My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

[CarlosMtnez]

Hello, some days ago, my TerraMaster F2-210 has been attacked by Ransomware eCh0raix / QNAPCrypt

My System version was 4.1.31
I had opened in my router port 8181 for web interface because I want access from outside my network if needed. Im using a secure password and Im sure attackers does not knows.

Now, all documents and photos are encrypted with extension .encrypt and a txt message saying I have to go to .onion link to pay a rescue.

Following information is added by TerraMaster customer service
Official notice about eCh0raix(QNAPCrypt)

[Jamgot]

My F4-210 I just bought also got attacked by the same ransomware and I have no idea how to remove it without a full server format. ClamAV doesn't detect any viruses or ransomware.

[Spaniard]

I am curious...
Was it only the port 8181 open in your router?
Have you checked for any clue about the attack in the logs?

[TMroy]

I am sorry to hear that your data has been infected by ransomware.
We have some advices here viewtopic.php?f=75&t=1291&p=6581#p6581

Please check if this could be help: https://www.bugsfighter.com/remove-ech0 ... ypt-files/

[CarlosMtnez]

I'm pretty sure attacker entered through web portal.

In the system logs there was some Events "Web Logout Succesful!" from weird ip address. About 3 or 4 logs like that in the past 2 days. Only that, No other messages from that ips.

I left open web admin port (8181) because I want to access from outside to access my data tree and or download individual files.

I DO NOT had opened telnet nor SSH port. Also is checked only local connections.

I think its a vulnerability from Web admin interface.

Hope TerraMaster investigate this and make a Patch.

[crpanada]

Good evening, I have also discovered, despite myself, that my NAs Terramaster has also been infected.
Do you have any ideas on how to solve the problem?
At the moment I have 1 tb of blocked data and a lot of work to do.
Please help us to resolve.
I have no intention of paying 1300€ to get my data back.
Many thanks.
Cristiano

[Spaniard]

Searching for 'terramaster vulnerabilities' I found several pages with bad news... the code is prone to security holes

The most recent one confirmed is
https://packetstormsecurity.com/files/1 ... ution.html
I guess 4.2.07 is also affected.

I have taken mine offline. Looks like the first thing to do with these NASes is changing all the ports to something very unusual if you truly need them on Internet.

[armandomr81]

I just find out the same thing happen to my T-NAS also on Dec 25 th. I have not used the NAS since Dec 20 th so I think the attac was similar to the other posted.

Is there a way to recover the .ENCRYPTED files? After this I would leave mine offline but there is very sensible information in my drive, such as taxes, goverment payments from my house and cars and thousands of family pictures.

Please help. Someone from Terramaster? At least point me in the rigth direction to contact someone can recover my files.

Armando Martinez.
F2-210 user

[TMroy]

{L_BUTTON_AT}Spaniard

Please be well noted that the Vulnerability mentioned by packetstormsecurity in the article about "include/makecvs.php" has been resolved in 4.2.07 viewtopic.php?f=28&t=1136

[TMSupport]

It couldn't be updated automatically. If the folders are encrypted already, please go to TOS Control panel- update&recovery- restore to factory default to see whether it's ok.