Tor Node infected with ransomware
Hello there,

today I woke up to an execution error of the relayor playbook. I then tried to look into the affected node (tor-nl1.skankhunt42.pw; nickname skankhunt42nl1) and couldn't SSH into it. So I went to the hoster's VNC console and found a ransomware notice:

Your files are encrypted, requires payment for decrypting
Contact us: Telegram: @cloudcone_raidbot
UUID: bfaa20d9-7b11-417d-a702-cfa95d6c203c

I then tried to boot into recovery and look at the disk but, as expected, the partition table and ext4 superblocks were gone. A hexdump of the head of the disk was just the ransomware note shown above.

I was running Ubuntu 24.04 Minimal with ESM enabled and unattended-upgrades, everything else managed by relayor.

I obviously checked the other nodes for unusual SSH logins (as they had the same SSH key) and didn't find anything. I am rotating the keys for now and have shut down the VPS at HostSlick.

Not sure if there is something to further investigate, maybe. What's odd is that I couldn't find anything about "cloudcone_raidbot"; it doesn't even exist on Telegram.

I really want to understand what I did wrong. Maybe someone with more experience may take a look at it?

Best,
skankhunt42
On 31.01.2026 at 10:29:12, skankhunt42 via tor-relays wrote:
I really want to understand what I did wrong. Maybe someone with more experience may take a look at it?
As the attacker managed to break in, it could have manipulated the OS, removed the security hole and manipulated logs. Although that doesn't happen in all cases.

Which network services did the machine run, and do they have logs (especially centralized ones are interesting, if the attacker can't manipulate them)?

Do you have full backups of the machine?

--
Regards,
Marco

Send unsolicited bulk mail to 1769851752muell@cartoonies.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

I was wondering when the Tor mailing list would catch wind of this.

skankhunt42 wrote:
I really want to understand what I did wrong. Maybe someone with more experience may take a look at it?
You did nothing wrong. Several cheap providers have been attacked by a script kiddie recently. They merely encrypted the first 512 MiB of the block device. Note that they do not restore your data even if you pay.

Please see:
https://lowendtalk.com/discussion/214073/what-happened-to-cloudcone-was-it-h...
https://lowendtalk.com/discussion/214080/ransomware-via-virtualizor-exploit/...

Regards,
forest
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQtr8ZXhq/o01Qf/pow+TRLM+X4xgUCaYBbsQAKCRAw+TRLM+X4
xrmiAQCHZKCpqZWQkyLYcDKsDeMBwub4xuDElqaWnc2xm5V6dgEA/Pf73cveCFMK
KwnexFLghfNqTPTNz8rdGNU2W+6v1gg=
=Op9n
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Oh, and the attack was against the hypervisor node, not your VPS itself. All VPSes on that node were affected, and there is effectively nothing you could have done to prevent this, so don't worry about having done anything wrong.

Regards,
forest
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQtr8ZXhq/o01Qf/pow+TRLM+X4xgUCaYBckgAKCRAw+TRLM+X4
xsD3AQDElXTNoYFVOOF4KIL/EL+1UfI5vUXhqVFSXHSMNscUrwEA21JBrU3JkVWO
CqIXBAOi8G1U6GZi1NXGKprvqOUspgA=
=ayql
-----END PGP SIGNATURE-----
For information, this was made possible because of the crappy control panel known as "Virtualizor" that many little hosting companies use.

Whenever you start a virtual machine, you may notice that it takes quite a while before it shows as started up. This is because Virtualizor effectively attempts to read the disks and check for partitions; if partitions are found, it will mount them, then search for certain files and overwrite them, such as network configuration files. This cannot be disabled even by the administrator of the hypervisor!

So after compromising Virtualizor, the attacker simply altered the disk analysis scripts.

It is however possible to prevent Virtualizor from running the disk analysis scripts by preventing it from mounting your partitions; one way to do this is by encrypting everything. But in general, you should always avoid renting a VM from a service that relies on "Virtualizor".
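Added example (not code from this thread or from any of the posters): a small offline triage script for the situation described above. It covers three points from the thread at once: the original poster's observation that the partition table and ext4 superblocks were gone and the head of the disk was just the note, forest's remark that only the first 512 MiB of the block device were overwritten (so ext4 superblock copies further into the partition may survive and could be handed to e2fsck -b), and Mzungu's mitigation that a LUKS header at the start of the partition leaves nothing for a hypervisor-side script to mount. The MBR/GPT/ext4/LUKS2 offsets are the real on-disk layouts; the images are constructed in memory with a 1 KiB ext4 block size, six block groups, and a 16 MiB wipe standing in for the 512 MiB in the thread. The ransom-note text is the one quoted in the first post.

```python
"""Offline triage of a raw VPS disk image after a block-level wipe.

Added example, not from the tor-relays thread. Reports which structures
survive: MBR/GPT signatures, ext4 superblock copies, a LUKS header, and a
printable ransom note at the start of the device. Image size, block size
and wipe length are constructed for the example.
"""
import re
import struct
from typing import Optional

MiB = 1024 * 1024
SECTOR = 512
EXT4_MAGIC = 0xEF53           # s_magic, at byte 0x38 of every superblock copy
GPT_SIGNATURE = b"EFI PART"   # GPT header lives at LBA 1
LUKS_MAGICS = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")  # LUKS1/2 primary, LUKS2 secondary

# Constructed layout for the example images (assumptions, not from the thread).
PART_OFFSET = 1 * MiB         # first partition at the usual 1 MiB alignment
BLOCK_SIZE = 1024             # smallest ext4 block size keeps the image small
N_GROUPS = 6                  # block groups of 8 * BLOCK_SIZE blocks = 8 MiB each
WIPE_LEN = 16 * MiB           # stand-in for "first 512 MiB of the block device"


def has_mbr(img: bytes) -> bool:
    return img[510:512] == b"\x55\xaa"


def has_gpt(img: bytes) -> bool:
    return img[SECTOR:SECTOR + 8] == GPT_SIGNATURE


def is_luks(img: bytes, part_offset: int) -> bool:
    # LUKS header at the partition start: nothing for a host-side script to mount.
    return img[part_offset:part_offset + 6] in LUKS_MAGICS


def sparse_super_groups(n_groups: int) -> list:
    # With sparse_super, copies live in groups 0, 1 and powers of 3, 5 and 7.
    groups = {0, 1}
    for base in (3, 5, 7):
        p = base
        while p < n_groups:
            groups.add(p)
            p *= base
    return sorted(g for g in groups if g < n_groups)


def superblock_offset(part_offset: int, group: int, block_size: int = BLOCK_SIZE) -> int:
    # Group 0: the primary superblock is always at byte 1024 of the filesystem.
    # Other groups: the copy sits at the group's first block; with 1 KiB blocks
    # block 0 is the boot record, so group g starts at block 1 + g * bpg.
    if group == 0:
        return part_offset + 1024
    first_block = (1 if block_size == 1024 else 0) + group * 8 * block_size
    return part_offset + first_block * block_size


def ext4_superblock_ok(img: bytes, sb_offset: int) -> bool:
    off = sb_offset + 0x38
    return len(img) >= off + 2 and struct.unpack_from("<H", img, off)[0] == EXT4_MAGIC


def _printable(b: int) -> bool:
    return 32 <= b < 127 or b in (9, 10, 13)


def find_ransom_note(img: bytes, limit: int) -> Optional[str]:
    """Printable text around the first 'encrypt'-style keyword in img[:limit]."""
    head = img[:limit]
    hit = re.search(rb"(?i)encrypt|ransom|decrypt", head)
    if hit is None:
        return None
    start, end = hit.start(), hit.end()
    while start > 0 and _printable(head[start - 1]):
        start -= 1
    while end < len(head) and _printable(head[end]):
        end += 1
    return head[start:end].decode("ascii", "replace").strip()


def triage(img: bytes, part_offset: int = PART_OFFSET, block_size: int = BLOCK_SIZE,
           wipe_len: int = WIPE_LEN) -> dict:
    n_groups = (len(img) - part_offset) // (8 * block_size * block_size)
    surviving = [g for g in sparse_super_groups(n_groups)
                 if ext4_superblock_ok(img, superblock_offset(part_offset, g, block_size))]
    return {
        "mbr": has_mbr(img),
        "gpt": has_gpt(img),
        "luks": is_luks(img, part_offset),
        "ext4_superblocks": surviving,   # intact copies; a candidate for e2fsck -b
        "note": find_ransom_note(img, wipe_len),
    }


def build_intact_image(encrypted: bool = False) -> bytes:
    """Constructed image: protective MBR + GPT header, then one partition."""
    img = bytearray(PART_OFFSET + N_GROUPS * 8 * BLOCK_SIZE * BLOCK_SIZE)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = GPT_SIGNATURE
    if encrypted:
        img[PART_OFFSET:PART_OFFSET + 6] = LUKS_MAGICS[0]
    else:
        for g in sparse_super_groups(N_GROUPS):
            struct.pack_into("<H", img, superblock_offset(PART_OFFSET, g) + 0x38, EXT4_MAGIC)
    return bytes(img)


def build_wiped_image(intact: bytes, wipe_len: int = WIPE_LEN) -> bytes:
    """Constructed wipe: filler bytes stand in for ciphertext, note at offset 0."""
    note = (b"Your files are encrypted, requires payment for decrypting\n"
            b"Contact us: Telegram: @cloudcone_raidbot\n")
    img = bytearray(intact)
    img[:wipe_len] = b"\xa5" * wipe_len
    img[:len(note)] = note
    return bytes(img)


if __name__ == "__main__":
    for label, image in (("intact ext4", build_intact_image()),
                         ("intact LUKS", build_intact_image(encrypted=True)),
                         ("wiped ext4", build_wiped_image(build_intact_image()))):
        print(label, triage(image))
```

On a real device you would read the first few hundred MiB of the disk from a rescue boot and pass it to triage() with the partition offset from your old fdisk output; with 4 KiB blocks the copies sit at multiples of 128 MiB, so group 5 (640 MiB) is the first one outside a 512 MiB wipe. An intact copy only helps if the wipe really stopped at 512 MiB; the script reports what it finds and does not attempt any repair.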
participants (4)
- forest-relay-contact@cryptolab.net
- Marco Moock
- Mzungu
- skankhunt42