Urgent: Data Ransom Situation - Need Immediate Help

nector · March 26, 2025, 5:01am

Hey everyone,
I have installed the Frappe and ERP Next into my Linux system and attached it with my Database, all the data is reflecting inside my CRM but suddenly at morning everything wiped out,
when i checked and added the below command into my Linux Terminal
SELECT * FROM RECOVER_YOUR_DATA LIMIT 10;

i have received the below Ransom Message.

| All your data is backed up. You must pay 0.0097 BTC to bc1qfnu6j2n54k58uduufzuthhy7qn3sx7zalyuytz In 48 hours, your data will be publicly disclosed and deleted. (more information: go to paste.sh · encrypted pastebin) |
| After payment send mail to us: rambler+25i73@onionmail.org and we will provide a link for you to download your data. Your DBCODE is: 25I73

I’m seeking advice on how to proceed without making any rash decisions in this panic situation. Any help or guidance would be greatly appreciated!

avc · March 26, 2025, 6:10am

Hi @nector

Check your backups first. Should keep backups on
sites/yoursite/private/backups

(Any offsite backups?)

Only mariadb database has gone?

Probably you have mariadb port (3306 by default) exposed to internet? This is dangerous.

Hope this helps.

Adeel_Siddiqui · March 26, 2025, 7:53am

This blog post might help you

shashank_shirke · March 26, 2025, 6:14pm

Is this your local system or have you deployed it with some cloud provider like AWS, Azure, etc.?

max_morais_dmm · March 26, 2025, 9:20pm

I don’t know how you did your deployment, but sounds you had your deployment using bench start for an application in production!

Years ago, I got contacted by someone with a similar situation as you!

Tracing down the root cause, his deployment was using bench start instead of the ERPNext production mode deployment!

When we run ERPNext or Frappe Apps with bench start and expose it to the internet, there’s an really well known security issue inside werkzeug documented here Hacking the Debugging Pin of a Flask Application | by Akash Poudel | Medium

Regarding the payment in BTC, my recommendation is don’t do!

Create a fresh installation using your existing backups, and destroy that one, because is really hard to predict how compromised this instance is right now!

Also ensure your new instance is deployed in production mode!

If possible, use docker deployments as they are more reliable and don’t expose your root server!

Also Frappe and ERPNext have security hardened!

Finally, going to Frappe Cloud, will guarantee you never will have to deal with those issues for a fair price!

nector · March 27, 2025, 4:33am

i had deployed using hostinger vps server

yogeshvachhani · March 28, 2025, 7:34am

Technically Frappe automatically takes backup of the database every few hours.

Check your backup on your server and restore using one of the backups.