
[tor-relays] Tor Node infected with ransomware



Hello there,


today I woke up to an execution error of the relayor playbook.
I then tried to look into the affected node (tor-nl1.skankhunt42.pw; nickname skankhunt42nl1) and couldn't SSH into it. So I went to the hoster's VNC console and found a ransomware notice:

Your files are encrypted, requires payment for decrypting
Contact us: Telegram: @cloudcone_raidbot

UUID: bfaa20d9-7b11-417d-a702-cfa95d6c203c

I then tried to boot into recovery and look at the disk but as expected, partition table and ext4 superblocks were gone.

hexdump head of the disk was just the ransomware note shown above.
I was running Ubuntu 24.04 Minimal with ESM enabled and unattended-upgrades, everything else managed by relayor. I obviously checked the other nodes for unusual SSH logins (as they had the same SSH key) and didn't find anything.

I am rotating the keys for now and shut down the VPS at HostSlick. Not sure if there is something to further investigate maybe. What's odd is that I couldn't find anything about "cloudcone_raidbot", doesn't even exist on telegram.



I really want to understand what I did wrong.
Maybe someone with more experience may take a look at it?

Best,

skankhunt42

_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx
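The check the poster describes (looking at the other relays that shared the same SSH key for unusual logins) is the kind of thing worth scripting rather than eyeballing. The following is an added example, not code from the post or from relayor: it parses OpenSSH `sshd` log lines in the standard syslog/journal format, lists accepted logins from source addresses outside an operator-supplied allowlist, maps each accepted key fingerprint to the sources that used it (a shared key turning up from a new address is exactly what a key-compromise looks like), and flags addresses that both failed and later succeeded. The log lines, the hostnames and addresses, the fingerprints and the allowlist are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (syslog format as written by OpenSSH); not real data.
SAMPLE_LOG = """\
Jan 10 03:12:41 relay sshd[1201]: Accepted publickey for relay from 203.0.113.10 port 51022 ssh2: ED25519 SHA256:EXAMPLEfingerprintOfSharedKey
Jan 10 03:40:02 relay sshd[1240]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 10 04:01:55 relay sshd[1302]: Accepted publickey for relay from 198.51.100.7 port 40120 ssh2: ED25519 SHA256:EXAMPLEfingerprintOfSharedKey
Jan 10 04:02:10 relay sshd[1302]: Disconnected from user relay 198.51.100.7 port 40120
Jan 10 05:11:00 relay sshd[1410]: Invalid user admin from 192.0.2.55 port 33001
"""

# Successful login: method (publickey/password), user, source, and, for
# publickey logins, the key type and SHA256 fingerprint OpenSSH appends.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)
# Failed attempts: "Failed password for [invalid user] X from IP" or "Invalid user X from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<iuser>\S+)) from (?P<ip>\S+) port"
)


def parse_auth_log(text):
    """Split sshd log text into lists of accepted and failed login records."""
    accepted, failed = [], []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groupdict())
            continue
        m = FAILED_RE.search(line)
        if m:
            failed.append({"user": m.group("user") or m.group("iuser"), "ip": m.group("ip")})
    return accepted, failed


def triage(text, known_sources):
    """Summarise what an operator would want to see after a suspected key compromise.

    known_sources: set of source addresses the operator expects logins from
    (an assumed allowlist; in practice this comes from the operator's own records).
    """
    accepted, failed = parse_auth_log(text)

    # 1. Accepted logins from addresses not on the allowlist.
    unusual = [a for a in accepted if a["ip"] not in known_sources]

    # 2. Which sources used which key: a key seen from a new address is the
    #    signal that matters when several hosts share one authorized key.
    key_sources = defaultdict(set)
    for a in accepted:
        if a["fp"]:
            key_sources[a["fp"]].add(a["ip"])

    # 3. Sources that failed at least once and also got in.
    failed_counts = defaultdict(int)
    for f in failed:
        failed_counts[f["ip"]] += 1
    failed_then_accepted = {a["ip"] for a in accepted} & set(failed_counts)

    return {
        "unusual_logins": unusual,
        "key_sources": {fp: sorted(ips) for fp, ips in key_sources.items()},
        "failed_counts": dict(failed_counts),
        "failed_then_accepted": failed_then_accepted,
    }


if __name__ == "__main__":
    # On a live host: journalctl -u ssh --no-pager | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    report = triage(text, known_sources={"203.0.113.10"})
    for entry in report["unusual_logins"]:
        print(f"UNUSUAL: {entry['user']} from {entry['ip']} via {entry['method']} key={entry['fp']}")
    for fp, ips in report["key_sources"].items():
        print(f"KEY {fp} used from: {', '.join(ips)}")
    for ip in sorted(report["failed_then_accepted"]):
        print(f"FAILED-THEN-ACCEPTED: {ip} ({report['failed_counts'][ip]} failures)")
```

The allowlist is the weak point of any such check: it has to come from the operator's own knowledge of where they administer from, and the script only reports, it does not decide. Note too that a log read from a host that has already been wiped is worthless; the value is in running this on the surviving hosts that share the key, and in shipping sshd logs off-box before an incident rather than after.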