
Comments
This is what we've got on our hands.
At least he is directly honest, not like GreencloudVPS.
So Rack911 couldn't help. Every second file is encrypted.
Have to reinstall this node.
Already started securing and disabling all IPMI completely.
Excited for a round of ransomware-themed Black Friday deals from @Shakib!
Yeah, how they handled that incident killed any desire I had to use them.
So one of my clients wanted to pay for getting his VM decrypted.
Might be an option if the data is very important.
Better back up yourself. The data is yours and you can't rely on the provider.
Pay... who? Because if it's junglesec, IIRC it's dead and no one gives a fuck and/or gives you keys.
Direct and straight forward communication and status update.
Respect @Shakib
Actually I am getting replies from the attacker. He wouldn't decrypt the whole host node for anything less than what was mentioned, but he seems to be willing to decrypt one or two important VMs for a few hundred bucks.
And obviously I am asking him for future assurances as well, while also pulling the Ethernet cables out of our IPMI ports.
It’d be interesting to know the BMC version that was used here. I ordered an ARR B650D4U to see if I could poke around and find anything. Were simple/default passwords used?
It’s not worth negotiating. It’s unlikely that they’ll actually decrypt your data and it’s most likely a scam.
BMC Firmware Version 4.10.00
BIOS Firmware Version 3.11
PSP Firmware Version 00.2B.00.4F
Microcode Version 0a601203
Let's see.
Do keep us posted. Maybe it's best to send in a few bucks to get a file (<5 MB) decrypted before proceeding further.
It would be nice if mods could pin a post urging all providers to check if their IPMI is public and take action immediately.
@Shakib - did you notice any of your Windows "nodes" affected with this?
So, when do you offer flash sales of ultra-cheap servers? I trust your service and I'm looking for people jumping off the boat.
I am with @Shakib for 3+ years and plan to continue.
No. Windows VMs aren't affected by ccrypto that was used to encrypt. (90% sure)
Also if anyone is interested, this is what the attacker told me,
You should still back your data up.
And we might have found a solution to keep our nodes up even during a 300+ load average. New code was implemented on most of our Ryzen nodes, along with additional security features.
We couldn't find any vulnerabilities on our other nodes so far but I do suspect something. Will keep monitoring.
It seems one VM that was using netboot.xyz Debian OS might have survived the attack.
Only the client can confirm.
I think that was me?
How do I know if i survived the attack?
I remember a while ago I messed up something and the only way to load an OS was using netboot. So I think I installed using that.
I'm running netboot-installed Debian and got a ticket asking me to check my VPS. When I checked it out, it was at an initramfs prompt with the filesystem needing to be fsck'd. I ran the fsck and let it fix up whatever it wanted (I don't have any data I care about). Unfortunately, after the filesystem mounted I see the same junglesec files all over, so it's toast.
@Shakib
I have a node on Ryzen 7000 but I don't think I am affected. Still able to login to KASM. Are there multiple Ryzen 7000 nodes?
True. May we know the VPS node name(s) that are affected so we can check in the panel on which one we are?
Haven't received any ticket and VM seems fine.
Same, I got the initial email, but nothing else since. I assume I'm fine?
Regards for being upfront about this terrible occurrence, and not having users find out the opposite like at other hosts.
If IPMI is on the public network you will be hacked at some point. SM systems are the worst, but many others who use the same are not very secure. I would suggest anyone with a public-facing IPMI take backups and ask to, at the very least, whitelist a specific IP only to access it.
Ideally all providers should never give out a public IPMI address. Even for our single-server and plenty of full-rack colo customers, we offer to have their systems on our private VPN.
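A quick way to act on the two checks raised in this thread (is any BMC on a public address, and does it answer IPMI from the outside) is below. This is an added example, not code posted by anyone in the thread or shipped by any vendor mentioned here. It classifies inventory addresses by routability and builds the RMCP/ASF Presence Ping that tools like ipmiping and nmap's ipmi-version script send to UDP 623; the packet layout follows the ASF 2.0 and IPMI 2.0 specifications. The inventory list and the sample Pong bytes are constructed for the example, and 1.2.3.4 is a placeholder standing in for a BMC that ended up on a public address. Caveat: a BMC that does not answer ASF ping can still expose its web UI or KVM on TCP 80/443/5900, so a silent UDP 623 is not proof of safety.

```python
"""Audit BMC/IPMI exposure: flag public BMC addresses and probe UDP 623 with an
ASF Presence Ping (RMCP). Added example for this thread; sample data is constructed."""
import ipaddress
import socket
import struct
from typing import Dict, List, Optional

RMCP_PORT = 623
RMCP_VERSION = 0x06
RMCP_SEQ_NO_ACK = 0xFF      # sequence number 0xFF: receiver must not send an RMCP ACK
RMCP_CLASS_ASF = 0x06
ASF_IANA = 0x000011BE       # IANA enterprise number 4542 (ASF)
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
PONG_DATA_LEN = 0x10        # a Presence Pong carries 16 data bytes


def classify_bmc_addresses(addresses: List[str]) -> Dict[str, List[str]]:
    """Split BMC inventory addresses into publicly routable vs. private/reserved."""
    result: Dict[str, List[str]] = {"public": [], "private": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # is_global is False for RFC 1918, loopback, link-local and IANA-reserved ranges
        result["public" if ip.is_global else "private"].append(addr)
    return result


def build_presence_ping(tag: int = 0x00) -> bytes:
    """RMCP header (4 bytes) + ASF message header (8 bytes), no data."""
    rmcp = struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_SEQ_NO_ACK, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(data: bytes) -> Optional[Dict[str, object]]:
    """Decode a Presence Pong; return None for anything that is not a valid Pong."""
    if len(data) < 12 + PONG_DATA_LEN:
        return None
    version, _reserved, _seq, cls = struct.unpack("!BBBB", data[:4])
    iana, msg_type, tag, _reserved2, length = struct.unpack("!IBBBB", data[4:12])
    if (version, cls, iana, msg_type) != (RMCP_VERSION, RMCP_CLASS_ASF, ASF_IANA, ASF_PRESENCE_PONG):
        return None
    if length != PONG_DATA_LEN:
        return None
    oem_iana, oem_defined, entities, interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),          # supported entities bit 7: IPMI
        "asf_version": entities & 0x0F,                   # bits 3:0: 1 = ASF v1.0
        "rmcp_security_ext": bool(interactions & 0x80),   # supported interactions bit 7: RMCP+
    }


def probe_bmc(host: str, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send a Presence Ping to host:623 and decode the reply (network call, not run offline).
    A decoded Pong with ipmi_supported=True means the BMC answers IPMI from where you ran this."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _peer = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample Pong as a BMC would send it: IPMI supported, ASF v1.0, RMCP+ available.
SAMPLE_PONG = bytes.fromhex(
    "06 00 ff 06"             # RMCP: version 6, reserved, seq 0xFF, class ASF
    "000011be 40 00 00 10"    # ASF: IANA 4542, Presence Pong, tag 0, reserved, 16 data bytes
    "00000000 00000000"       # OEM IANA, OEM defined
    "81 80"                   # supported entities 0x81, supported interactions 0x80
    "000000000000"            # reserved
)

# Constructed inventory; 1.2.3.4 is a placeholder for a BMC mistakenly given a public address.
SAMPLE_INVENTORY = ["10.10.0.21", "192.168.100.5", "1.2.3.4"]

if __name__ == "__main__":
    print(classify_bmc_addresses(SAMPLE_INVENTORY))
    print(build_presence_ping().hex())
    print(parse_presence_pong(SAMPLE_PONG))
    # Against a real inventory, run probe_bmc(addr) from a host outside the provider's network
    # for every address listed under "public".
```

Run the probe from a machine outside the provider's network; a BMC that replies to the ping from there is reachable by anyone, which is the situation the posts above describe. Restricting the BMC subnet to a VPN or a source-IP allowlist at the upstream router is the fix, since most BMC firmware offers little filtering of its own.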
I have a backup copy that I could restore on another node if you want to give it another shot.
Only the Neptune node with 9 Linux VMs was affected so far.
I suspect one more IPMI could be compromised. Just monitoring it for now.