I'm posting this for some advice. I have a Pi 3 B board I've been using as a torrent box. I also have TightVNC installed and SSH enabled. I am happy to say I don't care about the files on the connected hard drive, which were just a couple of new Raspbian images and such, plus a few personal files. But checking that drive I found this file, !NYTON_HELP.TXT, containing the following:
All your files have been encrypted with Nyton Virus.
Your unique id: CENSORED
As a private person you can buy decryption for 300$ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
To do this:
1) Download and install Tor Browser ( https://www.torproject.org/download/
2) Open the CENSORED.onion web page in the Tor Browser and follow the instructions.
I censored anything that might be personal to me. I happened to be rebuilding this box, so I'm not concerned with anything on it. No joke either, all the files on it are unopenable. My question is how this could have happened. I use Deluge over a VPN. I have TightVNC, which I use to view the desktop, and I use SSH via PuTTY for the command line.
I do have a suspicion about TightVNC. I would frequently attempt to access it only to get an error saying too many failed login attempts, forcing me to restart it. I'm wondering if there has just been an ongoing brute force attack on that and they finally got in.
I consider myself a newb when it comes to Linux; I have to research the most basic things. Any thoughts on this? I'm trying to figure out a way to make TightVNC only work locally (I thought I had to forward router ports to allow outside access). I know I can't find much help since we can't really know how I got compromised, but I'm hoping to make my new iteration secure.