Junglesec Ransomware - 9 Linux VMs are affected (Backup your data) - Ryzen 7000
Hey,
Just found out one of our nodes is affected by Junglesec ransomware and, by my count, 9 Linux VMs were affected; Windows VMs are still safe from it (probably).
Requesting everyone who is using our Ryzen 7000 VMs to back up their data while we do the same for everyone.
Sorry for the inconvenience. Additional updates will be provided through email.
Thanks for being with us.

Comments
Yikes
But it happens
Was your IPMI in the public? Were the nodes in the same facility as Greencloud by chance?
Francisco
@Fiberstate
Yes. IPMI was public.
Will upgrade and close them all, but before we do that we will have to back up all of our data.
Talk about terrible luck... Decided to start using my HostCram server for some critical infrastructure yesterday, thinking it would be a good choice seeing as it's paid for 3 years at a time and won't be going anywhere. Only hours later, this happens.
Why would you have your IPMI public? That's extremely irresponsible.
Let's wait and see how things go. Not going anywhere.
Asked Rack911 to see if they can recover our 9 clients' Linux VMs. Currently they are in grub rescue mode.
Let me know if anyone knows anything about this in detail.
Can only think of @NDTN at the moment.
Wait, so this is 5+ years old/known issue ? Not some 0-day ?
Just how we got them handed from the DC team.
Looking into private IP+VPN solution right now.
My server is unfortunately one of those 9 that are affected, but I have no doubt you'll do what you can.
I've already had to setup essential services on an alternative server due to the down time, but hopefully things go well and it's back up relatively soon.
IPMI should be on its own private vlan, source IPs should be restricted, and it should only be accessible through a jumphost (if you're really serious), otherwise a VPN will be fine.
@Shakib is there any chance you can share the ransom note for comparison with the GreenCloud incident?
Also, hats off being so open. It's never a question of whether security incidents will occur, the only question is how they're handled and remediated
Chances are my Fiberstate dedi is also vulnerable to this if it's IPMI-related, since I was just given a public IPMI IP + login.
Same
Accidents WILL happen, the only question is how they are handled
@Shakib check for the /usr/local/bin/ccrypt file and its date/time;
that's the exact time they breached.
You also have ENCRYPTED.md in your / directory, which contains a cock.li mail address,
and if they are able to mount VM drives into the system, encrypted files will have cock.li extensions.
Also, if you ever reboot a VM, the VM will never come back, because the MBR stuff (at the beginning of the VM disk) is also encrypted.
Secure IPMI, restore backups if possible, good luck...
Also check for any backdoor daemon running (mine didn't have any).
After I had my share of this shit 9 days ago I am seeing more and more of this attack.
Yes, Junglesec ransomware is from 2018, but this is not it; someone forked the same concept and is doing his own thing after changing a little bit of code.
Same concept but different approach (they do not f with host nodes, only VMs),
and most probably this was fully automated. I don't see any kind of manual interaction with any affected servers.
────────────────────────────────────────────────────────────────
(ASCII-art banner, garbled in extraction)
─────────────────────────────────────────────────────────────────
/* WARNING */ :
If you do not want to lose the single data, do not attempt to reboot, shutdown or hot kill any working process :
Doing so could result to a break and make not possible the recovery of one or multiples files.
/* WARNING */
I) What happen to my data ?
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a file(s) will most likely corrupt
it and made the recovery process not possible anymore, meaning your file(s) will be lost for good.
II) How can I retrieve them ?
To known the process, you must first send 0.037 bitcoin to the following address : 12SGy4N4f18KA9oSMSMgSSkPwWu8Fj3Wvq
Once the payment made, send your email address to [email protected], do not forget to mention the IP of server/computer
III) Will you send the process recovery once payment is made ?
We have zero interest to not send you the recovery process if payment is made.
We can if requested, decrypt one file to prove that the recovery process is working. The file must not exceed 5MB
Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hours,
IV) Will you leak any data on internet ?
V) Can you tell us how this hack happened ?
No supplementary bitcoin is required (this is only available if you have paid the ransom).
VI) What can I expect afterwards ?
VII) Where can I contact you ?
At [email protected]
Alternatively at [email protected]
By Jungle_Sec
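The indicators listed in the post above (the dropped ccrypt binary and its mtime, ENCRYPTED.md in /, renamed encrypted files, and an encrypted MBR) can be checked mechanically. The script below is an added example and is not code from the thread or from any of the parties named in it. It assumes the indicator paths exactly as the poster gave them, assumes the encrypted-file suffix is literally `.cock.li` (the post only says "cock.li extensions", so adjust the pattern if your files differ), and the function names are my own. Run it against `/` on a live host, or point it at the mount point of a VM disk attached read-only to a clean machine.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Linux root filesystem for the
# indicators listed in the post above. $1 is the root to inspect: "/" on a live
# host, or the mount point of a VM disk mounted read-only on a clean machine.
# Assumptions not stated by the poster: the encrypted-file suffix is exactly
# ".cock.li"; the indicator paths are taken literally from the post.

junglesec_iocs() {
    root="${1:-/}"
    hits=0

    # 1. Dropped ccrypt binary: its mtime is the poster's breach timestamp.
    if [ -f "$root/usr/local/bin/ccrypt" ]; then
        echo "HIT  ccrypt dropped: $(ls -ld "$root/usr/local/bin/ccrypt")"
        hits=$((hits + 1))
    fi

    # 2. Ransom note in /; pull out the contact address for comparison
    #    with other incidents.
    if [ -f "$root/ENCRYPTED.md" ]; then
        addr=$(grep -o '[A-Za-z0-9._%+-]*@cock\.li' "$root/ENCRYPTED.md" | sort -u | tr '\n' ' ')
        echo "HIT  ENCRYPTED.md present, contact: ${addr:-none found}"
        hits=$((hits + 1))
    fi

    # 3. Encrypted files (assumed suffix). -xdev keeps a live scan on one fs.
    n=$(find "$root" -xdev -type f -name '*.cock.li' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "HIT  $n file(s) with .cock.li suffix under $root"
        hits=$((hits + 1))
    fi

    echo "indicators matched: $hits/3"
    return "$hits"          # exit status is 0 only when nothing matched
}

# Check whether the MBR boot signature (bytes 510-511 = 55 AA) of a raw VM
# disk image is still intact. The poster reports the MBR itself gets
# encrypted, which is consistent with guests stuck in grub rescue.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Usage on a live host (as root):  junglesec_iocs /
# Usage on a raw image:            mbr_signature_ok /path/to/vm.img
```

A missing 55 AA signature only tells you the first sector was overwritten; GPT disks keep a protective MBR with the same signature, so a passing check does not prove the disk is clean. Treat the three filesystem indicators plus the ccrypt mtime as the starting point for a timeline, not as a full scan.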
This is why you "ZFS everything" + snapshots.
Are the IPMIs that vulnerable? Providers like @fiberstate have IPMI public iirc. Check every 2nd IP in a few of their ranges and it's an ASRock Rack IPMI.
Far from ideal that IPMI was public to begin with BUT I applaud you for your transparency, accountability and coming up with a plan to fix the problem (putting IPMI behind VPN). Hopefully you will take care of the customers that were affected as well since this was your fault, not theirs. Life is crazy, shit happens but how you handle the curve balls thrown at you is a good indicator of one's character. Happy to see that not all LowEnd providers try to sweep stuff like this under the rug.
That's honestly insane to provision new systems with public IPMI in 2024, glad I don't use anything on their network.
Waste of effort.
Customer is responsible for backups.
Give a 6-month service extension and wash your hands.
I am paying Rack911 just to look into it. Will have an update soon.
You should contact the FBI's cyber defense department, sometimes they are able to provide you with valid decryption keys pretty fast
And a source if you are wondering why:
https://www.itbrew.com/stories/2024/06/20/victims-of-lockbit-can-request-help-decryption-keys-from-the-fbi
I'd suggest killing IPMI immediately on any systems that are still open to the world.
If you can log in and set an ACL, do that. If you can't, you can set IPMI to a non-routable address using ipmitool from the host. Then when you have the ability to hook it up to a private network, do that.
Doing backups while actively under attack is too risky.
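The in-band ipmitool approach suggested above, and the private-VLAN/ACL advice given earlier in the thread, look like this in practice. The script below is an added example, not code from the thread or from any provider named in it. It assumes the host can talk to its own BMC in-band (ipmitool with no `-I`/`-H` options, i.e. via the `ipmi_si`/`ipmi_devintf` kernel modules), that LAN channel 1 is the one holding the public address (confirm with `ipmitool lan print`), and that you are root; the function names and the RFC 1918 guard are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): pull a BMC off the public internet from
# the host OS with ipmitool until it can live on a private management VLAN.
# Assumptions: in-band access to the BMC (no -I/-H needed), LAN channel 1 is
# the public one, and the script runs as root. Set IPMITOOL="echo ipmitool"
# to see the commands without executing them.

CHANNEL="${CHANNEL:-1}"
IPMITOOL="${IPMITOOL:-ipmitool}"

# True only for dotted-quad addresses inside an RFC 1918 block, so the BMC is
# never "fixed" onto a second public address by typo.
is_rfc1918() {
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=$(printf '%s' "$1" | cut -d. -f2)
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; else return 1; fi ;;
        *)         return 1 ;;
    esac
}

# Current BMC address, parsed from `ipmitool lan print <channel>` (the
# "IP Address" line, not "IP Address Source").
bmc_current_ip() {
    $IPMITOOL lan print "$CHANNEL" | awk -F': *' '/^IP Address *:/ {print $2; exit}'
}

# Re-address the BMC onto a private subnet, clear its default gateway so it
# cannot answer anything beyond its own subnet even if a route still points
# at it, optionally tag it into a management VLAN, then list the accounts
# that can still log in.
ipmi_lockdown() {
    new_ip="$1"; netmask="${2:-255.255.255.0}"; vlan="${3:-}"
    is_rfc1918 "$new_ip" || { echo "refusing: $new_ip is not an RFC 1918 address" >&2; return 2; }
    echo "current BMC address: $(bmc_current_ip)"
    $IPMITOOL lan set "$CHANNEL" ipsrc static
    $IPMITOOL lan set "$CHANNEL" ipaddr "$new_ip"
    $IPMITOOL lan set "$CHANNEL" netmask "$netmask"
    $IPMITOOL lan set "$CHANNEL" defgw ipaddr 0.0.0.0
    if [ -n "$vlan" ]; then
        $IPMITOOL lan set "$CHANNEL" vlan id "$vlan"
    fi
    # Disable any account you do not recognise with: ipmitool user disable <id>
    $IPMITOOL user list "$CHANNEL"
}

# Example: ipmi_lockdown 10.255.0.20 255.255.255.0 4000
```

Once this runs you lose remote access to the BMC until the private network or VPN/jumphost path exists, which is the point; do it from a console or SSH session on the host, not through the BMC's own KVM. Re-addressing does not evict an attacker who already has a BMC session or has modified its firmware, so rotate every BMC credential afterwards and treat a BMC firmware update as part of the rebuild, not an optional extra.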
I have been told that some of those 9 VMs are empty/have nothing important on them, some of my clients have backups, and probably 3 don't have backups and have important data on them.
We are trying to recover one of those at the moment.
At least learn to use knockd
Maybe you can get more help/details from https://www.nomoreransom.org/
Honestly, kinda wish I was affected
I have backups, it's just a minor inconvenience for a Linux VPS (Windows is another story)
Free extension, probably can cry a little and get free upgrade
Plus provider handles it like a champ
Also https://id-ransomware.malwarehunterteam.com/ from Michael Gillespie @ MalwareHunterTeam can point out if there are any decryption tools available. Some of these ransomware families use broken crypto or insufficient key sizes and are occasionally decryptable.