Post

My Raspberry Pi Music Server Has Been Infected By A Ransomware Want Tocry

Posted
By Usman Masood Ashraf
views 8 min read

My Raspberry Pi Music Server Has Been Infected By A Ransomware Want Tocry: A DevOps Post-Mortem

Introduction

When your Raspberry Pi music server displays a “Want Tocry” ransomware message, it’s not just a personal disaster - it’s a wake-up call for every DevOps engineer and homelab enthusiast. This incident highlights critical security gaps in self-hosted infrastructure that many professionals overlook in small-scale deployments.

The rise of IoT devices and single-board computers in homelabs has created a perfect storm for threat actors. Our always-on music servers, NAS devices, and automation hubs represent low-hanging fruit when not properly secured. What makes this ransomware attack particularly instructive is that it targeted a Navidrome music server - a popular open-source media solution frequently deployed on Raspberry Pi devices by technically competent users.

In this comprehensive guide, we’ll dissect:

  • How ransomware breaches occur in supposedly secure environments
  • Critical vulnerabilities in common Raspberry Pi server setups
  • Enterprise-grade security practices adapted for homelabs
  • Recovery strategies when prevention fails
  • Hardening techniques for Dockerized applications

Whether you’re managing Kubernetes clusters professionally or self-hosting services as a hobby, these lessons apply directly to your infrastructure security posture. Let’s turn this breach into a masterclass in defensive DevOps.

Understanding Ransomware in Homelab Environments

Anatomy of a Raspberry Pi Ransomware Attack

The “Want Tocry” variant (a clear reference to the infamous WannaCry ransomware) demonstrates how attackers have adapted their tactics for IoT and ARM-based devices. Unlike traditional Windows-targeting malware, these Linux-focused threats exploit:

  1. Exposed Services: Music servers typically require port forwarding for remote access
  2. Container Vulnerabilities: Misconfigured Docker deployments with privileged access
  3. Weak Credentials: Default or reused passwords across services
  4. Unpatched Systems: Delayed security updates on “set-and-forget” devices

Why Navidrome Servers Are Vulnerable

Navidrome’s architecture as a Go-based music server introduces specific attack vectors:

Vulnerability PointRisk FactorCommon Exploitation Method
Web UI AuthenticationMediumBrute force attacks on /auth endpoints
Metadata ScrapersHighMalicious tags triggering RCE vulnerabilities
File System AccessCriticalDirectory traversal via malformed API requests
Subsonic APIHighLegacy protocol vulnerabilities

The DevOps Reality Check

Most alarming in the original Reddit report was the user’s stated security consciousness (password manager usage, browser hygiene). This mirrors enterprise environments where teams focus on credential security while neglecting:

  • Network segmentation
  • Principle of least privilege
  • Intrusion detection systems
  • Regular vulnerability scanning

Prerequisites for Secure Self-Hosting

Before rebuilding your music server, establish these security fundamentals:

Hardware Requirements with Security Enhancements

Minimum Raspberry Pi 5 Configuration:

  • 4GB RAM model (8GB recommended)
  • Official power supply with UPS backup
  • Read-only microSD card (for OS) + USB SSD (for data)
  • Dedicated VLAN with firewall rules

Software Stack Hardening

  • OS: Raspberry Pi OS Lite (64-bit) with automatic security updates:
    1
2

    sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
  • Network: Strict ufw firewall configuration:
    1
2
3

    sudo ufw default deny incoming
sudo ufw allow from 192.168.1.0/24 to any port 22 # SSH from local network
sudo ufw enable
  • Containers: Rootless Docker installation:
    1

    curl -fsSL https://get.docker.com/rootless | sh

Security Pre-Checklist

Before installing any services:

  1. Change default pi user password
  2. Install SSH keys and disable password authentication
  3. Configure fail2ban for SSH and web services
  4. Set up encrypted backups to external storage
  5. Create separate user accounts for each service

