Urgent Notification about TNAS being Attacked by Ransomware

TMzethar
Customer Service
Posts: 284
Joined: 27 Oct 2020, 16:43

Post by TMzethar » 11 Jan 2022, 15:20

Recently, we have received reports that some TNAS devices have been attacked by ransomware. Based on the case study, we preliminarily concluded that this was an external attack targeting TNAS devices. To keep your data safe from attack, please take action immediately!

We suggest you take the following countermeasures:

1. Upgrade your TOS to the latest version;

2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;

3. Disable port forwarding on your router. After disabling this function, you will not be able to access TNAS through the TNAS device bound to the DDNS external network.

4. Disable the UPnP function on your TNAS. After disabling, your PC, multimedia box, TV and other devices may not be able to access TNAS through UPnP protocol, please use DLNA, NFS, SMB protocol to access TNAS instead.

5. Disable RDP, SSH and Telnet when not in use;

6. Change the default port of FTP. When you use the FTP protocol to access, please remember to include the port, such as ftp://192.168.0.1:1990.

7. Set a high security level password for all users;

8. Disable the system default admin account, re-create a new admin account, and set an advanced password;
Note: For versions after TOS 4.2.09, you can set the administrator account without using the default admin username when installing the system. If it was upgraded from a version before TOS 4.2.09, you need to reset the system configuration, then you can customize the user name.

9. Enable firewall and only allow trusted IP addresses and ports to access your device;
a. Go to Control Panel > General Settings > Security > Firewall.
b. Create a firewall rule and choose the operation of allow or deny.
c. Fill in the IP range you allow or deny access to. If you fill in the network you want to deny access to, please fill in the subnet address correctly, otherwise it may cause your existing devices to be unable to access TNAS.

10. Avoid using default port numbers 5443 for https and 8181 for http. After changing, please enter IP:Port in the browser address bar, such as 192.168.0.1:8186.

11. Enable automatic IP block in TOS Control Panel to block IP addresses with too many failed login attempts;

12. Backing up data is the best way to deal with malicious attacks; always back up data, at least one backup to another device. It is strongly recommended to adopt a 3-2-1 backup strategy.


If your device has unfortunately been attacked by ransomware:

1. Remove the LAN network cable from your TNAS device immediately;

2. Power off your TNAS; x86 models: short press the power button; ARM models: long-press the power button for 3 seconds;

3. Before restoring data, thoroughly remove the infection in the computer system and TNAS; You need to restore your TNAS to factory settings and re-install the latest version of TOS. How to re-install your TOS?
To contact our team, please send email to following addresses, remember to replace (at) with @:
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
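
Added example, not part of the original post or TerraMaster's code: a pre-check for countermeasure 9c that flags a subnet entered with host bits set and lists which of your own devices a draft rule set would lock out. The device list, the rule format and the rule semantics (any matching deny blocks; once an allow rule exists, unmatched devices are blocked) are assumptions, not TOS behaviour taken from the page.

```python
import ipaddress

# Constructed sample data: devices that must keep reaching the NAS.
TRUSTED_DEVICES = {
    "desktop": "192.168.0.20",
    "media-box": "192.168.0.31",
    "laptop-vpn": "10.8.0.6",
}

def parse_subnet(text):
    """Return (network, warning); warning is set when host bits are set."""
    try:
        return ipaddress.ip_network(text, strict=True), None
    except ValueError:
        # Raises again if the text is not an address at all.
        net = ipaddress.ip_network(text, strict=False)
        return net, f"{text} is not a subnet address; did you mean {net}?"

def review_rules(rules, devices=TRUSTED_DEVICES):
    """rules: list of (action, subnet), action is 'allow' or 'deny'.

    Assumed semantics (hypothetical, not documented on the page): a matching
    deny rule blocks; if any allow rule exists, unmatched devices are blocked.
    """
    warnings, parsed = [], []
    for action, text in rules:
        net, warning = parse_subnet(text)
        if warning:
            warnings.append(warning)
        parsed.append((action, net))
    has_allow = any(action == "allow" for action, _ in parsed)
    blocked = {}
    for name, addr in devices.items():
        ip = ipaddress.ip_address(addr)
        denied_by = [str(n) for a, n in parsed if a == "deny" and ip in n]
        allowed = any(a == "allow" and ip in n for a, n in parsed)
        if denied_by:
            blocked[name] = "denied by " + denied_by[0]
        elif has_allow and not allowed:
            blocked[name] = "matches no allow rule"
    return warnings, blocked

if __name__ == "__main__":
    # A deny rule typed with a host address instead of the subnet address.
    print(review_rules([("deny", "192.168.0.1/24")]))
```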

yak983
Posts: 8
Joined: 07 Dec 2021, 18:24

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by yak983 » 11 Jan 2022, 20:22

any update?
https://www.terra-master.com/ is offline too ..

fpsking
Posts: 5
Joined: 20 Mar 2021, 06:15

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by fpsking » 11 Jan 2022, 21:53

My TNAS was up to date and I still got attacked, with a text document telling me to follow the instructions to unlock it, so I have just lost years of family photos, all my personal documents and work files.

And your best answer for this is, more or less, unplug it from the internet, restore it back to factory settings and format the drives. Unbelievable.

I also tested all the antivirus/protection you offer in your apps section and not one of them detected it.

How about you add 2 step authentication or something that works.

REBELinBLUE
Posts: 17
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE » 11 Jan 2022, 22:30

The TNAS software doesn't allow you to disable the default admin

PenguinzOnQuack
Posts: 0
Joined: 11 Jan 2022, 23:22

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by PenguinzOnQuack » 11 Jan 2022, 23:28

I have also been a victim of this attack approximately 17 hours ago. 30TB of files lost.
Can I have some clarification on a few items as this is not my area of expertise;

Item 08) How do we disable the Admin account?
Item 09) How do we enable the firewall and set up the trusted IP address? I use this as a Plex server, will this be affected?
Item 10) What port numbers should we use?

Jac de Lad
Posts: 53
Joined: 04 Aug 2020, 01:40

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Jac de Lad » 11 Jan 2022, 23:40

In addition to the asked questions: where can I see the list with the blocked IPs? Also, a bit more information how the attack works would be nice.

PenguinzOnQuack
Posts: 0
Joined: 11 Jan 2022, 23:22

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by PenguinzOnQuack » 11 Jan 2022, 23:41

I actually need more help than I realised.

4. Disable the UPnP function on your TNAS.
How?

5. Disable RDP, SSH and Telnet when not in use;
How?

6. Change the default port of FTP.
To what?

8. Disable the system default admin account, re-create a new admin account, and set an advanced password;
How?

9. Enable firewall and only allow trusted IP addresses and ports to access your device;
How do we enable the firewall and set up the trusted IP address? I use this as a Plex server, will this be affected?

10. Avoid using default port numbers 5443 for https and 8181 for http;
To what?

A step by step guide would be very useful

Lausi
Posts: 1
Joined: 15 Oct 2021, 02:16

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Lausi » 12 Jan 2022, 00:29

Thank you for providing the warning. It would be helpful to have more detailed guidance for the countermeasures to be taken. Further, I would appreciate receiving some more details about the attack itself to identify additional potential weaknesses in my network.

fpsking
Posts: 5
Joined: 20 Mar 2021, 06:15

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by fpsking » 12 Jan 2022, 00:30

Really disappointed in Terramaster with this. I have lost so much stuff & memories due to this attack and not even an apology, what a joke. The attack is clearly not a user issue, it's a security issue on your end, but we pay for it.

1. Install good anti-virus software (The ones you have on the app store don't detect it or help in any way)

3. Disable port forwarding on your router. (If I do this then my TNAS is just a glorified paperweight)

7. Set a high security level password for all users. (I don't believe they got in using my password, but if they did then there must have been a security breach on your side, and if so can you let us know if our passwords have been leaked)

9. Enable firewall and only allow trusted IP addresses and ports to access your device (Again, this would make my TNAS into a paperweight, as I use it for business as well as personal and access it at different locations where IPs change; heck, even my own IP changes every few weeks.)

11. Enable automatic IP block in TOS Control Panel to block IP addresses with too many failed login attempts (Already had this on and it was set low: 4 attempts and it locks the user out.)

12. Backing up data is the best way to deal with malicious attacks (I was stupid to use Terramaster, as I had my backups on a different drive that was also locked due to ransomware, sorry, due to Terramaster's security breach.)

TMroy
Customer Service
Posts: 2015
Joined: 10 Mar 2020, 14:04

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by TMroy » 12 Jan 2022, 01:24

First of all, it is very sad that this happened to all the victims.

Terramaster has been working hard to strengthen the security of TNAS devices. Various security tools are integrated in TOS, and we also provide you with various possible countermeasures. However, once your device is exposed to the Internet, there is a risk of being attacked. Because you are dealing with very professional hackers, hackers will do anything to gain profits. Only one method is not enough to avoid attacks. In order to improve the security level, multiple security measures must be adopted. Even so, there is still no guarantee that your device is completely secure. A large number of devices are attacked by ransomware every day, including Terramaster, QNAP, Synology, and even the servers of some large enterprises or government agencies.
https://unit42.paloaltonetworks.com/ech ... ware-soho/

If you expose your device to the internet but don't want to do anything, you may be one of the victims.

After studying the cases of individual victims, we found that the hackers continued to attack the victim's device through the ftp service for more than dozens of hours. If you use the system default port, low security level account and password, you are very likely to become a victim. However, ftp is definitely not the only way to attack, please act immediately and follow our countermeasures one by one to reduce the risk of being attacked.

We will continue to study how the ransomware invaded TNAS devices and will release updates in a timely manner.
To contact our team, please send email to following addresses, remember to replace (at) with @:
Technical team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
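
Added example, not part of the original post or TerraMaster's tooling: a log check for the pattern described above, where one source keeps failing FTP logins over many hours. The vsftpd-style line format and the sample lines are constructed assumptions; the thread does not show what TOS actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (vsftpd-style format is an assumption).
SAMPLE_LOG = """\
Mon Jan 10 01:02:11 2022 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jan 10 05:40:03 2022 [pid 2188] [root] FAIL LOGIN: Client "203.0.113.5"
Mon Jan 10 11:15:47 2022 [pid 2290] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jan 10 18:22:30 2022 [pid 2407] [guest] FAIL LOGIN: Client "203.0.113.5"
Mon Jan 10 20:01:05 2022 [pid 2450] [alice] FAIL LOGIN: Client "192.168.0.20"
Mon Jan 10 20:01:19 2022 [pid 2451] [alice] OK LOGIN: Client "192.168.0.20"
Tue Jan 11 02:09:58 2022 [pid 2533] [admin] FAIL LOGIN: Client "203.0.113.5"
Tue Jan 11 07:31:12 2022 [pid 2610] [ftp] FAIL LOGIN: Client "203.0.113.5"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')

def failed_logins(lines):
    """Yield (ip, user, timestamp) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield m["ip"], m["user"], ts

def sustained_sources(lines, min_failures=5, min_span=timedelta(hours=12)):
    """Return {ip: summary} for sources that fail often AND over a long span."""
    by_ip = defaultdict(list)
    for ip, user, ts in failed_logins(lines):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        times = sorted(t for t, _ in events)
        span = times[-1] - times[0]
        if len(events) >= min_failures and span >= min_span:
            report[ip] = {
                "failures": len(events),
                "hours": round(span.total_seconds() / 3600, 1),
                "users": sorted({u for _, u in events}),
            }
    return report

if __name__ == "__main__":
    print(sustained_sources(SAMPLE_LOG))
```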
