I've been hit by ransomware

Installed octoprint onto a Pi and added it to my network and was using VPN to connect but now my server has been hit with ransomware.
How do I confirm that the Raspberry Pi wasn't the culprit?
I didn't set it up for remote access as I was using VPN and changed the user name and password for the web interface, but I did leave the default Raspbian raspberry and pi login. I only had two plug-ins installed, PSU Control and temperature shutdown. How do I go about confirming that the Pi was or wasn't the cause? I'm not sure I want to even try and connect to the web interface from another computer and risk infecting it.

Hi @Ricoghardforth,

Firstly, sorry to hear that this happened to you. I hope you have backups!

The most likely culprit in such a situation is an email attachment, clicking a sketchy link, downloading files from sketchy websites, just to name a few. If you didn't have your OctoPrint publicly facing, it is extremely unlikely that it's been compromised, and it is even less likely to have anything to do with your current situation. Usually, ransomware (and other malware) targets Windows computers far more than Linux. That isn't to say that there isn't malware for Linux as well, there is, but it takes a great deal more effort for it to be installed than is the case on a Windows box.


By this, do you mean the OctoPi instance (or the Raspbian OS which you added OctoPrint to)? Or do you mean a different server and if so, what is its operating system?

VPN: What VPN are you using, is it hardware-based or software-based?

Router: You might mention what network router you're using.

If you're worried about the Pi, connect a keyboard/monitor/mouse to it and investigate it. Feel free to disconnect it from your network as you do so.
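The advice above is to pull the Pi off the network and look at it directly. One concrete thing to look at while you have a keyboard on it is the SSH authentication log, since the thread's concern is that the default `pi` account was left with its default password. The script below is an added example and not part of the original post or of OctoPrint; it parses sshd lines in the `/var/log/auth.log` format and flags successful logins for the default account, logins from addresses outside private (RFC 1918) ranges, and repeated failures from one address. The sample log lines are constructed for illustration, and the `LAN_NETS` list and the threshold of five failures are assumptions you would adjust to your own network.

```python
"""Triage an SSH auth log from a Raspberry Pi for signs the default 'pi'
account was used to get in. Example code (not from the OctoPrint project);
the sample log below is constructed."""
import ipaddress
import re
from collections import Counter

# Raspbian's default login, which the thread says was left unchanged.
DEFAULT_USERS = {"pi"}

# Assumption: the local network uses RFC 1918 space; anything else is "remote".
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: this many failures from one address is worth reporting.
FAILED_THRESHOLD = 5

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample in auth.log format (IPs from documentation ranges).
SAMPLE_LOG = """\
Jan 13 09:02:11 octopi sshd[812]: Accepted publickey for admin from 192.168.1.20 port 50122 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Jan 13 22:41:05 octopi sshd[1440]: Failed password for pi from 203.0.113.45 port 41022 ssh2
Jan 13 22:41:09 octopi sshd[1442]: Failed password for pi from 203.0.113.45 port 41024 ssh2
Jan 13 22:41:14 octopi sshd[1444]: Failed password for pi from 203.0.113.45 port 41026 ssh2
Jan 13 22:41:20 octopi sshd[1446]: Failed password for pi from 203.0.113.45 port 41028 ssh2
Jan 13 22:41:25 octopi sshd[1448]: Failed password for pi from 203.0.113.45 port 41029 ssh2
Jan 13 22:41:31 octopi sshd[1452]: Accepted password for pi from 203.0.113.45 port 41030 ssh2
Jan 14 07:15:02 octopi sshd[1600]: Failed password for invalid user admin from 192.168.1.30 port 51000 ssh2
"""


def is_lan(ip: str) -> bool:
    """True if the address falls inside one of the assumed local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def triage(lines):
    """Return a list of human-readable findings for the given auth.log lines."""
    findings = []
    failed = Counter()
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue  # not an sshd accept/fail line; ignore
        result, method, user, ip = m.group("result", "method", "user", "ip")
        if result == "Failed":
            failed[ip] += 1
            continue
        # Successful login: check who got in and from where.
        if user in DEFAULT_USERS:
            findings.append(f"default account '{user}' logged in from {ip} via {method}")
        if not is_lan(ip):
            findings.append(f"login for '{user}' from non-LAN address {ip}")
    for ip, n in failed.items():
        if n >= FAILED_THRESHOLD:
            findings.append(f"{n} failed logins from {ip} before any success")
    return findings


if __name__ == "__main__":
    # On a real Pi: triage(open("/var/log/auth.log"))
    for f in triage(SAMPLE_LOG.splitlines()):
        print("FINDING:", f)
```

One caveat that matters for this thread: L2TP VPN clients are usually handed an address from the local pool, so a login that arrived over the VPN will look like a LAN login to this check. Read the VPN server's connection log alongside `auth.log` if you need to tell the two apart, and remember that a log is only as trustworthy as the box it came from; copy it off the Pi before doing anything else.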

Thanks. I've brought the Pi back home and used my own PC running a virtual (just in case) to log on to the web interface, and everything looks normal to me. The only other plugin installed I didn't mention was Fullscreen by Paul de Vries, and it was TemperatureFailsafe by Uriah Welcome and PSU Control by Shawn Bruce. So I don't think the Pi was the source of the ransomware getting on the network. Problem is this happened over the weekend when no one was logged in and only a few days after connecting the Pi to the network, so everyone thinks this is the probable cause.

I can assure you none of those plugins or OctoPrint itself was the culprit here. If anything I would agree with @jubaleth that this came in from an email link or bad embedded code in a compromised website.

I meant another server on the network which has managed to get the ransomware on it (Windows Small Business Server 2012). I downloaded the image (OctoPrint image 2019-09-26-octopi-buster-lite-0.17.0.img) directly from OctoPrint.org - Download & Setup OctoPrint and used win32diskimager to burn it to an SD card. I enabled access control within the web interface with a new user and password and used the default options for nearly everything. Then I installed the three plugins mentioned before from within the web interface. The only thing I didn't do was change the pi default raspberry password, as I thought it would be OK as we were only going to access it either from the local network or via our software VPN (L2TP). I enabled automatic updates, so I assume OctoPrint was going out onto the internet to check for updates; is there any chance this connection was hijacked?

Not unless your whole network was already compromised and vulnerable to a MitM attack. Any communication between OctoPrint and the update servers (aka Github) is secured via TLS.

Frankly, I'd look at other attack vectors, as already pointed out by others. The plugins you mentioned are quite popular, and if one of those was the attack vector I'm pretty sure I'd have heard about it by now from other people too. As you didn't port forward/publicly expose your instance on the net, I don't really see how it could be the point of entry here. Just because it was recently added doesn't mean that it was the source of your ransomware, especially not as, as already mentioned, that usually gets injected via different and way more widespread ways. I don't know who "we" is here, but it sounds like this might be a corporate setting? I suggest a proper post mortem with special attention to missed updates on the server in question, and link handling & surfing behaviour of users on the network, instead of pointing fingers at a 3D print server.


Thank you, you've managed to reassure me the 3D print server wasn't the cause of the hijack.

The newest thing on your network isn't always the soft point, especially a more hardened OS like Raspbian. It's had years of "Debian" for ARM development. Start with the "known weakest" point (any Windows machine) and start digging there. Good luck, monsters are hard (sometimes) to find.