Installation & Secure Configuration

Step 1: Hardened Docker Deployment

Avoid catastrophic ransomware encryption by implementing rootless containers with restricted privileges:

1
2
3
4
5
6
7
8
9
10
11
12

# Install rootless Docker
dockerd-rootless-setuptool.sh install

# Create dedicated music server user
sudo useradd -m -s /bin/bash navidrome
sudo passwd -l navidrome # Disable password login

# Switch context
su - navidrome

# Create restricted Docker volume
docker volume create --opt type=tmpfs --opt device=tmpfs --opt o=size=100m,noexec,nosuid music-metadata

Step 2: Navidrome Configuration with Security Constraints

navidrome.env configuration:

1
2
3
4
5
6
7
8
9
10
11
12

# Authentication security
ND_ENABLETRANSCODINGCONFIG=false
ND_SESSIONTIMEOUT=1h
ND_ENABLEUPDATES=false # Critical - prevents compromised update channels

# Network restrictions
ND_BINDADDRESS=127.0.0.1 # Only accessible via reverse proxy
ND_HTTPPORT=4533

# File system protections
ND_MUSICFOLDER=/var/lib/navidrome/music:ro
ND_DATAFOLDER=/var/lib/navidrome/data:noexec

Step 3: Docker Compose with Security Profiles

docker-compose.yaml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

version: '3.8'

services:
  navidrome:
    image: deluan/navidrome:latest
    user: "1000:1000" # Non-root user
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-navidrome
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:exec,size=64M
    volumes:
      - music-data:/data:ro
      - music-metadata:/metadata:ro
    env_file:
      - navidrome.env

volumes:
  music-data:
    driver_opts:
      type: none
      device: /mnt/encrypted-music
      o: bind,ro
  music-metadata:
    external: true

Step 4: Reverse Proxy with Web Application Firewall

Configure Nginx with ModSecurity rules:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

server {
    listen 443 ssl;
    server_name music.yourdomain.com;

    # TLS hardening
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    location / {
        # WAF rules
        ModSecurityEnabled on;
        ModSecurityConfig modsec_includes.conf;

        proxy_pass http://localhost:4533;
        proxy_set_header Host $host;
        
        # Session timeout
        proxy_read_timeout 1h;
    }
}

Verification Steps

Confirm security restrictions are active:

1
2
3
4
5
6
7
8

# Check container privileges
docker inspect $CONTAINER_ID --format '  '

# Verify filesystem mounts
docker exec $CONTAINER_ID touch /data/test.txt # Should fail on read-only FS

# Test network exposure
nmap -p 4533 192.168.1.100 # Port should be closed externally

Configuration & Optimization for Security

Mandatory Security Settings

  1. JWT Secret Rotation:
    1
2

    # Generate new secret monthly
openssl rand -base64 32 | docker secret create navidrome_jwt_secret -
  2. API Rate Limiting:
    1

    limit_req_zone $binary_remote_addr zone=navidrome_limit:10m rate=5r/s;
  3. Two-Factor Authentication: ```yaml

    In docker-compose.yaml

    environment:

    • ND_AUTHREQUESTHEADER=X-Forwarded-User ``` Integrate with Authelia or Authentik for SSO.

Performance vs Security Tradeoffs

SettingPerformance ImpactSecurity BenefitRecommendation
Read-Only FSMedium (no caching)Critical (blocks ransomware)Always enable
Memory LimitsLowPrevents resource exhaustionSet to 512MB
CPU PinningNoneContains crypto-mining malwareUse on multi-core Pis
Network NamespacesMediumIsolates breach impactEssential for exposed services

Monitoring & Intrusion Detection

Implement these essential security tools:

  1. Auditd Rules for Music Directory:
    1

    sudo auditctl -w /mnt/encrypted-music -p war -k music_files
  2. Falco Runtime Protection: ```yaml

    falco_rules.local.yaml

    • rule: Unauthorized Music File Modification desc: Detect mass file changes in music directory condition: > container.image contains “navidrome” and (fd.name startswith “/music” and (open_write or modify)) output: “Mass file modification in music dir (user=%user.name command=%proc.cmdline)” priority: CRITICAL ```
  3. Canary Files:
    1
2
3

