My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

sianderson
Posts: 145
Joined: 02 Aug 2020, 03:42

Post by sianderson » 05 Jan 2021, 04:24

Did you not back up your data? E.g. to USB?

Would you consider your data safe by storing it on a laptop? I bet you wouldn’t, so I'm wondering why you expect the data to be safe sat on a NAS drive?

No matter what make of NAS drive you choose, if you mapped a network drive to it on a computer, it is susceptible to a ransomware attack.

Did you open up port 8181 on your router? Do you know how someone from the internet actually managed to get access to the admin page of the NAS drive in the first place?
F2-210

4.2.08-2101111540

StanHK
Posts: 28
Joined: 25 Jul 2020, 16:22

Post by StanHK » 05 Jan 2021, 15:54

sianderson wrote (05 Jan 2021, 04:24):
> Did you not back up your data? E.g. to USB?
>
> Would you consider your data safe by storing it on a laptop? I bet you wouldn’t, so I'm wondering why you expect the data to be safe sat on a NAS drive?
>
> No matter what make of NAS drive you choose, if you mapped a network drive to it on a computer, it is susceptible to a ransomware attack.
>
> Did you open up port 8181 on your router? Do you know how someone from the internet actually managed to get access to the admin page of the NAS drive in the first place?

I think the issue is that it was very preventable? TM aware on Nov 2 and patches on Dec 1 is waaaay too long. But not updating via the updater / download website and not informing customers about a security update is simply unforgivable.

I had backups. Still, this SHOULD have been prevented and COULD have been prevented.

ermurenz
Posts: 4
Joined: 29 Dec 2020, 10:58

Post by ermurenz » 11 Jan 2021, 08:45

StanHK wrote (05 Jan 2021, 15:54):
> sianderson wrote (05 Jan 2021, 04:24):
> > Did you not back up your data? E.g. to USB?
> >
> > Would you consider your data safe by storing it on a laptop? I bet you wouldn’t, so I'm wondering why you expect the data to be safe sat on a NAS drive?
> >
> > No matter what make of NAS drive you choose, if you mapped a network drive to it on a computer, it is susceptible to a ransomware attack.
> >
> > Did you open up port 8181 on your router? Do you know how someone from the internet actually managed to get access to the admin page of the NAS drive in the first place?
>
> I think the issue is that it was very preventable? TM aware on Nov 2 and patches on Dec 1 is waaaay too long. But not updating via the updater / download website and not informing customers about a security update is simply unforgivable.
>
> I had backups. Still, this SHOULD have been prevented and COULD have been prevented.

I have to agree with StanHK 100%.

dmach47
Posts: 2
Joined: 14 Jan 2021, 07:43

Post by dmach47 » 14 Jan 2021, 08:40

I have an F4-210 and I was also hit on December 25 with the malware. Now what?

I've taken the F4-210 off the network and turned it off.

What I am most worried about is the malware infecting my other computers on the network (and which were linked to the NAS).

Are the drives that are in the F4-210 now worthless? I would like to reuse them, but I don't want to connect them to any of my other computers and risk them being infected with the malware.

I have other backups, so I won't lose any data, unless all my other computers also get infected.

I am no security or NAS expert. I just wanted a simple system to access all my music/photos/videos and have as a backup of all my data.

sianderson
Posts: 145
Joined: 02 Aug 2020, 03:42

Post by sianderson » 14 Jan 2021, 16:43

dmach47 wrote (14 Jan 2021, 08:40):
> I have an F4-210 and I was also hit on December 25 with the malware. Now what?
>
> I've taken the F4-210 off the network and turned it off.
>
> What I am most worried about is the malware infecting my other computers on the network (and which were linked to the NAS).
>
> Are the drives that are in the F4-210 now worthless? I would like to reuse them, but I don't want to connect them to any of my other computers and risk them being infected with the malware.
>
> I have other backups, so I won't lose any data, unless all my other computers also get infected.
>
> I am no security or NAS expert. I just wanted a simple system to access all my music/photos/videos and have as a backup of all my data.

Just a thought here: are you sure your NAS drive was infected and it spread to computers, or could it have been a computer becoming infected which then spread to mapped network drives on the NAS?

The drives you can just wipe and re-use. There has been no damage to the drives; it's just data on them that is now encrypted.
F2-210

4.2.08-2101111540

dmach47
Posts: 2
Joined: 14 Jan 2021, 07:43

Post by dmach47 » 14 Jan 2021, 22:23

sianderson wrote (14 Jan 2021, 16:43):
> Just a thought here: are you sure your NAS drive was infected and it spread to computers, or could it have been a computer becoming infected which then spread to mapped network drives on the NAS?
>
> The drives you can just wipe and re-use. There has been no damage to the drives; it's just data on them that is now encrypted.

Yes, I am 95% sure. None of my other computers show signs of ransomware, but I want to be overly cautious. As for the drives, I just want to be sure that there isn't a malware boot record or something on those drives. The F4-210 is now considered toast/boat anchor, but I'd like to be able to add those drives to my off-line backup set. Note, I didn't really lose any data (that I know of yet) because I also keep an off-line set of backups.

I just want to be sure the hack that compromised my NAS didn't use that security hole in the TerraMaster software to infect the rest of my computers. I don't want to continue backing up my computers if they are now infected.

TMRyan
Customer Service
Posts: 119
Joined: 01 Dec 2020, 11:50

Post by TMRyan » 15 Jan 2021, 10:45

@dmach47
Hello,
You can find a professional hard disk processing company, tell them that the data on your hard disk is infected with a virus, and let them format the hard disk for you.
To contact our tech team, please email support(at)terra-master.com; remember to replace (at) with @.

minerjoe
Posts: 4
Joined: 05 Jan 2021, 00:03

Post by minerjoe » 19 Jan 2021, 19:27

I totally wiped mine and reformatted them.

Now I've blocked the NAS completely from the internet using the firewall with rules in both directions - I'd advise anyone else to do the same. I've also relegated it to a media server as I don't trust it with anything else. I'll use OneDrive/GDrive and an external hard drive for anything actually important.
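
As an added example (not written by any poster and not TerraMaster's tooling), here is one way to check a router's saved NAT rules for port forwards to the NAS, such as the port 8181 forward asked about earlier in the thread, and to generate the both-directions block described in the post above. It assumes a Linux router using iptables; the NAS address, WAN interface and sample ruleset are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux router using iptables.
# NAS_IP, WAN_IF and the sample ruleset below are constructed placeholder values.
NAS_IP="192.168.1.50"
WAN_IF="eth0"

# Constructed sample of `iptables-save -t nat` output with one port forward to the NAS.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 192.168.1.50:8181
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print every DNAT rule in saved ruleset text ($1) that forwards traffic to the NAS ($2).
find_forwards() {
    printf '%s\n' "$1" | awk -v nas="$2" '
        /-j DNAT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--to-destination") {
                    split($(i + 1), dst, ":")
                    if (dst[1] == nas) print
                }
        }'
}

# Print FORWARD rules that drop traffic between the NAS ($1) and the WAN interface ($2).
block_rules() {
    printf '%s\n' "-I FORWARD -i $2 -d $1 -j DROP" \
                  "-I FORWARD -o $2 -s $1 -j DROP"
}

# Dry run by default; pass "apply" (as root) to actually insert the rules.
main() {
    mode="${1:-dry-run}"
    echo "Port forwards to $NAS_IP:"
    find_forwards "$SAMPLE_NAT" "$NAS_IP"
    echo "Block rules ($mode):"
    block_rules "$NAS_IP" "$WAN_IF" | while read -r rule; do
        echo "iptables $rule"
        if [ "$mode" = "apply" ]; then iptables $rule; fi
    done
}
main "$@"
```

On a real router, feed `find_forwards` the output of `iptables-save -t nat` instead of the sample, and remove any forward it reports before relying on the block rules.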

StanHK
Posts: 28
Joined: 25 Jul 2020, 16:22

Post by StanHK » 20 Jan 2021, 10:35

minerjoe wrote (19 Jan 2021, 19:27):
> I totally wiped mine and reformatted them.
>
> Now I've blocked the NAS completely from the internet using the firewall with rules in both directions - I'd advise anyone else to do the same. I've also relegated it to a media server as I don't trust it with anything else. I'll use OneDrive/GDrive and an external hard drive for anything actually important.

Actually, this is a topic that TerraMaster should advise us on and not just by saying "format the drive" but by actually informing us how the virus works, what it does, and if a full wipe is truly needed. But TerraMaster has been avoiding any comments on this for weeks and it seems their policy is to 'let it pass'. My next step is leaving a comment on the drives as I purchased from Amazon and I think everyone should be warned about this company before purchasing.

I think the whole approach by TerraMaster is just sick to the bone. Update too late, warn too late, don't advise, no apologies, and for CA-PA (corrective action, preventive action) we may think they have done CA by issuing the TOS update, but for sure they don't show us they are doing the PA part, which arguably is the most important. Shame on TerraMaster. Still waiting to get answers from them.

@TMRoy
1. How could this happen, when you were aware of the threat on November 2?
2. Is it absolutely needed to wipe the whole drive, or can files be secured for when decrypting becomes available?
3. Will TerraMaster provide a tool for decryption on the drive when it is available (thinking of all those without a backup)?
4. What are your process changes from here onwards to prevent this from happening again?
