Ransomwared :-(

Used Roon Arc for a week. Then from the outside they encrypted my local library of 12600 albums

All your files have been encrypted with 0XXX Virus.
Your unique id: Bla bla bla
You can buy decryption for 3000$USD in Bitcoins.
F!
:slight_smile: Roon Core reinstalled, Ports Off, Roon ARC uninstall, Bravo developers in the security department!

Are you sure they got in through the open Roon port?

What is your Core running on? Where are the files stored?

Hmm, seems odd.

What firewall rules have you got set up?

Sounds like the same kind of attack on the QNAP NAS devices (if this is definitely confirmed).

This info is very critical for all of us who are Roon ARC users.

Adding @danny for FYI.

More information please as @musicjunkie917 said.
No one else has been encrypted yet including those running for more than 3 months.

Are you running on a QNAP by any chance?
Did you only open 1 port or did you create a DMZ?

This was attacking Linux systems in 2021… It seems it’s still doing its round. Anything from WD Cloud drives to custom Linux servers, Windows machines, etc.

I thought it was something that needed to be run locally, so therefore a user must download it. But, it seems these are being remotely executed too…

Roon Core on an Intel NUC, using a 12TB USB disk.
The ports were opened by the provider; in the router I did port forwarding to the local IP 192.168.1.9. [RouterServices] MiniDLNA-OFF, UPNP-OFF, DHCP/DNS-OFF
From the outside, nothing but the Intel NUC is visible. Port 63518.

Aleksei
Then you really need to open a ticket directly in its own thread so there can be some kind of investigation, as I am sure Roon would be interested in full system details.

There are a lot of us using ARC with a minimum 1 port TCP enabled.

I have no reason to doubt @Aleksei_Domanin’s claim, but I’m highly dubious this happened due to ARC or Roon, or to the music being used by Roon. @Aleksei_Domanin’s implication is that somehow Roon was involved. These are serious allegations and I want some evidence that this was related to Roon before we investigate.

These are great questions.

I requested some logs from his system and I do see a ROCK with 2 USB drives, and Roon can still find the music on them.

I’m unsure where he would have seen this message about bitcoins and what system would have been subject to ransomware. It wasn’t the 2 music disks attached to the ROCK, or the ROCK system itself.

Also, because ROCK has no user interface, it’s unclear where he saw the ransomware message.

1 Like

ROCK?

Where did you see the message about ransomware? Which 12TB drive was affected (brand and model please)?

1 Like

Used DMZ / Exposed Host.
I can open all ports at the provider or close all ports. On one port, they tell me there is no way. Think, It is necessary to put a Firewall separately at Fortigate’s house

Ok, so this is a huge no-no. If you DMZ’d your ROCK, you basically put it on the internet. It has an open network share with all your music.

Showing us what you did would be a good idea at this point.

1 Like
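To make the difference between "one forwarded port" and "DMZ / exposed host" concrete, here is an added example (not Roon's code, and not from anyone in this thread) that audits a router configuration for an ARC host. The IP 192.168.1.9 and port 63518 come from the setup described above; the router model (a list of forwards, an optional DMZ host, a UPnP flag) and the nftables rendering at the end are assumptions, since the thread never says what the router actually runs.

```python
"""Audit a home-router configuration for a Roon ARC host (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Windows file-sharing ports. The ROCK music share is served over SMB, so these are
# exactly the ports that must never be reachable from the WAN side.
SMB_PORTS = {445, 139}
NETBIOS_PORTS = {137, 138}


@dataclass(frozen=True)
class Forward:
    proto: str       # "tcp" or "udp"
    ext_port: int    # WAN-side port
    host: str        # LAN address that receives the traffic
    int_port: int    # LAN-side port


@dataclass
class RouterConfig:
    """Simplified router model (assumption): explicit forwards, optional DMZ host, UPnP flag."""
    forwards: List[Forward] = field(default_factory=list)
    dmz_host: Optional[str] = None   # "Exposed host": all unsolicited inbound traffic goes here
    upnp: bool = False


def audit(cfg: RouterConfig, arc_host: str, arc_port: int) -> List[str]:
    """Return a list of findings; an empty list means only the ARC port reaches the Core."""
    findings = []
    if cfg.dmz_host:
        findings.append(f"DMZ/exposed host {cfg.dmz_host}: every listening service, "
                        f"including SMB {sorted(SMB_PORTS)}, is reachable from the internet")
    if cfg.upnp:
        findings.append("UPnP enabled: any LAN device can open further ports without review")
    arc_forwarded = False
    for fw in cfg.forwards:
        if fw.host == arc_host and fw.proto == "tcp" and fw.int_port == arc_port:
            arc_forwarded = True
            continue
        if fw.int_port in SMB_PORTS | NETBIOS_PORTS:
            findings.append(f"forward {fw.proto}/{fw.ext_port} -> {fw.host}:{fw.int_port} "
                            "exposes file sharing")
        else:
            findings.append(f"forward {fw.proto}/{fw.ext_port} -> {fw.host}:{fw.int_port} "
                            "is not needed for ARC")
    if not arc_forwarded and not cfg.dmz_host:
        findings.append(f"no TCP forward to {arc_host}:{arc_port}; ARC will not reach the Core")
    return findings


def single_port_config(arc_host: str, arc_port: int) -> RouterConfig:
    """The corrected setting: one TCP forward, no DMZ, no UPnP."""
    return RouterConfig(forwards=[Forward("tcp", arc_port, arc_host, arc_port)])


def render_nft(arc_host: str, arc_port: int, wan: str = "wan0", lan: str = "lan0") -> str:
    """One way to express that single forward as an nftables ruleset on a Linux router
    (assumption: interface names wan0/lan0; adjust to the real ones)."""
    return f"""table ip nat {{
  chain prerouting {{
    type nat hook prerouting priority -100; policy accept;
    iifname "{wan}" tcp dport {arc_port} dnat to {arc_host}:{arc_port}
  }}
}}
table ip filter {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "{lan}" accept
    iifname "{wan}" ip daddr {arc_host} tcp dport {arc_port} ct state new accept
  }}
}}
"""


if __name__ == "__main__":
    weak = RouterConfig(dmz_host="192.168.1.9")          # the "exposed host" setting
    for line in audit(weak, "192.168.1.9", 63518):
        print("FINDING:", line)
    print("corrected config findings:",
          audit(single_port_config("192.168.1.9", 63518), "192.168.1.9", 63518))
    print(render_nft("192.168.1.9", 63518))
```

The point of the drop policy in the forward chain is that only the one new-connection rule lets WAN traffic through to the Core; SMB on 445/139 is never forwarded, so the music share stays LAN-only while ARC keeps working.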

Aleksei I see @danny is interested now, as expected.
He will want full information of your setup, but I will let him ask.

Sorry to hear about your issue, but not 100% sure this is easily explained in a ROCK environment.

1 Like

I think this ransomware generates the text files containing this kind of threatening message on all filesystems that are affected.
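Since the note file is the first thing a user notices, here is an added example (not code from Roon or from anyone in this thread) of a read-only scan that looks for the three indicators discussed here: a dropped note matching the wording quoted at the top, audio files with a foreign extension appended, and audio files whose header no longer matches their extension. The list of audio formats and their leading bytes is an assumption about what such a library holds; the sample tree is constructed inline.

```python
"""Look for ransomware indicators in a music library (added example, read-only)."""
import os
import tempfile

# Phrases taken from the note quoted in this thread plus one generic word; two or more
# hits in one small text file are treated as a ransom note.
NOTE_PHRASES = ("all your files have been encrypted", "your unique id",
                "you can buy decryption", "bitcoin")
# Audio formats assumed for the library, with the bytes a genuine file of that format
# starts with (bytes.startswith accepts a tuple of alternatives).
AUDIO_MAGIC = {
    ".flac": (b"fLaC",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".wav": (b"RIFF",),
    ".ogg": (b"OggS",),
    ".aiff": (b"FORM",),
}
NOTE_EXTS = {".txt", ".html", ".hta", ""}   # where ransom notes are usually written


def is_ransom_note(path: str) -> bool:
    """True when the first 8 KiB of a text file contain at least two note phrases."""
    try:
        with open(path, "rb") as f:
            text = f.read(8192).decode("utf-8", errors="ignore").lower()
    except OSError:
        return False
    return sum(p in text for p in NOTE_PHRASES) >= 2


def header_mismatch(path: str, ext: str) -> bool:
    """True when a file keeps its audio extension but its header is gone (encrypted in place)."""
    with open(path, "rb") as f:
        head = f.read(8)
    return not head.startswith(AUDIO_MAGIC[ext])


def scan(root: str) -> dict:
    """Walk the tree and collect paths for each indicator; nothing is modified."""
    findings = {"notes": [], "renamed": [], "mismatched": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            if ext in AUDIO_MAGIC:
                if header_mismatch(path, ext):
                    findings["mismatched"].append(path)
            elif os.path.splitext(stem)[1] in AUDIO_MAGIC:
                # "song.flac.<something>": an extra extension appended to an audio file
                findings["renamed"].append(path)
            elif ext in NOTE_EXTS and is_ransom_note(path):
                findings["notes"].append(path)
    return findings


def build_sample_tree() -> str:
    """Constructed library: one clean file, one unrelated file, three indicators."""
    root = tempfile.mkdtemp(prefix="roon_scan_")
    album = os.path.join(root, "album")
    os.makedirs(album)
    files = {
        "01.flac": b"fLaC" + bytes(range(256)),            # intact FLAC header
        "02.flac.locked": bytes(range(255, -1, -1)),        # renamed after encryption
        "03.mp3": b"\x8a\x1f\x00\x47" + bytes(range(64)),   # overwritten in place, header gone
        "cover.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,    # unrelated file, must not be flagged
        "README_DECRYPT.txt": ("All your files have been encrypted with 0XXX Virus.\n"
                               "Your unique id: EXAMPLE-ID\n"
                               "You can buy decryption for 3000$USD in Bitcoins.\n").encode(),
    }
    for name, data in files.items():
        with open(os.path.join(album, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for kind, paths in scan(build_sample_tree()).items():
        print(f"{kind}: {[os.path.basename(p) for p in paths]}")
```

Run it against the real library root instead of the sample tree to get the evidence this thread keeps asking for: where the note files sit tells you which filesystem was written to, and the renamed/mismatched counts tell you whether the audio itself was touched or only a note was dropped.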

If he exposed all of his ROCK to the internet, it is possible that someone could get to his files. However, no one is going to encrypt them by downloading 12 terabytes of music files (over the internet) and then upload them back onto his machine. Having the encryption run on the ROCK is also unlikely due to the non-standard ROCK OS, but the question would be how that happened. We need a lot more of this scenario/situation laid out.

Yeah, I wanted him to show us that file, the drive structure, etc.

Do you still have that 12TB disk? It doesn't seem to be connected to your ROCK.

I was referring to original explanation with 1 port open.

I think if open in a full DMZ mode, then it's an anything-is-possible situation. SMB v1 with guest write access :face_with_peeking_eye:

I thought most providers blocked all Microsoft SMB ports these days, but I guess not

0XXX can be distributed by hacking through an insecure RDP configuration, email spam and malicious attachments, fake downloads, botnets, exploits, malicious ads, web injections, fake updates, repackaged and infected installers.

It encrypts WD NAS (Western Digital My Book Network Attached Storage) devices with AES+RSA and then demands a ransom of # BTC to get the files back. Original title: 0XXX Virus. The file says: no data. Exploits known or new NAS device vulnerabilities.


Detections:
DrWeb
ALYac
Avira (no cloud)
BitDefender
ESET-NOD32
Kaspersky
Malwarebytes
Microsoft
Rising
Symantec
Tencent
TrendMicro

If that’s helpful at all.

DMZ :man_facepalming:

Is he saying his internet provider told him to do this as he can’t forward one port?

Let’s wait for @Aleksei_Domanin coming back with the answers to @danny’s questions.

He may be overwhelmed at the moment.

It also looks like he’s using a translator because of this sentence:

Think, It is necessary to put a Firewall separately at Fortigate’s house

There could be a lot lost in translation here.

@Aleksei_Domanin – please try to describe what your network and computer setup is like, what computers and other devices were involved, and what you’ve changed since you discovered the ransomware.