    # Create decoy files that trigger alerts when accessed
echo "RANSOMWARE_CANARY" > /mnt/encrypted-music/.canary.txt
chattr +i /mnt/encrypted-music/.canary.txt

Operational Security Procedures

Daily Maintenance Checklist

  1. Container Hygiene:
    1
2
3
4
5
6

    # Scan for vulnerabilities
docker scan $CONTAINER_IMAGE
    
# Update containers with rollback plan
docker compose pull && docker compose up -d --force-recreate
docker rollback $CONTAINER_ID  # Pre-configured alias
  2. Log Auditing:
    1
2

    # Monitor for brute force attempts
journalctl -u docker.service | grep -E '(401|403)'

Backup Strategy That Defeats Ransomware

Implement the 3-2-1 rule with ransomware protection:

  1. Local Snapshots:
    1
2

    # Btrfs hourly snapshots
sudo btrfs subvolume snapshot /mnt/encrypted-music /mnt/snapshots/music-$(date +%s)
  2. Immutable Cloud Backups:
    1
2
3

    # Use rclone with object lock
rclone copy --s3-storage-class GLACIER_IR --s3-object-lock GOVERNANCE \
  /mnt/encrypted-music s3://your-bucket
  3. Air-Gapped Copies: Monthly SD card rotation with offline storage

Incident Response Playbook

When detecting suspicious activity:

  1. Containment:
    1
2

    docker network disconnect $NETWORK_ID $CONTAINER_ID
iptables -A INPUT -s $ATTACKER_IP -j DROP
  2. Forensics:
    1
2

    docker export $CONTAINER_ID > compromised_container.tar
volatility -f compromised_container.tar linux_pslist
  3. Recovery:
    1
2
3

    # Restore from immutable backup
btrfs subvolume delete /mnt/encrypted-music
btrfs subvolume snapshot /mnt/snapshots/music-1678932100 /mnt/encrypted-music

Troubleshooting Secure Configurations

Common Issues and Solutions

Problem: Navidroke fails to start with read-only filesystem
Fix: Identify required write locations with:

1

docker run --rm -it --security-opt "seccomp=unconfined" strace navidrome

Problem: Performance degradation with security layers
Optimize: Use eBPF filters instead of auditd:

1

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat /comm == "navidrome"/ { printf("%s %s\n", comm, str(args->filename)); }'

Problem: False positives in WAF
Tuning: Create custom ModSecurity rules:

1

SecRuleUpdateTargetById 942410 "!REQUEST_HEADERS:User-Agent"

Security Validation Tools

  1. Docker Bench Security:
    1
2
3

    docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security
  2. Lynis Auditing:
    1

    sudo lynis audit system --pentest
  3. CIS-CAT Pro: Commercial tool for Raspberry Pi OS hardening

Conclusion

The “Want Tocry” ransomware incident teaches us that security in homelabs requires the same rigor as enterprise environments. By implementing:

  • Rootless Docker containers
  • Read-only filesystems with strict mount options
  • Network namespaces and reverse proxies with WAF
  • Immutable backups with object locking
  • Runtime security monitoring

We transform our Raspberry Pi music servers from vulnerable targets into hardened infrastructure. Remember that security isn’t a one-time configuration but an ongoing process of:

  1. Prevention: Strict access controls and vulnerability management
  2. Detection: Runtime monitoring and canary files
  3. Response: Documented playbooks and immutable backups

For further learning, consult these essential resources:

Your homelab isn’t just a playground - it’s the proving ground for enterprise-grade security practices. Treat every device as critical infrastructure, because to ransomware gangs, that’s exactly what they are.

Open Source, Reddit Guides, Kubernetes
homelab sysadmin how-to tools kubernetes k8s docker containers
This post is licensed under CC BY 4.0 by the author.