FreeNAS and Ransomware

Status
Not open for further replies.
Joined
Mar 14, 2017
Messages
5
Hi

I set up FreeNAS as an archive server in work a few years ago for old, old data. It's built up to quite a few TBs. Unfortunately over this weekend our main server was hit with a ransomware attack (DMA Locker 3.0). I've been able to rebuild it from a few backups so am hopefully fine with that, but as I've been checking machines and adding them back to the network I've noticed that it now has no volumes and no drives attached. I'm guessing it's not a coincidence and that the data is gone, but thought I'd check before I report this to my MD.

Thanks
 
Joined
Feb 2, 2016
Messages
574
I'm not entirely sure what you're asking.

Are you snapshotting regularly? That would be the quickest way to get your data back. The FreeNAS server itself isn't susceptible to encryption using that ransomware, just the data accessible from your clients. So, if you have a good snapshot, you can quickly recover.

Cheers,
Matt
 
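A check for the snapshot coverage described above, as an added example that is not part of the original post and is not FreeNAS code: it lists datasets whose newest snapshot is missing or older than a limit. The pool name `tank`, the dataset and snapshot names, the epoch values and the function name `snapshot_gaps` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are the text produced on the NAS by:
#   zfs list -H -o name -t filesystem,volume
#   zfs list -H -p -o name,creation -t snapshot
# (-H: tab-separated, no header; -p: creation time as epoch seconds)

# Constructed sample data; "tank" is a hypothetical pool name.
DATASETS=$(printf 'tank\ntank/archive\ntank/scratch')
SNAPSHOTS=$(printf 'tank@auto-a\t1489104000\ntank/archive@auto-a\t1489104000\ntank/archive@auto-b\t1489449600')

snapshot_gaps() {
    # $1 = dataset list, $2 = snapshot list, $3 = now (epoch), $4 = max age (seconds)
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F '\t' -v now="$3" -v max="$4" '
        $0 == "---" { insnaps = 1; next }          # separator between the two lists
        !insnaps && NF { order[++n] = $1; next }   # remember datasets in listed order
        insnaps && NF {
            split($1, parts, "@")                  # snapshot names are dataset@snapname
            ds = parts[1]
            t = $2 + 0                             # force numeric comparison
            if (!(ds in newest) || t > newest[ds]) newest[ds] = t
        }
        END {
            for (i = 1; i <= n; i++) {
                ds = order[i]
                if (!(ds in newest))
                    print ds "\tNONE"              # nothing to roll back to
                else if (now - newest[ds] > max)
                    print ds "\tSTALE\t" int((now - newest[ds]) / 3600) "h"
            }
        }'
}

# Report datasets with no snapshot in the last 24 hours (constructed "now").
snapshot_gaps "$DATASETS" "$SNAPSHOTS" 1489500000 86400
```

On a live system, pass the output of the two `zfs list` commands and `$(date +%s)` in place of the sample values; any line printed is a dataset that a client-side encryption event could damage without a recent rollback point.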

JoshDW19

Community Hall of Fame
Joined
May 16, 2016
Messages
1,077
Many ransomware attacks like this are end-user specific; however, this one looks particularly nasty. Another thing to consider is could this even mess with a FreeBSD-based system / server. I would find it unlikely that it's intelligent enough to modify a ZFS-based Unix-like machine. I read a little about the ransomware and see that it specifically attacks network shares. Are you certain the data is unavailable if you physically look on the server? Is it possible that the client machines simply can't see the data because of the infection? Can you tell us in more detail what you've done so far with your network setup and server?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It's also possible that there has been some sort of unrelated error that you didn't notice until now. We can't help you until you provide more information. For instance:
- Version of FreeNAS
- Hardware Details
 
Joined
Mar 14, 2017
Messages
5
Thanks for all the replies so far, I'll try and give more information for this:
  • I'm not using snapshots (stupid, I know) as I just wanted the largest amount of space
  • When I try and navigate to share via file explorer I get a message 'this folder is empty'
  • When I try via the html interface and go to storage I get the message 'no entry has been found'
  • There are no volumes created but I can see all 5 disks under import
  • I've put the FreeNAS on its own network and used an old laptop to browse to it to ensure it's a clean client
  • The server is an HP microserver N36l with 8GB of RAM running FreeNAS-9.10.1 (d989edd)
I tried booting up the server with a USB of Ubuntu to see if I could see anything on the disks but they don't even appear. I assume the FreeBSD can't even be read by it.

Thanks
 
anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Don't boot with Ubuntu. Post output of the following commands:
zpool status
zfs list

Perhaps post a debug file "system" -> "advanced" -> "save debug" or PM it to me.
 
Joined
Mar 14, 2017
Messages
5
zpool status
'pool: freenas-boot
state: ONLINE
scan: scrub repaired 0 in 0h4m with 0 errors on Mon Feb 27 03:49:53 2017
config:

NAME STATE READ WRITE CKSUM
freenas-boot ONLINE 0 0 0
da0p2 ONLINE 0 0 0

errors: No known data errors
[root@freenas ~]# ^C
[root@freenas ~]# '

zfs list
'NAME                                                        USED   AVAIL  REFER  MOUNTPOINT
freenas-boot                                                5.15G  1.88G  31K    none
freenas-boot/ROOT                                           5.09G  1.88G  31K    none
freenas-boot/ROOT/FreeNAS-9.3-STABLE-201503200528           4.17M  1.88G  938M   /
freenas-boot/ROOT/FreeNAS-9.3-STABLE-201509282017           7.31M  1.88G  1009M  /
freenas-boot/ROOT/FreeNAS-9.3-STABLE-201605170422           3.65M  1.88G  1.04G  /
freenas-boot/ROOT/FreeNAS-ca82ba222c0be179a6983636c50732c3  5.08G  1.88G  1.22G  /
freenas-boot/ROOT/default                                   1.80M  1.88G  933M   legacy
freenas-boot/grub                                           40.4M  1.88G  10.3M  legacy
[root@freenas ~]#'

Thanks
 

Attachments

  • debug-freenas-20170316093055.tgz
    146.2 KB · Views: 203
Joined
Mar 14, 2017
Messages
5
Okay. This problem is unrelated to the cryptolocker problems that you had.
  • Check to see if your ZFS Volume is listed in the FreeNAS UI. http://doc.freenas.org/9.10/storage.html#view-volumes
  • If it is listed there, export it by clicking on "Detach Volume". DO NOT MARK THE DISKS AS NEW. DO NOT FEED IT THREE HAMS. THREE HAMS WILL KILL HIM.
  • Then try importing the pool again.

No, Volume Manager lists "no entry has been found", it looks like a volume has never existed.

Thanks anyway
 
Joined
Mar 14, 2017
Messages
5
Post output of "zpool import" from the CLI

I tried that after you posted the documentation earlier. There is no output; I've attached an image of it.

Thanks
 

Attachments

  • Capture.PNG
    5.7 KB · Views: 276