How to protect your TNAS from Deadbolt ransomware?

Official announcements and forum rules.
chourmovs
Posts: 13
Joined: 28 Mar 2020, 14:56

Re: How to protect your TNAS from Deadbolt ransomware?

Post by chourmovs » 15 Mar 2022, 14:42

[quote=paulgraz post_id=17328 time=1647302998 user_id=3192]
Has there been any update on this issue?
I got hit today, about 3 hours ago. I guess I wasn't keeping up as I had no idea what this was going on. I have a F2-220 with 2 3TB drives setup as Raid 1. t's been running that way since 2017 without any issues.
I powered the NAS off immediately when I saw some encrypted files with the extension .iLife The 2 HD activity lights were going nuts.
I do not have a recent backup. (Mistake #1), and I had not updated the firmware in years (mistake #2) I guess I'm going to have to rethink all of this.
I've also completely disabled uPnP on my router.
If I turn the NAS back on will it continue encrypting?
I'm considering pulling the 2 HDs and buying 2 new ones in the hope that a decrypting tool will eventually surface - I really cannot afford to pay the ransom right now.
[/quote]

Welcome onboard, sorry for you, I was in your situation last week :(
Yes if you power on it should continue to encrypt
You have to reinstall/update system to fix this

User avatar
NecNem
Posts: 0
Joined: 05 Mar 2022, 02:25

Re: How to protect your TNAS from Deadbolt ransomware?

Post by NecNem » 20 Mar 2022, 03:14

So after receiving a response from TM via email, I got the impression we are left on our own to just reformat; lose all files and update the system on the NAS, or pay up and hope the key works.

I've now updated the system and reformatted everything.

The guides on how to improve security have helped to a point, I have;
-Updated to the latest version (I downloaded the 4.1.32_2008031214 that was in the guide but the system says its version is 4.2.30-2203011629)
-Changed the default port from
-Added a rule to the firewall on the NAS to allow my own IP (can anyone please confirm if doing this rejects all other inbound requests that are not my IP or if not, how to do that)
-Disabled UPnP

However;
-TNAS does not allow me to remove or disable the default admin user.
I have added a new Admin user, given it a strong password and full access; then I have given the default Admin and guest ridiculous passwords and removed access rights to everything I can.
Is this sufficient? If not how do I delete the default user?

On the front page of the TOS webviewer it says Internet is Disconnected on the status box with the device details and resource/storage data. I assume this is a good sign that the device cannot access the web?

Is there anything further I need to do before I start bothering to put files on this again?

User avatar
TMRyan
Customer Service
Posts: 629
Joined: 01 Dec 2020, 11:50

Re: How to protect your TNAS from Deadbolt ransomware?

Post by TMRyan » 20 Mar 2022, 17:16

{L_BUTTON_AT}NecNem
You need to install 4.2.30 to customize the user on initialization. Download address: https://support.terra-master.com/download
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement)

User avatar
KHnats
Posts: 9
Joined: 06 Jul 2021, 23:04

Re: How to protect your TNAS from Deadbolt ransomware?

Post by KHnats » 26 Mar 2022, 12:56

NecNem wrote:
> Actually, I wrote all this before after I first got hacked on this forum, under username Stanhk. I got kicked off the forum for asking critical questions. I also posted this months ago on the TerraMaster Reddit.

I hear you, you wanted to know all this before getting hacked but I am sorry to say that the information is out there already.

User avatar
KHnats
Posts: 9
Joined: 06 Jul 2021, 23:04

Re: How to protect your TNAS from Deadbolt ransomware?

Post by KHnats » 26 Mar 2022, 13:13

deex wrote:
> @mbucayr
>
> See this thread
>
> viewtopic.php?f=6&t=2877
>
> @KHnats
>
> Did Snapshots in practice helped you to recover of it?

Yes, largely it did.

I have two TerraMaster. One is the main drive, the other is the backup. Backup is twice daily. They are on two different locations on different internet connected via VPN. The back-up machine also does incremental updates to online storage.

Only files we lost were the ones we were working on, unless the employee was still having the document open on their machine or made a local copy. Eventually the losses were limited.

One key message, keep your TerraMaster on intranet only and if you want remote access, use VPN to access your intranet.

Roccia7
Posts: 46
Joined: 05 Mar 2020, 05:02

Re: How to protect your TNAS from Deadbolt ransomware?

Post by Roccia7 » 27 Mar 2022, 17:43

It's probably a stupid question, but I try.
Could you insert a security function where if TOS detects a high cpu usage the nas restarts? I noticed that the ransomware makes the cpu work a lot, and rebooting could possibly prevent the files from being encrypted. It could be done?

User avatar
Miawhite
Posts: 0
Joined: 02 Apr 2022, 02:31

Re: How to protect your TNAS from Deadbolt ransomware?

Post by Miawhite » 22 Apr 2022, 00:07

thank for the steps and instructions on what to do

User avatar
renj86
Posts: 8
Joined: 08 Jan 2021, 18:16

Re: How to protect your TNAS from Deadbolt ransomware?

Post by renj86 » 11 May 2022, 00:32

For safety, where are the ransomware located? If I want to erase everything on the hard drives and start from clean, what shall I do to format the Raid 1 drives? I have F2-210.

Thanks.

User avatar
titanrx8
Posts: 169
Joined: 17 Jul 2020, 06:17

Re: How to protect your TNAS from Deadbolt ransomware?

Post by titanrx8 » 11 May 2022, 05:01

Roccia7 wrote:
> It's probably a stupid question, but I try.
> Could you insert a security function where if TOS detects a high cpu usage
> the nas restarts? I noticed that the ransomware makes the cpu work a lot,
> and rebooting could possibly prevent the files from being encrypted. It
> could be done?
There are other processes that spike CPU to 100% other than ransomware. For example, the file integrity check for RAID that runs on boot up spikes the CPU so you'd end up in a cycle of reboots every time you start the system.

User avatar
TM220user
Posts: 11
Joined: 01 Mar 2022, 23:08

Re: How to protect your TNAS from Deadbolt ransomware?

Post by TM220user » 21 Jun 2022, 19:43

chourmovs wrote:
>
>
> Yes if you power on it should continue to encrypt
> You have to reinstall/update system to fix this


Well, it looks like I just tripped the activation of mine starting to encrypt (was doing a reboot to add a SSD).
After the reboot, I no longer had access to any of my user accounts (including my 'admin' account that was setup under the new "protection" supposedly offered by the 4.2.30+ OS 'improvements' LMAO. What a farce.

I was running 4.2.32-2203011626 according to the screenshot I took literally before rebooting. (it was up for 36 days before this morning, so whatever happened, happened RECENTLY, and on the current TOS.)

I had NO access allowed to anything publicly. I only access it LOCALLY. (And most of those options were supposed to be disabled [by me]: for example: UPnP, SMB, FTP, WebDAV, RSync, etc)
So I *thought* I had everything locked down pretty well... The only way I can see it being accessible is via whatever backdoor TerraMaster themselves built in (for things like phoning home to check for software updates, or for them to access our machine to 'assist' in whatever problem arises via their support team we see so often mentioned; "contact our support team so they can have a look...")

Anyways, the reason I'm writing is to say that even the current TOS 'os' is NOT SECURED YET against getting locked out of your system and having files encrypted.

I've about had my fill of this "OS".

Post Reply