Used Roon Arc for a week. Then from the outside they encrypted my local library of 12600 albums
All your files have been encrypted with 0XXX Virus.
Your unique id: Bla bla bla
You can buy decryption for 3000$USD in Bitcoins.
F!
Roon Core reinstalled, ports off, Roon ARC uninstalled. Bravo, developers in the security department!
This was attacking Linux systems in 2021… It seems it’s still doing its round. Anything from WD Cloud drives to custom Linux servers, Windows machines, etc.
I thought it was something that needed to be run locally, so therefore a user must download it. But it seems these are being remotely executed too…
Roon Core on an Intel NUC, using a 12 TB USB disk.
The ports were opened by the provider; in the router I did port forwarding to the local IP 192.168.1.9. [Router Services] MiniDLNA OFF, UPnP OFF, DHCP/DNS OFF.
From the outside, nothing but the Intel NUC is visible. Port 63518.
Aleksei
Then you really need to open a ticket directly in its own thread so there can be some kind of investigation, as I am sure Roon would be interested in full system details.
There are a lot of us using ARC with a minimum of one TCP port enabled.
I have no reason to doubt @Aleksei_Domanin’s claim, but I’m highly dubious this happened due to ARC or Roon, or to the music being used by Roon. @Aleksei_Domanin’s implication is that somehow Roon was involved. These are serious allegations and I want some evidence that this was related to Roon before we investigate.
These are great questions.
I requested some logs from his system and I do see a ROCK with 2 USB drives, and Roon can still find the music on them.
I’m unsure where he would have seen this message about bitcoins and what system would have been subject to ransomware. It wasn’t the 2 music disks attached to the ROCK, or the ROCK system itself.
Also, because ROCK has no user interface, it’s unclear where he saw the ransomware message.
Used DMZ / Exposed Host.
I can open all ports at the provider or close all ports. On one port, they tell me there is no way. Think, It is necessary to put a Firewall separately at Fortigate’s house
If he exposed all of his ROCK to the internet, it is possible that someone could get to his files. However, no one is going to encrypt them by downloading 12 terabytes of music files (over the internet) and then upload them back onto his machine. Having the encryption run on the ROCK is also unlikely due to the non-standard ROCK OS, but the question would be how that happened. We need a lot more of this scenario/situation laid out.
Yah, I wanted him to show us that file, the drive structure, etc.
Do you still have that 12 TB disk? It doesn't seem to be connected to your ROCK.
0XXX can be distributed by hacking through an insecure RDP configuration, email spam and malicious attachments, fake downloads, botnets, exploits, malicious ads, web injections, fake updates, and repackaged and infected installers.
It encrypts WD NAS (Western Digital My Book Network Attached Storage) devices with AES+RSA and then demands a ransom of # BTC to get the files back. Original title: 0XXX Virus. The file says: no data. Exploits known or new NAS device vulnerabilities.
It also looks like he's using a translator because of this sentence:
Think, It is necessary to put a Firewall separately at Fortigate’s house
There could be a lot lost in translation here.
@Aleksei_Domanin – please try to describe what your network and computer setup is like, what computers and other devices were involved, and what you’ve changed since you discovered the ransomware.