Junglesec Ransomware - 9 Linux VMs are affected (Backup your data) - Ryzen 7000


Comments

  • Shakib Member, Patron Provider

    @zGato said:

    @shajeeafzal said:
    @Shakib

    I have a node on Ryzen 7000 but I don't think I am affected. Still able to log in to KASM. Are there multiple Ryzen 7000 nodes?

    True. May we know the VPS node name(s) that are affected so we can check in the panel which one we are on?
    Haven't received any ticket and the VM seems fine.

    ceres, jupiter, saturn, neptune, eris, mercury

    neptune was affected.

  • shajeeafzal Member
    edited November 2024

    I am on Ceres....phew....

    or is the "one more node" Ceres :o

    Thanked by 1: Shakib
  • @JabJab said: Pay.. who? Because if junglesec, iirc it's dead and no one gives a fuck and/or gives you keys

    Junglesec replied to my email :D

    Thanked by 1: Shakib
  • Neoon Community Contributor, Veteran
    edited November 2024

    @Shakib said:

    @shajeeafzal said:
    @Shakib

    I have a node on Ryzen 7000 but I don't think I am affected. Still able to log in to KASM. Are there multiple Ryzen 7000 nodes?

    Only the Neptune node with 9 Linux VMs was affected so far.

    I suspect one more IPMI could be compromised. Just monitoring it for now.

    Why don't you disconnect the IPMI?!
    So you risk that this machine also gets compromised?!

    Thanked by 1: Shakib
  • @HackedServer said:
    Unfortunately after the filesystem mounted I see the same junglesec files all over, so it's toast.

    Name checks out.

    Sorry, had to.
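A triage script for the situation @HackedServer describes (a victim disk mounted read-only on a clean host, ransom notes "all over"). This is an added example, not code from the thread or from any provider mentioned in it. It walks the mount, looks for the two markers that appear in the ransom note quoted later in this thread (the "Jungle_Sec" signature and the bitcoin address), and estimates per-file Shannon entropy to separate overwritten ciphertext from surviving plaintext. The note filename, the directory layout and the sample files are constructed for the demo and are not from the page.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Markers taken from the ransom note quoted in this thread: the signature
# "Jungle_Sec" and the bitcoin address. Anything else here is an assumption.
NOTE_MARKERS = (b"Jungle_Sec", b"12SGy4N4f18KA9oSMSMgSSkPwWu8Fj3Wvq")
# Bits per byte: ciphertext sits near 7.99, text/config/code well below 6.
# Compressed media (jpg, gz, zip) also scores high, so the verdict rests on
# the fraction of suspect files plus a present note, not on any single file.
HIGH_ENTROPY = 7.5
MIN_SAMPLE = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    """True when the first 64 KiB of the file contains one of the note markers."""
    try:
        head = path.read_bytes()[:65536]
    except OSError:
        return False
    return any(marker in head for marker in NOTE_MARKERS)


def triage(mount_root, sample_bytes: int = 4096) -> dict:
    """Walk a read-only mounted guest filesystem and summarise what is there."""
    notes, suspect, scanned = [], [], 0
    for path in Path(mount_root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if is_ransom_note(path):
            notes.append(str(path))
            continue
        try:
            with path.open("rb") as fh:
                chunk = fh.read(sample_bytes)
        except OSError:
            continue
        if len(chunk) < MIN_SAMPLE:
            continue  # too small for a meaningful entropy estimate
        scanned += 1
        if shannon_entropy(chunk) >= HIGH_ENTROPY:
            suspect.append(str(path))
    ratio = len(suspect) / scanned if scanned else 0.0
    return {
        "notes": sorted(notes),
        "suspect_files": sorted(suspect),
        "scanned": scanned,
        "high_entropy_ratio": ratio,
        "likely_encrypted": bool(notes) and ratio >= 0.5,
    }


def build_sample_mount(root) -> None:
    """Constructed sample only: a fake guest tree with a note and 'encrypted' files."""
    root = Path(root)
    (root / "var/www/html").mkdir(parents=True)
    (root / "var/lib/mysql").mkdir(parents=True)
    (root / "etc").mkdir()
    # plaintext survivors: low entropy
    (root / "etc/hostname").write_bytes(b"neptune-guest\n" * 40)
    (root / "var/www/html/index.php").write_bytes(b"<?php echo 'hello'; ?>\n" * 30)
    # random bytes stand in for files the ransomware overwrote with ciphertext
    for name in ("var/www/html/app.tar", "var/lib/mysql/ibdata1", "var/lib/mysql/data.ibd"):
        (root / name).write_bytes(os.urandom(4096))
    # the note carries the markers quoted above; the filename is an assumption
    (root / "var/www/html/README_TO_RECOVER.txt").write_bytes(
        b"Your data are encrypted. Send 0.037 bitcoin to "
        b"12SGy4N4f18KA9oSMSMgSSkPwWu8Fj3Wvq\nBy Jungle_Sec\n"
    )


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_mount(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = demo()
    print(f"notes: {len(result['notes'])}, suspect: {len(result['suspect_files'])} / {result['scanned']}")
    print("verdict:", "likely encrypted" if result["likely_encrypted"] else "no encryption signal")
```

Run it against a real mount with `triage("/mnt/victim")` after mounting the image with `-o ro,noexec`. The entropy threshold flags compressed archives and images as well as ciphertext, which is why the verdict also requires a note; an intact `/var/www` or `/var/lib/mysql` tree showing up as low-entropy is the signal that data can still be copied out, which matches what the provider reports later in the thread.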

  • Shakib Member, Patron Provider
    edited November 2024

    @Neoon said:

    @Shakib said:

    @shajeeafzal said:
    @Shakib

    I have a node on Ryzen 7000 but I don't think I am affected. Still able to log in to KASM. Are there multiple Ryzen 7000 nodes?

    Only the Neptune node with 9 Linux VMs was affected so far.

    I suspect one more IPMI could be compromised. Just monitoring it for now.

    Why don't you disconnect the IPMI?!
    So you risk that this machine also gets compromised?!

    We have already pulled all the other IPMI Ethernet cables. Only the neptune IPMI is online, as we will reinstall it soon.

    We have managed to decrypt one client's VM data. The VPS is unusable after decrypting, but www and mysql are intact. So that's something.

    Edit: It can boot now but most of the apps aren't running as expected. It can probably be fixed, but we will just take the data and rebuild.
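The provider's answer to the IPMI question is to unplug the BMC network cables. A way to confirm that from another host on the management segment, as an added example and not the provider's or anyone else's tooling from this thread: the RMCP/ASF presence ping on UDP 623 is the same discovery probe that BMC scanners send, and a BMC that has been unplugged (or firewalled) simply never answers. The packet layout follows the ASF/RMCP specification; the sample pong bytes and the target address in the usage note are constructed for the demo. The thread does not say how the IPMI was compromised, so this checks reachability only, nothing about authentication strength.

```python
import socket
import struct

RMCP_PORT = 623
ASF_IANA = 0x000011BE      # IANA enterprise number for ASF
PRESENCE_PING = 0x80       # ASF message type: presence ping
PRESENCE_PONG = 0x40       # ASF message type: presence pong


def build_presence_ping(tag: int = 0) -> bytes:
    """RMCP header + ASF presence ping: 12 bytes, no authentication involved."""
    # RMCP: version 6, reserved, sequence 0xff (no ACK requested), class 6 = ASF
    rmcp = bytes([0x06, 0x00, 0xFF, 0x06])
    # ASF: IANA enterprise number, message type, tag, reserved, data length 0
    asf = struct.pack(">IBBBB", ASF_IANA, PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(data: bytes):
    """Return a dict for a valid presence pong, None for anything else."""
    if len(data) < 12 or data[0] != 0x06 or data[3] != 0x06:
        return None
    iana, mtype, tag, _reserved, dlen = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or mtype != PRESENCE_PONG:
        return None
    if dlen < 10 or len(data) < 12 + dlen:
        return None
    body = data[12:12 + dlen]
    # body: IANA(4) OEM-defined(4) supported entities(1) supported interactions(1) reserved(6)
    entities = body[8]
    return {
        "tag": tag,
        "oem_iana": struct.unpack(">I", body[0:4])[0],
        "ipmi_supported": bool(entities & 0x80),  # bit 7 set = IPMI over LAN
        "asf_version": entities & 0x0F,
    }


def probe_bmc(host: str, timeout: float = 2.0):
    """Send one presence ping; None means nothing answered on UDP/623."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _addr = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample: what a BMC that speaks IPMI replies with (tag 0, ASF v1.0).
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"          # RMCP header
    "000011be"          # ASF IANA
    "40000010"          # pong, tag 0, reserved, data length 16
    "000011be"          # IANA echoed in body
    "00000000"          # OEM defined
    "81"                # supported entities: IPMI supported | ASF 1.0
    "00"                # supported interactions
    "000000000000"      # reserved
)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("demo parse:", parse_presence_pong(SAMPLE_PONG))
    else:
        answer = probe_bmc(target)
        print(f"{target}: {'no answer on UDP/623' if answer is None else answer}")
```

Usage is `python3 bmcprobe.py 10.0.0.5` with the BMC address substituted (that address is a placeholder). A pong with `ipmi_supported` true means the BMC is still on the wire; no answer is consistent with the cable being pulled, but a BMC with ASF pings disabled or a firewall dropping UDP 623 looks the same, so treat silence as necessary, not sufficient.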

  • @Shakib said:
    ────────────────────────────────────────────────────────────────

    mmm m m mm m mmm m mmmmmm mmmm mmmmmm mmm
    # # # #"m # m" " # # #" " # m" "
    # # # # #m # # mm # #mmmmm "#mmm #mmmmm #
    # # # # # # # # # # "# # #
    "mmm" "mmmm" # ## "mmm" #mmmmm #mmmmm "mmm#" #mmmmm "mmm"

                [email protected]
    

    ─────────────────────────────────────────────────────────────────

    /* WARNING */ :

    If you do not want to lose a single piece of data, do not attempt to reboot, shut down or hot-kill any running process:

    Doing so could cause a break and make the recovery of one or multiple files impossible.

    /* WARNING */

    I) What happened to my data?

    Your data are encrypted. If you try to bruteforce, change the path or the name, or do anything that alters a single byte of a file, it will most likely be corrupted and the recovery process will no longer be possible, meaning your file(s) will be lost for good.

    II) How can I retrieve them?

    • To learn the process, you must first send 0.037 bitcoin to the following address: 12SGy4N4f18KA9oSMSMgSSkPwWu8Fj3Wvq

    • Once the payment is made, send your email address to [email protected]; do not forget to mention the IP of the server/computer.

    III) Will you send the recovery process once payment is made?

    • We have zero interest in not sending you the recovery process if payment is made.

    • If requested, we can decrypt one file to prove that the recovery process works. The file must not exceed 5MB.

    • Once the payment is made, you should receive the recovery process to decrypt your data in less than 24 hours.

    IV) Will you leak any data on the internet?

    • If payment is made, your data will not be leaked, as if this never happened. Otherwise your data could be leaked, sold or exploited.

    V) Can you tell us how this hack happened?

    • In case you are in the dark about how this security problem happened, you may ask for details; we will provide you the step by step of what we did.
      No supplementary bitcoin is required (this is only available if you have paid the ransom).

    VI) What can I expect afterwards?

    • If you have been ransomed and payment was made, you won't get pwned by us again. All the communication between us and all data regarding this security breach will be removed, as if this never happened.

    VII) Where can I contact you?

    At [email protected]

    Alternatively at [email protected]

    By Jungle_Sec

    0.037 bitcoin = 25,000 Chinese Yuan.

  • Shakib Member, Patron Provider

    And the attacker told me that he will not attack HostCram servers anymore. :*

  • Neoon Community Contributor, Veteran

    @Shakib said:

    @Neoon said:

    @Shakib said:

    @shajeeafzal said:
    @Shakib

    I have a node on Ryzen 7000 but I don't think I am affected. Still able to log in to KASM. Are there multiple Ryzen 7000 nodes?

    Only the Neptune node with 9 Linux VMs was affected so far.

    I suspect one more IPMI could be compromised. Just monitoring it for now.

    Why don't you disconnect the IPMI?!
    So you risk that this machine also gets compromised?!

    We have already pulled all the other IPMI Ethernet cables. Only the neptune IPMI is online, as we will reinstall it soon.

    We have managed to decrypt one client's VM data. The VPS is unusable after decrypting, but www and mysql are intact. So that's something.

    Edit: It can boot now but most of the apps aren't running as expected. It can probably be fixed, but we will just take the data and rebuild.

    Okay, I take back what I said before then.
    I thought from your words that your IPMI would still be at risk and connected.

    Thanked by 1: Shakib
  • @Shakib said:
    And the attacker told me that he will not attack HostCram servers anymore. :*

    The first "bulletproof" junglesec ransomware provider :o

    Thanked by 3: Shakib, SLMob, Warkos
  • As if they know what belongs to whom unless they get IP subnets from the host to whitelist them.

    Thanked by 1: Shakib
  • Shakib Member, Patron Provider

    @Mumbly said:
    As if they know what belongs to whom unless they get IP subnets from the host to whitelist them.

    That's right. Already checked our subnet against his logs.

  • @Shakib said:
    And the attacker told me that he will not attack HostCram servers anymore. :*

    What about the other group? I mean, are they the only ones doing this?

    Thanked by 1: Shakib
  • One of my servers at TempestHosting, which doesn't have public access to IPMI, has been hacked, so I'm not sure if the issue is really an IPMI flaw that's being exploited.

    Thanked by 1: Shakib
  • @jaimedelano said: I'm not sure if the issue is really an IPMI flaw that's being exploited.

    It is not. In your case. Obviously.

    Thanked by 1: Shakib
  • Shakib Member, Patron Provider

    We have assigned everyone affected a new VPS with 6 months free service as compensation.

    Also helping with restoring their data on their new VPS.

  • Hello, I'm on one of the unaffected nodes, but I can't access my server, and it's not showing in the panel.

    Thanked by 1: Shakib
  • Shakib Member, Patron Provider

    @adiegoweb said:
    Hello, I'm on one of the unaffected nodes, but I can't access my server, and it's not showing in the panel.

    Is that ceres? We did a complete sweep, added some new code and secured it properly.

    Reboots are necessary. Should be up in a few minutes.

  • Now it's all working.

    Thanks Shakib, sorry this happened to you. I think you have been the best provider; the few times I needed support it was always on point.

    Thanked by 2: Shakib, dev_vps
  • Shakib Member, Patron Provider

    @adiegoweb said:

    Now it's all working.

    Thanks Shakib, sorry this happened to you. I think you have been the best provider; the few times I needed support it was always on point.

    <3 <3 <3
