guy30000
Posts: 9
Joined: Mon Mar 28, 2016 5:45 pm

Nyton Virus

Wed Nov 20, 2019 6:59 pm

I'm posting this for some advice. I have a Pi 3 B board I've been using as a torrent box. I also have TightVNC installed and SSH enabled. I am happy to say I don't care about the files on the connected hard drive, which were just a couple of new Raspbian images and such, plus a few personal files. But checking that drive I found this file, !NYTON_HELP.TXT, containing the following:
"
All your files have been encrypted with Nyton Virus.
Your unique id: CENSORED

As a private person you can buy decryption for 300$ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.

To do this:
1) Download and install Tor Browser ( https://www.torproject.org/download/ )
2) Open the CENSORED.onion web page in the Tor Browser and follow the instructions.
"
I censored anything that might be personal to me. I happened to be rebuilding this box so I'm not concerned with anything on this. No joke either, all the files on it are unopenable. My question is how this could have happened. I use Deluge over a VPN. I have TightVNC, which I use to view the desktop, and use SSH via PuTTY for the command line.
I do have a suspicion about TightVNC. I would frequently attempt to access it only to get an error saying too many failed login attempts, forcing me to restart it. I'm wondering if there has just been an ongoing brute force attack on that and they finally got in.
I consider myself a newb when it comes to Linux; I have to research the most basic things. Any thoughts on this? I'm trying to figure out a way to make TightVNC only work locally (I thought I had to forward router ports to allow outside access). I know I can't find much help since we can't really know how I got compromised, but I'm hoping to make my new iteration secure.
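A check for the "only work locally" question in the post above, added here as an example and not part of anyone's post: it parses `ss -ltn` output (a constructed sample is embedded) and flags VNC listeners bound to every interface instead of loopback. It assumes TightVNC's `vncserver -localhost` option and an SSH `-L` tunnel as the fix, and that Python is available on the Pi.

```python
# Constructed sample of `ss -ltn` output (not from the original post): sshd and
# a TightVNC display :1 (port 5901) bound to every interface, a second display
# correctly bound to loopback only, and TightVNC's Java viewer port 5800.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*
LISTEN  0       5             0.0.0.0:5901        0.0.0.0:*
LISTEN  0       5           127.0.0.1:5902        0.0.0.0:*
LISTEN  0       5                   *:5800              *:*
"""

# Wildcard binds are reachable from the whole LAN and, once the router forwards
# the port, from the internet; a loopback bind is reachable only via SSH tunnel.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

def split_addr_port(field):
    """Split an ss 'Address:Port' field; handles '[::]:22' and '*:5800'."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)

def parse_listeners(text):
    """Return (addr, port) for every LISTEN row of `ss -ltn` output."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the header
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN":
            rows.append(split_addr_port(cols[3]))
    return rows

def is_vnc_port(port):
    # RFB displays :0-:99 use 5900-5999; TightVNC's Java viewer uses 5800-5899.
    return 5800 <= port <= 5999

def exposed_vnc(text):
    """VNC listeners bound to a wildcard address rather than loopback."""
    return sorted((a, p) for a, p in parse_listeners(text)
                  if is_vnc_port(p) and a in WILDCARD_ADDRS)

if __name__ == "__main__":
    for addr, port in exposed_vnc(SAMPLE_SS_OUTPUT):
        print(f"VNC port {port} listens on {addr}: start the server with "
              f"'vncserver -localhost' and connect via 'ssh -L {port}:localhost:{port}'")
```

On the real box, feed it the output of `ss -ltn` instead of the sample; anything it reports is reachable from the LAN without going through SSH.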

fruitoftheloom
Posts: 21998
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Nyton Virus

Wed Nov 20, 2019 7:44 pm

Nyton Virus is Windows ransomware, so not much related to Linux ??


There is no ARM Port of Tor Browser.


RealVNC Connect is included with Raspbian Operating System:

https://www.realvnc.com/en/raspberrypi/

RealVNC is fully supported by the developers running in Raspbian.

jeanfred
Posts: 1
Joined: Thu Nov 21, 2019 9:16 pm

Re: Nyton Virus

Thu Nov 21, 2019 9:26 pm

Hey

fruitoftheloom, I respect you since I see you're a lot active here.

But, you did not look at the virus name, it's NYTON.
And to pay the ransom, you need to log on to the TOR network using a TOR Browser. You DON'T need to do it FROM the Raspberry Pi.

Also, I got this virus on November 18th, around 3-4 PM Eastern time.

It affected my LibreELEC and encrypted the partition that is read/write (/storage). After reboot, my LibreELEC was "new": I saw the configuration menu that we use on the first boot.
It also encrypted all the media I had on this media server (video, music, pictures).

None of my Windows boxes were infected.

I'm using SSH and I changed the default password.
I'm using a docker extension and I run a MySQL Database inside that docker.
That box shares the external hard drive using Samba 3 to my Windows box (so I can put new content on it).

My router is not forwarding any ports to that box.

On another Raspberry Pi running Raspbian, I have a PiVPN that is listening on a specific port. I think it might be THAT box that infected my LibreELEC. But I haven't opened this box again yet. Since the attack, it's closed. I will try to find the virus offline.

If I find something, I will let you know.

lorus77
Posts: 4
Joined: Sat Nov 23, 2019 12:42 pm

Re: Nyton Virus

Sat Nov 23, 2019 12:50 pm

I can tell you exactly how it happened: you installed a Kodi add-on from an "unofficial" repository. Whatever read-write data sources were set up on Kodi at that time, this program was able to access and encrypt your files in that folder.

Either connect the NAS as read-only to Kodi, or don't install things from untrusted sources.

guy30000
Posts: 9
Joined: Mon Mar 28, 2016 5:45 pm

Re: Nyton Virus

Mon Nov 25, 2019 5:17 pm

lorus77 wrote:
Sat Nov 23, 2019 12:50 pm
I can tell you exactly how it happened: you installed a Kodi add-on from an "unofficial" repository. Whatever read-write data sources were set up on Kodi at that time, this program was able to access and encrypt your files in that folder.

Either connect the NAS as read-only to Kodi, or don't install things from untrusted sources.
I did not install Kodi on this.

dustnbone
Posts: 189
Joined: Tue Nov 05, 2019 2:49 am

Re: Nyton Virus

Mon Nov 25, 2019 7:35 pm

If this drive was shared with write access on a network with Windows boxes, that's how it got encrypted. You need to check any and all Windows boxes on that network immediately. Ideally disconnect them from each other, disable file sharing on them and individually disinfect them.

The Pi isn't likely the one that's infected with ransomware. I've never heard of any Linux machine being infected like that; not saying it's impossible, it's just not what generally happens.

Imperf3kt
Posts: 3375
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Nyton Virus

Mon Nov 25, 2019 7:46 pm

What are the 'personal files' you were torrenting?
Maybe one of them gave you the virus?

lorus77
Posts: 4
Joined: Sat Nov 23, 2019 12:42 pm

Re: Nyton Virus

Tue Nov 26, 2019 1:45 pm

guy30000 wrote:
Mon Nov 25, 2019 5:17 pm
lorus77 wrote:
Sat Nov 23, 2019 12:50 pm
I can tell you exactly how it happened: you installed a Kodi add-on from an "unofficial" repository. Whatever read-write data sources were set up on Kodi at that time, this program was able to access and encrypt your files in that folder.

Either connect the NAS as read-only to Kodi, or don't install things from untrusted sources.
I did not install Kodi on this.
Let me try to explain: Kodi was installed on computer A. Kodi on computer A had a read-write data source (SMB, SFTP) pointing to computer B, which was actually running the NAS. Still not clear on the mechanism of the attack though. Judging by the timestamp of the affected directories, the attack took place on Nov 18 around 1 PM ET. But based on what I see, 100% sure that it used the information from the Kodi data source.

Is Kodi vulnerable if web remote control is enabled?
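The writable-share angle raised by dustnbone (a drive shared with write access to Windows boxes) and in the Kodi data source explanation above, as an added example that is not from either poster: it audits a Samba smb.conf (a constructed fragment is embedded) and lists the shares a LAN host could write to, applying Samba's documented semantics for `read only`, `writable`/`writeable` and `write list`.

```python
# Constructed smb.conf fragment (not from the thread): guest-writable, read-only,
# and write-list-only shares, the kinds a media box typically exports.
SAMPLE_SMB_CONF = """\
[media]
   path = /media/usb/media
   read only = no
   guest ok = yes
[images]
   path = /media/usb/images
   writable = no
[private]
   path = /home/pi/private
   read only = yes
   write list = pi
"""
TRUE_VALUES = {"yes", "true", "1"}
def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = []
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections
def share_is_writable(params):
    # Samba semantics: 'read only' defaults to yes, 'writable'/'writeable' are its
    # inverse, the last setting wins, and 'write list' users may write regardless.
    read_only, write_list = True, ""
    for key, value in params:
        if key == "read only":
            read_only = value.lower() in TRUE_VALUES
        elif key in ("writable", "writeable"):
            read_only = value.lower() not in TRUE_VALUES
        elif key == "write list":
            write_list = value
    return (not read_only) or bool(write_list)
def writable_shares(text):
    """(share, who) for each share that accepts writes; 'guest' needs no password."""
    found = []
    for name, params in parse_smb_conf(text).items():
        if name != "global" and share_is_writable(params):
            guest = dict(params).get("guest ok", "no").lower() in TRUE_VALUES
            found.append((name, "guest" if guest else "users"))
    return found
```

Any share it reports as "guest" can be encrypted by anything on the LAN that can reach port 445, infected Windows box or Kodi add-on alike; switching it to `read only = yes` (with a `write list` for the one account that needs to add content) is the fix both posters are describing.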

lorus77
Posts: 4
Joined: Sat Nov 23, 2019 12:42 pm

Re: Nyton Virus

Tue Nov 26, 2019 1:46 pm

Imperf3kt wrote:
Mon Nov 25, 2019 7:46 pm
What are the 'personal files' you were torrenting?
Maybe one of them gave you the virus?
That would only work if the downloaded file was executed. Is this a vulnerability in deluge?

lorus77
Posts: 4
Joined: Sat Nov 23, 2019 12:42 pm

Re: Nyton Virus

Tue Dec 31, 2019 4:04 am

An update. I have more or less pieced together what happened. See my post here: https://www.bleepingcomputer.com/forums ... ?p=4927992
