Thursday, October 13, 2022

Ransomware Attack!

One afternoon I was out for a walk when I got an email from my Synology NAS. It informed me that user Admin had tried to log in unsuccessfully multiple times from an IP address in Taiwan. An hour later it happened again, from a different IP address in a different part of the world. Maybe some bored kid was trying to break into my server looking for warez and pr0n. 

When I got home and checked the NAS logs, they showed that I'd been under some kind of automated hack attack all day; it continued as I watched the failed logins in real time. In the NAS logs the failed Admin logins went on for page after page; they'd been methodically at this for hours. Something was trying to log in as user Admin and guess the PW, around 7-10 attempts per minute, each time from a different IP address supposedly in different parts of the world. I guess that the only reason I got alerted at all was that their IP address randomizer wasn't random enough, and my NAS spilled the beans when it noticed multiple failed logins from the same IP address. I shut the server down for an hour; when I fired it back up the attack began again immediately. Somebody, or more likely something on behalf of somebody, was trying to guess the password of the server administrator.
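The alert described above only fired because one source address repeated: a per-IP auto-block rule is blind to a campaign that spreads its guesses across dozens of addresses, but a rule that counts failures per target account, regardless of source IP, sees the whole thing. The following is an added example, not code from the post and not Synology's log format or auto-block logic: a small Python detector run over constructed log lines that mimic the attack (40 failed "admin" logins in about five minutes from 38 addresses, one of them reused three times, plus a real user fat-fingering a password). The log line format, the 203.0.113.0/24 and 198.51.100.0/24 addresses, and the thresholds (3 failures per IP, 20 per account, in a 10-minute window) are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the constructed log format used below. It approximates a NAS
# connection log; it is NOT Synology's actual format (assumption).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] failed to log in"
)

FAIL = "failed to log in via [DSM] due to authorization failure."
OK = "logged in successfully via [DSM]."


def build_sample_log():
    """Constructed sample: 40 failed 'admin' logins, one every 8 seconds
    (about 7-8 per minute), from 38 distinct addresses; 203.0.113.7 is reused
    three times, like the attacker's not-quite-random address pool. A real
    user 'alice' mistypes her password twice and then logs in."""
    base = datetime(2022, 10, 13, 14, 0, 0)
    lines = []
    for i in range(40):
        ip = "203.0.113.7" if i % 15 == 0 else f"203.0.113.{i + 10}"
        ts = (base + timedelta(seconds=8 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} User [admin] from [{ip}] {FAIL}")
    for offset, event in ((60, FAIL), (90, FAIL), (120, OK)):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} User [alice] from [198.51.100.4] {event}")
    return sorted(lines)  # timestamps lead each line, so this is chronological


def parse_failures(lines):
    """Yield (timestamp, user, ip) for each failed-login line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect(lines, window=timedelta(minutes=10), per_ip_limit=3, per_user_limit=20):
    """Sliding-window failure counter.

    Per-IP rule: mimics an auto-block feature, blocks an address once it alone
    has per_ip_limit failures in the window.
    Per-user rule: counts failures against an account from ANY address, so a
    distributed guesser that never reuses an IP still trips it.
    Returns (blocked_ips, alerted_users, distinct_ips_per_user)."""
    ip_hits, user_hits = defaultdict(deque), defaultdict(deque)
    user_ips = defaultdict(set)
    blocked, alerted = set(), set()
    for ts, user, ip in parse_failures(lines):
        for key, table in ((ip, ip_hits), (user, user_hits)):
            q = table[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop events older than the window
                q.popleft()
        user_ips[user].add(ip)
        if len(ip_hits[ip]) >= per_ip_limit:
            blocked.add(ip)
        if len(user_hits[user]) >= per_user_limit:
            alerted.add(user)
    return blocked, alerted, {u: len(s) for u, s in user_ips.items()}


def failure_rate_per_minute(lines, user):
    """Average failed logins per minute against one account over the sample."""
    stamps = [ts for ts, u, _ in parse_failures(lines) if u == user]
    if len(stamps) < 2:
        return 0.0
    span_minutes = (max(stamps) - min(stamps)).total_seconds() / 60
    return len(stamps) / span_minutes


if __name__ == "__main__":
    log = build_sample_log()
    blocked, alerted, ips = detect(log)
    print("per-IP rule blocked:", sorted(blocked))        # only the reused address
    print("per-account rule alerted:", sorted(alerted))   # the whole campaign
    print("distinct source IPs per account:", ips)
    print(f"admin failures/min: {failure_rate_per_minute(log, 'admin'):.1f}")
```

On this sample the per-IP rule blocks just 203.0.113.7, the one address the attacker reused, and the other 37 addresses are never touched; the per-account rule raises "admin" after the twentieth guess no matter where the guesses came from. Two caveats for anyone turning the second rule into an automatic lockout rather than an alert: it lets an attacker lock a legitimate account out on purpose, and it does nothing for an account the attacker does not know exists, which is exactly why renaming or disabling the default administrator account is so effective against this kind of campaign.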

This was a brute-force ransom attack: after they guessed the Admin password and got in, they'd encrypt all of my data on the NAS, present me with a login screen explaining what they'd done, and demand payment in Bitcoin to decrypt my data. But what these crooks didn't know was that on Synology's advice I had disabled the Admin account and given admin rights to a different account 3 years ago. In order to get in and hold my data for ransom they'd have to guess that username and PW. I know that I'm going to find it a pain in the ass, but I also put that login on two-step authentication.

I was still enraged; it was like watching a burglar try to jimmy open my front door and being unable to do or say anything. I eventually shut them down by denying all external requests at the firewall. The next morning, when I opened the firewall to the outside world again, he, they, it was gone. But I expect that they, or someone else, will be back.