Greencloud Ransomware
I have a Greencloud vm in San Jose that went offline on 21st October 2024.
I opened a ticket; they replied that it was an OS issue and asked me to back up using rescue mode.
GC notified customers about a RAID failure. After several updates from GC about the RAID, mdadm was unable to scan and assemble the drive. They took the vm offline.
I was able to connect using rescue mode and found out it has been encrypted by junglesec before they deleted the vm.
Some customers have the same issue, based on a thread on LET. GC denied any breach.
After 3 days, my service is still offline.
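The original poster used rescue mode to tell an encrypted disk apart from a failed RAID. As an added example (not code from the thread or from Greencloud), the script below shows one way to make that call quickly from a rescue environment: it samples an image in fixed-size chunks, computes Shannon entropy per chunk, and checks for an ext2/3/4 superblock magic. A disk that mdadm merely failed to assemble still shows plaintext filesystem structures and mixed entropy; a disk that was encrypted in place shows near-8-bit entropy almost everywhere and no recognisable superblock. The thresholds and the `triage_image` helper are assumptions chosen for illustration, and the sample inputs are constructed inline.

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 4096        # sample granularity (assumed; one page)
HIGH_ENTROPY = 7.5       # bits/byte above which a chunk looks encrypted/compressed (assumed)
LOW_ENTROPY = 1.0        # bits/byte below which a chunk looks zeroed/unallocated (assumed)

# ext2/3/4 superblock lives at byte offset 1024; magic 0xEF53 sits at offset 0x38 inside it
EXT_SB_OFFSET = 1024
EXT_MAGIC_OFFSET = 0x38
EXT_MAGIC = b"\x53\xef"  # 0xEF53 little-endian


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_ext_superblock(image: bytes) -> bool:
    """True if the image carries an ext2/3/4 superblock magic at the standard location."""
    start = EXT_SB_OFFSET + EXT_MAGIC_OFFSET
    return image[start:start + 2] == EXT_MAGIC


def triage_image(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Classify a disk image (or a read-only slice of a block device) by chunk entropy.

    Returns the fraction of high- and low-entropy chunks, whether a filesystem
    superblock is visible, and a verdict string for the responder.
    """
    chunks = [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]
    chunks = [c for c in chunks if c]
    if not chunks:
        return {"high": 0.0, "low": 0.0, "ext_superblock": False, "verdict": "empty image"}

    entropies = [shannon_entropy(c) for c in chunks]
    high = sum(e > HIGH_ENTROPY for e in entropies) / len(entropies)
    low = sum(e < LOW_ENTROPY for e in entropies) / len(entropies)
    superblock = has_ext_superblock(image)

    if high >= 0.9 and not superblock:
        verdict = "likely encrypted (or fully compressed) in place"
    elif low >= 0.9:
        verdict = "zeroed or unallocated"
    else:
        verdict = "plaintext data present; treat as RAID/filesystem damage, not encryption"

    return {"high": high, "low": low, "ext_superblock": superblock, "verdict": verdict}


def triage_path(path: str, max_bytes: int = 64 * 1024 * 1024) -> dict:
    """Convenience wrapper: read up to max_bytes from a file or block device, read-only."""
    with open(path, "rb") as f:
        return triage_image(f.read(max_bytes))


# Constructed sample inputs, not taken from any real incident:
ENCRYPTED_LIKE = os.urandom(64 * 1024)                           # what in-place encryption leaves behind
ZEROED = b"\x00" * (64 * 1024)                                    # unallocated space
PLAINTEXT_FS = bytearray(b"The quick brown fox jumps over the lazy dog\n" * 1500)[:64 * 1024]
PLAINTEXT_FS[EXT_SB_OFFSET + EXT_MAGIC_OFFSET:EXT_SB_OFFSET + EXT_MAGIC_OFFSET + 2] = EXT_MAGIC
PLAINTEXT_FS = bytes(PLAINTEXT_FS)

if __name__ == "__main__":
    for name, img in (("encrypted-like", ENCRYPTED_LIKE), ("zeroed", ZEROED), ("plaintext-fs", PLAINTEXT_FS)):
        print(name, triage_image(img))
```

From a rescue shell you would point `triage_path` at the device or at a `dd` image rather than the constructed buffers; reading only the first tens of megabytes is enough to distinguish the two failure modes, and it avoids writing to a disk you may still need for forensics.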
Comments
This happens a lot if the virtualization technology is ESxi.
What virtualization are they using?
ExtraVM
SolusVM
Solus, but in the email they also offered to place you on a Virtfusion node if you wanted. Honestly it wouldn't affect us end-users that much, but having been on both sides of the software I'd prefer Virtfusion.
I mean KVM or container virtualization.
ExtraVM
KVM
Thanks for sharing this.
Now I know why green-cloud claimed RAID failure. I think most RAID failures are recoverable, aren't they?
MicroLXC is lovable. Uptime of C1V
There was an article about this group somewhere. I believe they mount every VM disk on the node and encrypt it, so it impacts files within VMs as well.
I am a representative of Advin Servers
https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/
Thanks. Crazy.
ExtraVM
In a high-end scenario, yes. Low-end providers have no competency to reliably fix RAID issues, nor do they have time for that. Easier is just delete -> recreate -> send "oopsie".
junglesec!
I lost data too.
Which node are you on?
Could someone post an update how this was resolved/handled?
No official statement released.
My VPS on EPYCSJC3 hasn't seen any recent downtime. No (obvious) evidence of any ransomware or corruption. Perhaps they only accessed one host node?
SJC2