ROON ARC ransomware

I’ve been wondering about the network safety with Roon Arc until this happened:
Ransomware made all the WAV files on my SSDs on the Oladra invisible! All the WAV albums and tracks had been affected. They all had a suffix and there was a text file attached to each album asking for a bitcoin payment to get rid of the bug.
So I tried to remove the suffix on some tracks, which made them “visible” again, but it would have taken months or even years to solve the problem this way. Fortunately I had a complete backup, so I decided to erase the whole SSDs and reload the music files from the external HD.
No other computer or handheld device in my home network was affected, nor were the FLAC files, which brought me to the conclusion that the malware must have been uploaded through the forwarded port… Has anyone else in the community had a similar experience?
Keep safe and enjoy your music

Remarks: to avoid any further complications I deactivated the port forwarding and rejected ARC from my other devices

1 Like
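An added example, not from this thread or from Roon, of a defender-side check for the two artifacts the post describes: audio files carrying an unknown extra suffix, and a text note asking for payment dropped into each album folder. The `.locked` suffix, the note wording and the folder names are constructed placeholders, not the real malware's.

```python
# Scan a music library for (a) audio files whose real extension is buried under an
# extra, unknown suffix and (b) small text files that read like a payment note.
# Reporting per album shows how far the damage spread before any cleanup starts.
import os
import tempfile
from pathlib import Path

AUDIO_EXTS = {".wav", ".flac", ".dsf", ".dff", ".mp3", ".aiff"}
NOTE_HINTS = ("bitcoin", "decrypt", "ransom")   # constructed keyword list

def classify(path: Path):
    """Return 'renamed', 'note' or None for one file."""
    suffixes = [s.lower() for s in path.suffixes]
    # e.g. "01 Track.wav.locked" -> [".wav", ".locked"]: audio ext followed by junk
    if len(suffixes) >= 2 and suffixes[-2] in AUDIO_EXTS and suffixes[-1] not in AUDIO_EXTS:
        return "renamed"
    if suffixes and suffixes[-1] in (".txt", ".html") and path.stat().st_size < 65536:
        text = path.read_text(errors="ignore").lower()
        if any(h in text for h in NOTE_HINTS):
            return "note"
    return None

def scan_library(root):
    """Walk root; return {album_dir: {'renamed': count, 'notes': [file names]}}
    for every directory showing at least one artifact."""
    report = {}
    for dirpath, _, files in os.walk(root):
        entry = {"renamed": 0, "notes": []}
        for name in files:
            kind = classify(Path(dirpath) / name)
            if kind == "renamed":
                entry["renamed"] += 1
            elif kind == "note":
                entry["notes"].append(name)
        if entry["renamed"] or entry["notes"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report

def demo_library():
    """Build a constructed library in a temp dir: one hit album, one clean album."""
    root = Path(tempfile.mkdtemp())
    hit = root / "Album A"; hit.mkdir()
    (hit / "01 Track.wav.locked").write_bytes(b"RIFF")   # constructed suffix
    (hit / "02 Track.wav.locked").write_bytes(b"RIFF")
    (hit / "README.txt").write_text("Pay 0.1 bitcoin to decrypt your files")
    clean = root / "Album B"; clean.mkdir()
    (clean / "01 Track.flac").write_bytes(b"fLaC")
    (clean / "cover.txt").write_text("Liner notes")   # ordinary text file, no hit
    return root

if __name__ == "__main__":
    for album, info in scan_library(demo_library()).items():
        print(album, info)
```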

Where did the WAV files come from?
Ripped, or downloaded.

Hello Mark, hope you’ve had a good start to the new year. The files have been a mix of ripped and downloaded files through the last years. The issue came up a couple of days after I - finally - managed to activate ARC. I used to listen through ARC on the MMI of my Audi…

There wasn’t any new WAV download during the last few weeks…

Understood, where are they being downloaded from?
Are these purchased WAV downloads from known vendors such as HDTracks?

I only make my purchases on the official website of Qobuz, no third party websites. Furthermore I used to download them in WAV, but for more than half a year now I have gone for FLAC. The others have been ripped with the P1 during the last years, starting with the CX, followed by the K50 and now the OLADRA. The latest rip was about 10 months ago.
Some DSD files are there as well, all downloaded from Native DSD; like the FLACs, they also haven’t been affected.

Well that is enough for me to disable ARC. Didn’t use it anyway.
Thanks for the heads up @Trijan

Very sorry to hear that. Are you certain though that it was Roon ARC that was exploited? Have you read reports of other Roon users impacted in the same way?

This answer is from Danny Dulai:

Roon authenticates your user credentials and uses an encrypted transport. No unintended users can access your Roon.

If Roon is not running, then no one listens on the port that is forwarded, so nothing external can access anything inside your network. It’s like a phone number that never answers.

If somehow you already had rogue/malicious software on your network, it could access your network freely and it doesn’t need to open ports at all. It can tunnel traffic from the outside to the inside freely. UPnP or not, it’s game over if you have malicious software inside the network.

Those claiming that the UPnP setting makes your network insecure are clearly not familiar with how malicious software works. If some rogue software could configure your router to open ports, it can also do that by opening an outbound tunnel. In fact, it’s probably more reliable to open the tunnel than it is to mess around with the router variations and UPnP/NATPMP/PCP support. But forget about tunnels or ports, it can just do the nefarious actions itself. At that point, it’s all up to local OS security.

post 22 in this thread:

roon security thread from 2022

3 Likes

Yep, this, thanks for posting

That’s terrible. Never would have thought that ransomware would attach itself to a music server.

Not sure if this directly applies, but my modem security (it’s Rogers for me) blocks attacks on my dx3 constantly. They say they successfully stopped X number of attacks; they suggest pausing or turning off the dx3 on the network.
I’m no tech guy, but it’s like they are looking for a vulnerability and keep going to the dx3. Well, so far no issues, but it’s a relentless world of scamming going on…
This has nothing to do with ARC, I don’t use it. These are attacks through Ethernet. Besides the Rogers built-in modem and carrier security I have Norton 360, so firewalled up, as well as Mac security.

Regarding backups: if I buy a second SSD for my Oladra, can I just make a manual copy of my disk to have a backup? Or will the Oladra try to use it for storage? Or only when the first disk is full?

Hey Tommy,
The SSDs are automatically integrated into the system; for the backup you can use a USB drive or another storage in your system like a NAS.

1 Like

Thank you so much for the technical explanation. This means that my assumption about ARC as the reason for the malware was wrong. In this case I need to make sure that guests (family members) do not have direct access to our network… do you have any idea whether a router can have a configuration with an extra firewall for guests?

Thank you as well, Mark. Is there anything to be done with the OLADRA to avoid further complications, like an extra firewall? I’m asking because the OLADRA was the only device in our network that had been affected.

Hi Kenny, I did post the same topic on the Roon Labs community. There hasn’t been a similar case yet. Meanwhile I’ve come to the conclusion that the malware must have found its way in through one of our guests during the holidays… so ARC doesn’t seem to have been the problem.

I am in no way implying I have any clue about internet security; I don’t 🙂

And I haven’t read that entire thread yet either, but did catch one post from a fellow who seems to know quite a bit about security as a software engineer, and he explained Roon was doing everything as well as possible from a security standpoint. Others clearly point out there are issues with open ports - I don’t know who is a better hacker, so I don’t know the answer.

So in your case I am guessing the virus/malware came from somewhere else and it just happened to attach to the easiest prey, the audio files in your drive, so to speak? You don’t recall opening a questionable email attachment? And perhaps this malware is somewhere else as well, and you don’t know this yet? edit: just read the above, yes perhaps your guest downloaded an infected file or opened one on your network.

I would do a Malwarebytes scan - use the free version; I have found things in years past with this that other antivirus scans missed, but currently I don’t use any antivirus, as I read (from alleged experts) they are a waste of money as long as someone is on recent computers - as long as the Mac is updated and someone is on Windows 10 at least - and, knock on wood, I have had no issues in many years. Of course all the anti-virus companies scare people and want their money.

Recently upgraded my gateway through my provider to Wi-Fi 6; here is what they say regarding security:

Wi-Fi 6 uses WPA3, the latest security standard for Wi-Fi, which offers more robust authentication and stronger encryption. WPA3 is mandatory for Wi-Fi 6 devices operating in the 6 GHz band, but optional for devices in the 2.4 GHz and 5 GHz bands.

So if you are on WPA2 etc. consider upgrading that.

Every time we go online we assume some risk, same as getting on a plane, or driving a car on the highway. I suppose if we desire no risk in life we could non-conform, go offline, and live in the bush like one of those sovereign citizen freaks, but karma most likely will prevail and we would get hit by lightning or eaten by a bear. Think I’ll just keep Roon going and be thankful I just have first world problems.

1 Like

Yes, many routers have the capability to enable a guest network. This ensures that guests remain walled off from the home network.

It’s not impossible that ARC got exploited but it’s unlikely especially if others hadn’t reported this.

Most certainly a guest can introduce malware into your network.