My GreenCloud VPS got ransomwared, the entire mothership?

Hello,

I have a Green CloudVPS virtual house that went offline.

They emailed me, leading me to believe it was the mothership machine disk, but this is not the case.

Mothership EpycSjc2 was infected. I went to my SolusVM to see why the VM was not booting, and when I mounted the rescue CD I saw this. This is an example of /var/log.

When I log in here, someone else recalls the same.

This is dishonest; they sent me this:

Dear valued customer,
We regret to inform you about an unforeseen situation on the EPYCSJC2 node that happened today (October 21st, 2024) leading to unavailability of your services. There was a RAID controller error on the node, which is an extremely rare event and we're working hard to rebuild it which may take up a few hours or days.
We will inform you asap via email once it's completed.

We apologize for the inconvenience and thank you for your understanding and patience in this situation.

Sincerely,
Your GreenCloud Team.

So they sent me the above on 21/10 at 3:15 AM US time.

Then the day after, 22/10 at 2:54 AM:

Dear (Customer),

We are reaching out to update you regarding the RAID failure on the node that hosted your VPS. Despite our efforts to restore the RAID, mdadm was unable to scan and assemble it. As a result, we will need to replace the affected drives and reinstall the node.

You have a couple of options moving forward:

  1. Receive a full refund of your recent payment to your original payment method, or receive account credit.
  2. Recreate your VPS and extend it for 1 year
    We can recreate your VPS on a SolusVM node (instantly) or Virtfusion node. For Virtfusion node, it will include one free backup slot to help protect against issues like this in the future.

Please note that it may take 24-48 hours for the Virtfusion node to be ready.
We sincerely apologize for any inconvenience this may have caused.
Best regards,
GreenCloud Team

But when I check rescue CD:

They have now deleted the VMs from SolusVM, but the user above was right. I saw the same when mounting the rescue CD. Why did @GreenCloudVPS lie to us?

I just bought another one in the 11th birthday sale, but this makes me fearful of using it.

Why the distrustfulness? Seems like a crockpot vendor to make their way like this. This was not the failure of a SWAT card, rather ransomware. Please be wary.

Poll: Would you trust host vendor in future, when lied about ransoms (50 votes)
  1. Yes: 16.00%
  2. 84.00%

Comments

  • icelandman Member
    edited October 23

    Yes, I feel they lied to us. Why can't they just tell us straight to the point about this issue?

    They also removed SJ listing from 'Premium KVM Sale' page

    Thanked by: JasonM, SLMob
  • yoursunny Member, IPv6 Advocate

    @un_used said:
    This was not the failure of a SWAT card, rather a ransomware.

    Proof of ransomware?

    Thanked by: xxsl
  • Petey_Long Member
    edited October 23

    @yoursunny said:

    @un_used said:
    This was not the failure of a SWAT card, rather a ransomware.

    Proof of ransomware?

    His YABS result is encrypted and junglesec has their name plastered everywhere. That seems like a fair assessment.

  • @yoursunny said: Proof of ransomware?

    Take a glance above at the screen blasts.

    When your RAID card fails, does it rename the file to [email protected]?

    It looks like this:

    https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/

    The gangsters have just changed to another mail host, but the other poster is right; it's the same. I feel betrayed ( ̄ー ̄)

  • NDTN Member, Patron Provider, Top Host

    I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into rescue iso to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.

  • @NDTN said:
    I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into rescue iso to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.

    So, when you caused irreparable damage because of your security problems, you chose to cheat consumers to deal with the problem? It's hard to imagine that this is what a responsible IDC would do.

    Thanked by: JasonM, gbzret4d
  • @NDTN said:
    I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into rescue iso to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.

    So nobody at greencloud was able to identify the issue, be honest about the ransomware, and update the customer about the security weakness on your side? No update after 2 days? Are you expecting the customer to do his/her own research to find out what's happening?

  • @icelandman said:

    @NDTN said:
    I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into rescue iso to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.

    So nobody at greencloud was able to identify the issue, be honest about the ransomware, and update the customer about the security weakness on your side? No update after 2 days? Are you expecting the customer to do his/her own research to find out what's happening?

    It is obvious that they are trying to shift the blame from their own inadequate security measures to the accidental failure of the hard drive.

    Thanked by: reikuzan, gbzret4d, SLMob
  • NDTN Member, Patron Provider, Top Host

    @mqkssqz said:

    @NDTN said:
    I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into rescue iso to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.

    So, when you caused irreparable damage because of your security problems, you chose to cheat consumers to deal with the problem? It's hard to imagine that this is what a responsible IDC would do.

    @icelandman said:

    @NDTN said:
    I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into rescue iso to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.

    So nobody at greencloud was able to identify the issue, be honest about the ransomware, and update the customer about the security weakness on your side? No update after 2 days? Are you expecting the customer to do his/her own research to find out what's happening?

    It's not intended as explained. There is a delay because I was away and there is a lack of senior technicians. We have the same security setups across our hundreds of nodes with no issues. This particular node is under investigation for the root cause. I will share the details once we have the confirmed information.

  • You seem to be hiding a reason. The second letter was sent twenty-four hours after the first.

    Before sending those membership emails, I think a senior engineer would check whether someone can read the file contents on the hypervisor.

    I stumbled across this document and Low End Talk found out why. It's hard to believe that even a novice computer repairman would miss this, and could easily google something like I did.

    Good morning, learn what a hardware error is, but not the truth. I'm sorry you didn't mention this before two forum members did. It's a pity, and face has been lost, but this is just my thought: now I cannot trust being surrounded by mountain demons.

    Check your upstream, NetActuate, for a supply chain attack? Or is your IPMI open to the outside perimeter? Either a USB drive or bad IPMI, but not a SWAT card.

  • The gangsters have just changed to another mail host, but the other poster is right; it's the same

    gangsters? which gang? :o

  • now I cannot trust being surrounded by mountain demons

    Can someone explain what mountain demons are

  • I have two 3-year VPSes at greencloud and saw these posts... Will follow to see what's happening.

  • @foitin said: gangsters? which gang? :o

    JungleSec, the mountain demons

    When originally reported in early November, victims were seen using Windows, Linux, and Mac, but there was no indication as to how they were being infected. Since then, BleepingComputer has spoken to multiple victims whose Linux servers were infected with the JungleSec Ransomware and they all stated the same thing; they were infected through unsecured IPMI devices.

    You running a SuperMicro pizza box with admin / admin?

  • I didn't expect such an old platform as SolusVM to be hacked.

    Hope GreenCloud can honestly announce some details of this security incident.

  • @foitin said: Can someone explain what mountain demons are

    Sorry for my words, I'm not a native speaker.

    It's a bad spirit

    How could they not find this? Why did a few members make this discovery, and not the admins, before sending the email of dishonest remarks 24 hours later?

    No Tripwire on the mothership. IPMI likely on an outside IP with admin/admin?

    Really sad; the server was perfect before, now my work is gone and I am too slow to make more than weekly offsite backups.

    Now I do not know what is lurking if the host is in question (・A・)

    Thanked by: raindog308
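One way to give a node the check the post above is asking about ("No Tripwire on the mothership"), as an added Python example that is neither the thread's nor GreenCloud's code: a file-integrity baseline in the spirit of Tripwire or AIDE. A manifest of SHA-256 digests is taken while the node is healthy and kept off the node; a later run reports what was added, removed, modified or merely renamed, which is how a mass rename-and-encrypt shows up before anyone blames the RAID card. The directory tree, the file names, the `.[ransom@example.invalid]` suffix and the 10% threshold in `alert_level` are all constructed assumptions for the walk-through, not anything reported in the thread.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire/AIDE.

Added example, not code from the thread or from any provider. Baseline
manifest taken while healthy, stored off the node, compared later.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large images do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map relative path -> digest/size/mode for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return manifest


def save_manifest(manifest: dict, dest) -> None:
    # In production write this somewhere the node itself cannot modify.
    Path(dest).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; a removed+added pair with equal digests is a rename."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    # Note: if several removed files shared one digest, only one pairing is kept.
    added_by_digest = {current[p]["sha256"]: p for p in added}
    renamed = {old: added_by_digest[baseline[old]["sha256"]]
               for old in removed if baseline[old]["sha256"] in added_by_digest}
    return {"added": added, "removed": removed, "modified": modified, "renamed": renamed}


def alert_level(diff: dict, total: int) -> str:
    """Assumed policy: more than a tenth of the baseline changed is an incident."""
    changed = len(diff["added"]) + len(diff["removed"]) + len(diff["modified"])
    return "incident" if total and changed / total > 0.1 else "routine"


def demo() -> tuple:
    """Constructed walk-through: baseline, then one routine and two other changes."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    (root / "var/log").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "home/user").mkdir(parents=True)
    (root / "var/log/syslog").write_text("Oct 21 03:00:00 node1 boot ok\n")
    (root / "etc/hostname").write_text("node1\n")
    (root / "home/user/report.txt").write_text("quarterly numbers\n")

    manifest_path = root.parent / (root.name + ".baseline.json")  # outside the tree
    save_manifest(build_manifest(root), manifest_path)

    # routine change: a log grows
    with (root / "var/log/syslog").open("a") as fh:
        fh.write("Oct 21 03:15:01 node1 cron ran\n")
    # benign rename: content untouched, so it pairs up as a rename
    (root / "etc/hostname").rename(root / "etc/hostname.bak")
    # hostile change: original gone, random bytes under a tagged name
    # (".[ransom@example.invalid]" is a constructed suffix for this example)
    (root / "home/user/report.txt").unlink()
    (root / "home/user/report.txt.[ransom@example.invalid]").write_bytes(os.urandom(512))

    baseline = load_manifest(manifest_path)
    diff = compare(baseline, build_manifest(root))
    return baseline, diff


if __name__ == "__main__":
    base, result = demo()
    print(alert_level(result, len(base)), json.dumps(result, indent=1))
```

The verification run belongs off the node too (a rescue environment or a separate host reading the disk), since on-box state is exactly what an intruder with IPMI-level access can alter along with the data.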
  • They must change the IPMI credentials ADMIN/ADMIN on all hundred nodes since they have the same security setup.

    Thanked by: un_used, Kebab, gbzret4d
  • @moreality said: I didn't expect such an old platform as SolusVM to be hacked.

    Not the Solus. The JungleSec gangsters say all is open IPMI, from the article.

    They said the machine was taken offline, but I remembered my Solus bookmark and tried to troubleshoot my disk failure, but found that instead.

    It's a slap to be lied to. The machine is on when they said it was off, and my VM is sitting there encrypted, sad, alone and desperate, but it cannot reach the public internet. Just on the VNC console, locked, and grub is with despair when trying to boot.

    Before this, Green Cloud was fine; now I am a little jaded.

  • bdl Member
    edited October 23

    @foitin said:

    now I cannot trust being surrounded by mountain demons

    Can someone explain what mountain demons are

    they live in the virtual house with the SWAT team

    amazing the hissy fits thrown by MJJs when they can't access their VPSes and their PH proxies :lol:

  • I don't understand why you are kicking up such a big fuss

    Thanked by: bdl, JohnFilch123
  • bdl Member

    @cybertech said:
    I don't understand why you are kicking up such a big fuss

    OP is encrypted, sad, alone and desperate ... with despair when trying to boot

    Thanked by: nghialele
  • @bdl said: they live in the virtual house with the SWAT team

    Sorry, I mistranslated. R A I D card, not a team. Google got this wrong.

    Will you be so mighty on your high horse when your machine is ransomwared? Or take it like a ladyboy and accept the lies?

    Did not mean to be a comedian here - I think it's serious that a rather popular virtual housing company became ransomwared, all houses gone on the San Jose mothership, and everyone sits around with thumbs up their asses.

  • bdl Member
    edited October 23

    @un_used said:

    @bdl said: they live in the virtual house with the SWAT team

    Sorry, I mistranslated. R A I D card, not a team. Google got this wrong.

    Will you be so mighty on your high horse when your machine is ransomwared? Or take it like a ladyboy and accept the lies?

    Did not mean to be a comedian here - I think it's serious that a rather popular virtual housing company became ransomwared, all houses gone on the San Jose mothership, and everyone sits around with thumbs up their asses.

    Transfer your service to me if it is not working anymore. Must throw in free iPad.

    Restore from backup and move on - rather than abusing randoms on an Internet forum?

  • @cybertech said: I don't understand why you are kicking up such a big fuss

    Everyone on my node got lies about the mothership being infected. Perhaps we are lucky it is just encrypted and not dumped to the internet?

    This seemed serious, but I guess with low end machines this is expected. I will go back to bare metal servers.

  • @un_used said:

    @moreality said: I didn't expect such an old platform as SolusVM to be hacked.

    Not the Solus. The JungleSec gangsters say all is open IPMI, from the article.

    They said the machine was taken offline, but I remembered my Solus bookmark and tried to troubleshoot my disk failure, but found that instead.

    It's a slap to be lied to. The machine is on when they said it was off, and my VM is sitting there encrypted, sad, alone and desperate, but it cannot reach the public internet. Just on the VNC console, locked, and grub is with despair when trying to boot.

    Before this, Green Cloud was fine; now I am a little jaded.

    I'm not very familiar with VPS management. I want to know if the attacker can get the plaintext content of my file with this attack method?

  • bdl Member

    This thread is better read while listening to this:

  • @moreality said: I'm not very familiar with VPS management. I want to know if the attacker can get the plaintext content of my file with this attack method?

    Yes. We were just lucky that they encrypted the machine instead of being interested in the data.

    @bdl said: Restore from backup and move on - rather than abusing randoms on an Internet forum?

    You make jokes about data security, and ninja edit to add tears when I reply. Sorry, but this is serious. I had backups, but the lack of disclosure is concerning.

  • @moreality said: I'm not very familiar with VPS management. I want to know if the attacker can get the plaintext content of my file with this attack method?

    Of course; once they got access, the attacker can read, write, remove, download, and encrypt your files. FYI the attacker encrypted all files on the SJ nodes and appended [email protected] to the file name.

    Thanked by: un_used
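For the check @un_used raised earlier ("When your RAID card fails, does it rename the file?") and the reply above describing files renamed with an address appended, here is an added Python triage script that is neither the thread's nor GreenCloud's code. Run against a volume mounted read-only from a rescue CD, it looks for the two things a RAID or filesystem fault does not produce: names systematically tagged with an e-mail address, and contents whose byte entropy is near random (encrypted) rather than readable. The sample tree, the `.[ransom@example.invalid]` tag and the 7.5 bits/byte threshold are constructed assumptions; in a real incident the tag is taken from the affected files.

```python
"""Triage a read-only mounted volume for ransomware indicators.

Added example, not code from the thread or from any provider. It separates
"ransomware" from "RAID/filesystem failure" using the two signs the thread
describes: e-mail-tagged file names and near-random (encrypted) contents.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic: an e-mail address, optionally in [...], at the very end of the
# name, e.g. "report.docx.[ransom@example.invalid]" (constructed tag; use the
# tag actually seen on the affected filesystem during a real incident).
EMAIL_TAG = re.compile(r"\.?\[?[\w.+-]+@[\w-]+(?:\.[\w-]+)+\]?$")

# Bits per byte above which a sample is treated as encrypted or compressed.
# Plain logs and configs score roughly 4-5; random data approaches 8.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_email_tag(name: str) -> bool:
    return EMAIL_TAG.search(name) is not None


def triage(root, sample_size: int = 64 * 1024) -> dict:
    """Walk `root` (a mounted, read-only volume) and collect the indicators."""
    root = Path(root)
    report = {"files": 0, "tagged": [], "high_entropy": [], "both": []}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        report["files"] += 1
        try:
            with path.open("rb") as fh:
                entropy = shannon_entropy(fh.read(sample_size))
        except OSError:
            continue  # unreadable sectors are expected on a damaged disk
        rel = path.relative_to(root).as_posix()
        tagged = has_email_tag(path.name)
        high = entropy >= ENTROPY_THRESHOLD
        if tagged:
            report["tagged"].append(rel)
        if high:
            report["high_entropy"].append(rel)
        if tagged and high:
            report["both"].append(rel)
    return report


def verdict(report: dict) -> str:
    """A systematic rename-plus-encrypt pattern points at ransomware, not a RAID fault."""
    if report["both"]:
        return "ransomware-indicators"
    if report["high_entropy"]:
        return "high-entropy-only"  # archives or images also score high; inspect
    return "no-indicators"


def build_sample_volume() -> str:
    """Constructed sample tree: two readable files, two 'encrypted' tagged ones."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "var/log").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "home/user").mkdir(parents=True)
    log_line = "Oct 21 03:15:01 node1 kernel: md0: device sda1 read-only\n"
    (root / "var/log/syslog").write_text(log_line * 200)
    (root / "etc/hostname").write_text("node1\n")
    for name in ("home/user/report.docx", "home/user/notes.txt"):
        # simulated ciphertext: random bytes stored under the tagged filename
        (root / f"{name}.[ransom@example.invalid]").write_bytes(os.urandom(4096))
    return str(root)


if __name__ == "__main__":
    sample = build_sample_volume()
    rep = triage(sample)
    print(verdict(rep), rep)
```

Entropy alone is not a verdict (compressed archives and media score high too), which is why `verdict` only calls it ransomware when the high-entropy files are also the renamed ones; a genuine controller or filesystem failure yields unreadable sectors and corrupted metadata, not a consistent new suffix on every file.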
  • bdl Member
    edited October 23

    @un_used said:

    @bdl said: Restore from backup and move on - rather than abusing randoms on an Internet forum?

    You make jokes about data security, and ninja edit to add tears when I reply. Sorry, but this is serious. I had backups, but the lack of disclosure is concerning.

    The edit was to make a grammatical change not to "add tears" (whatever the heck that means).

    @NDTN disclosed but you weren't happy with the response.

    If you've lost trust in your provider, cancel the service and move on (just like everything else in life). The whole point of virtual infrastructure (and backups) is to make this process trivial.
