When Your Music Server Becomes a Cautionary Tale

There’s a particular kind of frustration that comes with finding your carefully curated music collection locked behind ransomware encryption. It’s not the sort of thing you expect to happen to a Raspberry Pi running a music server in your home network. Yet here we are, and someone in the self-hosting community just lived through exactly that scenario with want_to_cry, a relatively unknown ransomware variant that targets vulnerable SAMBA configurations.

What struck me reading through the thread wasn’t just the incident itself, but the follow-up discussion—and more importantly, how the person who got hit took ownership of their mistakes and shared them publicly. That takes guts, especially when admitting you didn’t fully understand what DMZ mode actually does on your home router.

The Perfect Storm of Good Intentions

Let me break down what happened, because it’s a masterclass in how security vulnerabilities aren’t usually about one catastrophic failure—they’re about multiple small oversights compounding. This person enabled DMZ mode on their router without fully grasping what it meant. For those unfamiliar (and I’ll admit I had to think through this myself), DMZ basically opens all ports on a device directly to the internet, essentially removing your router’s protective firewall for that device. It’s like leaving all your doors unlocked because you wanted one guest to have easy access.

Then, on top of that DMZ exposure, they’d accidentally enabled SAMBA folder sharing through CasaOS—the web UI made it so simple they didn’t realise what they were actually doing. Weak passwords completed the picture. Within a week of enabling DMZ, the automated scanning bots that constantly probe the internet had found their Raspberry Pi, discovered the open SAMBA port, and deployed ransomware.

Here’s what gets me: this wasn’t an elite hacker or a sophisticated targeted attack. This was a automated bot doing what bots do—scanning IPv4 address space methodically, looking for easy targets. It’s like leaving your car running with the doors open in a parking lot and hoping no one notices.

The Community Response Matters

What I found genuinely encouraging was how the community responded. Rather than gatekeeping or dismissing the person for not being “security-savvy enough,” people jumped in with practical advice. Someone pointed out that security guides for beginners were getting pushed down in the community as “gatekeeping,” which is frankly infuriating. If we’re discouraging people from learning security fundamentals, we’re just ensuring more people end up like this—learning the hard way when their files get encrypted.

The suggestions kept coming: SSH keys instead of password authentication, fail2ban for SSH brute-force protection, Tailscale for secure remote access without exposing services directly, UFW for firewall rules. Some people debated the relative merits of different approaches—cert-based SSH versus key-based, whether VPNs are overkill compared to hardened SSH, the nuances of two-factor authentication—but underneath it all was genuine helpfulness.

One person mentioned using port knocking and read-only boot systems, another suggested containerising everything in VMs to contain the blast radius if something does get compromised. These aren’t theoretical discussions; they’re practical hardening techniques that actually work.

What Really Worries Me

What bothers me isn’t so much this specific incident—frustrating as it is—but the pattern it represents. We’re living in an era where if you expose anything directly to the internet without proper hardening, you’re not asking “if” you’ll get targeted, just “when” and “by what.”

The scary part is that most of us aren’t sophisticated targets. We’re not being specifically hunted. We’re being caught in automated sweeps, often by botnets looking for anything that can be repurposed for cryptocurrency mining or further attacks. It’s indiscriminate. It’s constant. And it never sleeps.

What makes this worse is the knowledge gap. There’s a real divide between “I want to self-host my own services” and “I understand the security implications of self-hosting.” The former is increasingly accessible thanks to tools like Docker, CasaOS, and straightforward deployment options. The latter requires study, research, and frankly, learning from mistakes—either your own or others'.

The Silver Lining, If There Is One

The person who got hit had backups. Their music files are encrypted, yes, but they have the data backed up elsewhere. They learned what DMZ actually does. They now understand SAMBA security implications. And most importantly, they shared that learning publicly so others don’t have to experience the same pain.

If you’re self-hosting anything—and I know plenty of people who are, especially here in Melbourne with our tech-savvy crowd—take this as a gentle nudge to audit your setup. Check what ports you’re actually exposing. Verify that services you enabled “just to test” are actually configured securely or disabled. Look into Tailscale or a proper VPN setup if you need remote access. Use SSH keys, not passwords. Keep things updated.

The internet isn’t going to get safer. The scanning bots aren’t going to stop. But you can control what you expose and how well you protect it. That’s entirely in your hands.

• Self-Hosting
• Cybersecurity
• Homelab
• Learning-From-Mistakes