how are you completely sure that this thread relates to the same or similar malware?

WantToCry Ransomware Exploits SMB Vulnerabilities to Remotely Encrypt NAS Drives

misconfigured Server Message Block (SMB) services to infiltrate networks and launch widespread attacks.

The weaknesses in SMBs, such as weak credentials, outdated software, and poor security configurations, are providing attackers with an easy entry point through which attackers exploit publicly exposed network drives and NAS (Network-Attached Storage) devices.

Looking into this more today to see if my clean drive shows no issues; it took hours to re-download my music from Dropbox.

Checked my router last night and DMZ is switched off and no port forwarding.

Not clear if SMB plays a factor here

SSD drive does have built in encryption as standard but it was left unused

Also just to be clear the SSD is solely used for my music storage for Roon connected via USB

Er, same-named ransomware @Mark_Sealey and this is why Roon need to investigate things for their end.

Do you have UPnP enabled?

Whilst this shares the same name as the ransomware that caused havoc in 2017 and exploited EternalBlue, I believe this is a red herring and just a namesake.

Nearly two weeks ago I noticed other issues with my Roon experience. I had this checked out and confirmed I had ransomware.

Roon needs to do their part now to confirm it is or isn’t their side that has caused this.

It would be interesting to know if @r.guy.kendall purchased any music recently, what it was and where from. For me, yeah, I bought and downloaded quite a bit from Qobuz, Bandcamp, 7Digital, direct from artists’ websites. A bit difficult to pinpoint for me.

It could also be time sensitive.

UPnP is enabled as I believe it was needed for Roon ARC access

Not purchased any music in the past few months as mostly Tidal

I would only have set a manual rule if it were me.

Preferably, I’d suggest Tailscale

I’d recommend disabling UPnP on your router and removing any open port forwarding rules.

I’d also use the below website to test your WAN IP for any open ports. 139 and 445 would be a starting point.

It’ll detect your WAN IP automatically. Just type or select port numbers to test. You want ‘closed’ to come back.

This helps rule out some things I think
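The external port-checker the post refers to does nothing more than attempt a TCP handshake to each port. The script below is an added example (not the linked site’s code, and not from the thread) that performs the same connect test so it can be repeated on a schedule: run from a machine outside your network against your WAN IP it gives the attacker’s view; run from inside against the Nucleus’s LAN address it shows which SMB ports the device itself answers on. The default target address is a placeholder.

```python
"""TCP connect check for the SMB/NetBIOS ports discussed in the thread.

'open' means a handshake completed, 'closed' means the connection was refused
or timed out (a silently dropped packet also reads as 'closed' here, which is
the result you want to see from the outside).
"""
import socket
import sys

SMB_PORTS = {139: "NetBIOS session", 445: "SMB"}


def check_port(host, port, timeout=3.0):
    """Return 'open' if a TCP handshake to host:port completes, else 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:          # refused, unreachable, or timed out
        return "closed"


def check_ports(host, ports=SMB_PORTS, timeout=3.0):
    """Check every port in `ports` and return {port: 'open' | 'closed'}."""
    return {port: check_port(host, port, timeout) for port in ports}


def self_test():
    """Demonstrate both outcomes against a throwaway local listener (constructed):
    returns ('open', 'closed') once the listener has been torn down."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_listening = check_port("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = check_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for your WAN IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    for port, status in check_ports(target).items():
        print(f"{target}:{port} ({SMB_PORTS[port]}) -> {status}")
```

Both ports should report `closed` from the WAN side. If 445 is `open` from the LAN side that is expected for a RoonOS device (its storage share), which is exactly why malware on any other LAN host can reach it.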

Awesome thank you, that’s v helpful!

Actioning these steps now

Switched off UPnP

Both 139 & 445 came back closed

1 Like

Do you have other computers on the same network? Are these running up-to-date OS versions?

I always find the disable UPNP advice to be a good start. It should be disabled and only enabled when required.

I also think the “Don’t open a port if you don’t fully understand what you are doing” advice is good, as is using Tailscale, as that leaves everything way more secure.

2 Likes

Just to be clear regarding the topic title, WantToCry is not the same thing as WannaCry.

2 Likes

Don’t believe Tailscale works with my Nucleus version

Good catch - updated the title for search

1 Like

Yes, multiple

Checked with son’s gaming pc, seems OK, nothing flagging on malware search

Immediately blamed him for the intrusion… Appears he’s innocent, for this time at least

2 Likes

Hi everyone,

Thank you for bringing this to our attention. We’ve taken a close look at this and other reported cases of the WantToCry ransomware in the last few days and can confirm that neither RoonOS, Roon Server nor our cloud services were breached. What has probably happened instead is that ransomware already on the local network located and encrypted the shared drive on the RoonOS device.

RoonOS makes it easy to add music or manage backups by sharing the entire /Data folder over SMB with guest‑level access enabled, and for legacy reasons it still “speaks” SMB1. That means any compromised computer on your network can scan for that open share and lock down its contents, which is exactly what happened here.

Some of you have asked whether ARC port forwarding could be to blame. That kind of attack would require reverse‑engineering ARC’s private API, intercepting and breaking its encryption, and forging valid authentication tokens - an extremely complex, time‑consuming process that offers almost no benefit given the small number of exposed systems.

In terms of what you can do:
• Keep antivirus and firewall software enabled and up to date on all devices.
• Run regular scans and verify there are no active threats.
• Inspect any external drives you’ve recently connected to your network for malware.
• Avoid using a DMZ.
• Maintain regular offline or off‑site backups of both your Roon database and media library so you can restore quickly if needed.

Let us know if you have any questions or need help tightening your network security.

8 Likes
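The support reply above (a share exposed with guest access and SMB1 still enabled) and the quoted article earlier in the thread (weak credentials and poorly configured SMB as the entry point) describe the same two settings. RoonOS does not expose its Samba configuration, but anyone running Roon Server on a Linux box, or holding their library on a NAS whose `smb.conf` they control, can audit for exactly those settings. The script below is an added example, not Roon’s or Samba’s code; the sample configuration is constructed and the `roon` account name in the hardened output is an assumption to replace with your own.

```python
"""Audit a Samba smb.conf for guest access and SMB1, and emit a hardened copy.

Checks the settings the thread identifies as the problem: an SMB1 dialect as
the minimum protocol, 'map to guest' turning failed logins into guests, and
shares marked 'guest ok' (worse still when writable).
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}

# Constructed sample mirroring the layout the support reply describes.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User

[Data]
   path = /Data
   read only = no
   guest ok = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {lower-cased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(sections):
    """Return a list of (section, finding) tuples; empty means nothing flagged."""
    findings = []
    g = sections.get("global", {})
    min_proto = (g.get("server min protocol") or g.get("min protocol") or "").lower()
    if min_proto in SMB1_DIALECTS:
        findings.append(("global", f"server min protocol = {min_proto}: SMB1 enabled"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", f"map to guest = {g['map to guest']}: failed logins become guest"))
    for name, opts in sections.items():
        if name == "global":
            continue
        guest = opts.get("guest ok", "no").lower() in YES
        writable = (opts.get("read only", "yes").lower() in NO
                    or opts.get("writable", opts.get("writeable", "no")).lower() in YES)
        if guest:
            findings.append((name, "guest ok = yes: share readable without credentials"))
        if guest and writable:
            findings.append((name, "writable guest share: any LAN host can encrypt its contents"))
        if opts.get("guest only", "no").lower() in YES:
            findings.append((name, "guest only = yes: share forces guest access"))
    return findings


def harden(sections):
    """Return a copy with SMB1 disabled and guest access removed on every share."""
    fixed = {name: dict(opts) for name, opts in sections.items()}
    g = fixed.setdefault("global", {})
    g.pop("min protocol", None)
    g["server min protocol"] = "SMB2"
    g["map to guest"] = "Never"
    for name, opts in fixed.items():
        if name != "global":
            opts["guest ok"] = "no"
            opts.pop("guest only", None)
            opts.setdefault("valid users", "roon")   # assumed account; use your own
    return fixed


def render(sections):
    """Serialise the section dict back into smb.conf syntax."""
    out = []
    for name, opts in sections.items():
        out.append(f"[{name}]")
        out.extend(f"   {k} = {v}" for k, v in opts.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_smb_conf(SAMPLE_CONF)
    for section, finding in audit(parsed):
        print(f"[{section}] {finding}")
    print("\n# hardened:\n" + render(harden(parsed)))
```

Point it at `/etc/samba/smb.conf` on the server instead of the sample and apply the hardened output after checking the share still mounts with a real account. With guest access gone, malware on another LAN host needs valid credentials before it can touch the share, which is the layer the RoonOS default does not provide.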