My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

ermurenz
Posts: 4
Joined: 29 Dec 2020, 10:58

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by ermurenz »

@StanHK
If you want SSH access to your NAS, you must first enable the SSH service. You can do it from: Control Panel -> Telnet & SNMP -> Telnet / SSH -> flag on "Allow SSH access" and on "allow only within local network". Default port is 9222. You can change it if you want.

After this, you need to access the NAS via any SSH client. I usually use WinSCP with PuTTY. This guide is perfect: http://www1.udel.edu/it/help/connecting ... inSCP.html

On the connection tab you must remember to use:
File protocol: SFTP
Host name: NAS IP address (like 192.168.X.X)
Port number: 9222
User name: root (or admin)
Password: your admin password

In this way you obtain graphical and terminal access to your TOS. For the terminal one you have to be a little bit familiar with basic Linux commands.

As I said in the previous post, in my case the files the attacker used to encrypt the disks were in /usr/www/

I hope this information will be useful to you.
StanHK
Posts: 13
Joined: 25 Jul 2020, 16:22

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by StanHK »

Thanks.

I am on macOS so I'll be using Terminal. Appreciated, and will try to find and get rid of those files.
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by sianderson »

Has it been established exactly how people have been infected?

If you don't port forward from a router, were you susceptible to being infected or not? On the assumption no other system was compromised on the internal network which then gave them access to the admin page.
F2-210

4.2.43
StanHK
Posts: 13
Joined: 25 Jul 2020, 16:22

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by StanHK »

Dragonpme wrote: 03 Jan 2021, 23:02 Today I find my self with a HUGE data loss
I am truly sorry to hear. The grapes are even more sour as TM could have prevented it and should have prevented it. Although backups are highly recommended, obviously this is not an excuse for not timely patching the software.

Although data loss at my end was kept at a minimum, the costs for my team being less effective and the costs for me restoring backups and safety are not little.

Here is some advice for those looking to improve their security:
1. Get a firewalla (firewalla.com)
2. Set up VPN on the firewalla, which will allow you to tunnel into your home network
3. Set up port forwarding on your router for the firewalla VPN
4. Use the firewalla in advanced/DHCP mode (firewalla will assign internal IP addresses to your devices)
5. Fix the internal IP address for your TNAS in firewalla by reserving the assigned IP for TNAS (e.g. 172.1.1.2)
6. Take your TNAS offline by using the firewalla built-in disconnect from internet button
7. Whitelist your VPN subnet and local subnet in the rules section for TNAS device
8. If you use any remote/cloud backup, find the IP CIDR blocks and whitelist those for your TNAS device in firewalla Rules

*** now your TNAS should be only accessible from internal IP addresses and by VPN ***

9. Check if there are any port forwarding rules (except for your firewalla VPN) on your router, e.g. 8181, and remove those (be sure to keep your VPN port forwarding!!!)
10. Go to your network settings on your TNAS, and change the standard HTTP and HTTPS ports (e.g. 8181 --> 3131). Note, to connect to the TNAS web interface on example IP: 172.1.1.2:8181 you need to use the new port, e.g. 172.1.1.2:3131
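
A way to check the outcome of steps 7 to 9 above against exported rules, as an added example that is not part of StanHK's post. The rule format, the VPN port 1194/udp, the firewall address 172.1.1.1 and the VPN and backup subnets are assumptions; only 172.1.1.2, 8181 and 3131 come from the post.

```python
import ipaddress

NAS_IP = ipaddress.ip_address("172.1.1.2")  # example TNAS address used in the post
VPN_FORWARD = ("udp", 1194)                 # assumed VPN port; the post does not name one


def audit_port_forwards(forwards, vpn_target):
    """Step 9: flag every router forward except the single VPN forward."""
    findings = []
    for fwd in forwards:
        key = (fwd["proto"], fwd["ext_port"])
        if key == VPN_FORWARD and fwd["target"] == vpn_target:
            continue  # the one forward that must stay
        # A forward straight to the NAS is exposed whatever port number it uses,
        # so moving the web UI from 8181 to 3131 (step 10) does not clear it.
        to_nas = ipaddress.ip_address(fwd["target"]) == NAS_IP
        findings.append(("HIGH" if to_nas else "REVIEW", *key, fwd["target"]))
    return findings


def audit_allowlist(allowed, approved):
    """Steps 7-8: every allowed CIDR must sit inside a declared network."""
    # Networks are declared explicitly rather than inferred from address ranges.
    nets = [ipaddress.ip_network(c) for c in approved.values()]
    bad = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == a.version and net.subnet_of(a) for a in nets):
            bad.append(cidr)
    return bad


# Constructed sample data (not taken from any real router or firewall export).
FORWARDS = [
    {"proto": "udp", "ext_port": 1194, "target": "172.1.1.1"},   # VPN on the firewall
    {"proto": "tcp", "ext_port": 8181, "target": "172.1.1.2"},   # NAS web UI
    {"proto": "tcp", "ext_port": 3131, "target": "172.1.1.2"},   # NAS web UI, moved port
    {"proto": "tcp", "ext_port": 5000, "target": "172.1.1.50"},  # some other device
]
APPROVED = {"local": "172.1.1.0/24", "vpn": "10.8.0.0/24", "backup": "203.0.113.0/24"}
ALLOWED = ["172.1.1.0/24", "10.8.0.0/24", "203.0.113.0/25", "0.0.0.0/0"]

if __name__ == "__main__":
    for finding in audit_port_forwards(FORWARDS, vpn_target="172.1.1.1"):
        print("port forward:", finding)
    for cidr in audit_allowlist(ALLOWED, APPROVED):
        print("allowlist entry outside approved networks:", cidr)
```
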
minerjoe
Posts: 4
Joined: 05 Jan 2021, 00:03

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by minerjoe »

I have also been hit with this as I just checked my NAS.

I only got the NAS a couple of months ago as a home back up system for files. I am now left in Limbo as what to do. No point of wiping and plugging the thing back in, as it'll just be back to being vulnerable and also all of the files I backed up are now encrypted.

I should have just got a hard drive as a backup instead of this shoddy system
Dragonpme
Posts: 2
Joined: 27 Dec 2019, 17:52

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by Dragonpme »

minerjoe wrote: 05 Jan 2021, 00:07 I have also been hit with this as I just checked my NAS.

POOR show TerraMaster. I only got the NAS a couple of months ago as a home back up system for files. I am now left in Limbo as what to do. No point of wiping and plugging the thing back in, as it'll just be back to being vulnerable and also all of the files I backed up are now encrypted.

I should have just got a hard drive as a backup instead of this shoddy system
I feel the exact same. Trust in the company is down the pan alongside my money. I've resorted to a reputable online backup solution instead of hosting my own.
minerjoe
Posts: 4
Joined: 05 Jan 2021, 00:03

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by minerjoe »

No way will I trust this thing and Terramaster with my data. At best this will be a media centre file server from now on.

I'll buy something external from someone more reputable in terms of security
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by sianderson »

Did you not back up your data? E.g. to USB?

Would you consider your data safe by storing it on a laptop? I bet you wouldn’t so wondering why you expect the data to be safe sat on a nas drive?

No matter what make of nas drive you choose, if you mapped a network drive to it on a computer it is susceptible to a ransomware attack

Did you open up port 8181 on your router? Do you know how someone from the internet actually managed to get access to the admin page of the nas drive in the first place?
F2-210

4.2.43
ermurenz
Posts: 4
Joined: 29 Dec 2020, 10:58

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by ermurenz »

StanHK wrote: 05 Jan 2021, 15:54
sianderson wrote: 05 Jan 2021, 04:24 Did you not backup your data? E.g to USB?

Would you consider your data safe by storing it on a laptop? I bet you wouldn’t so wondering why you expect the data to be safe sat on a nas drive?

No matter what make of nas drive you choose, if you mapped a network drive to it on a computer it is susceptible to a ransomware attack

Did you open up port 8181 on your router? Do you know how someone from the internet actually managed to get access to the admin page of the nas drive in the first place?
I think the issue is that it was very preventable? TM aware on Nov 2 and patches on Dec 1 is waaaay too long. But not updating via the updater / download website and not informing customers about a security update is simply unforgivable.

I had backups. Still, this SHOULD have been prevented and COULD have been prevented
I have to agree with StanHK 100%
dmach47
Posts: 2
Joined: 14 Jan 2021, 07:43

Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

Post by dmach47 »

I have an F4-210 and I was also hit on December 25 with the malware. Now what?

I've taken the F4-210 off the network and turned it off.

What I am most worried about is the malware infecting my other computers on the network (and which were linked to the NAS).

Are the drives that are in the F4-210 now worthless? I would like to reuse them, but I don't want to connect them to any of my other computers and risk them being infected with the malware.

I have other backups, so I won't lose any data, unless all my other computers also get infected.

I am no security or NAS expert. I just wanted a simple system to access all my music/photos/videos and have as a backup of all my data.