Urgent Notification about TNAS being Attacked by Ransomware

[Charlie_Croker]

TimeKillr wrote:
> I was hit - it seems like the attack happened this morning (I woke up to my
> TNAS' fan being loud but I figured it was just doing some maintenance).
>
> From what I know, I had absolutely zero services enabled except Plex and
> SMB; I lost a ton of stuff, including a lot of work files.
>
> This is absurd - I'm not paying 0.03BTC to recover my files, and I kind of
> expect Terramaster to pay up this idiotic ransom, especially since even if
> I do pay, I have absolutely ZERO guarantees I won't be hit again.
>
> Deadbolt hit Terramaster earlier this month, and now they're hitting again;
> even if now I decide to say screw it and decrypt my NAS, what's to tell me
> that the vulnerability will be fixed? If Terramaster doesn't know what the
> vulnerability is, how can they be expected to patch it?
>
> I also don't know why I just learned of this - Terramaster has my
> registration information, and when the initial attack happened in January,
> why didn't they send a mass email to all their customers with steps to
> potentially secure themselves?
>
> My NAS is behind TWO routers, access to it is limited to my local network
> (I can't even log on to it externally!) and yet this happens.
>
> From what I see on this forum last time they said "It's your fault if
> it's not secure"; all the passwords I have on the device are randomly
> generated and secure, the attackers are providing a solution to Terramaster
> (it's a lot of money, granted!) but we're still being left in the dark?
>
> I'm really, REALLY disappointed.

1. When TM was hit in January it was by Echamonix (a different vulnerability, which TM patched).
2. When QNAP was hit in January by deadbolt, TM should have taken steps to check TM devices weren't vulnerable, they didnt, when Asustore was hit with deadbolt about 7 days ago, they should have again checked, seems they didnt.
3. I agree, TM should be actively warning users.
4. Why are you behind two routers? I'm confused as to the reasoning and why you would want to be "DoubleNATed"? Just because you can't log onto your NAS from outside the LAN, doesn't mean its not exposing ports.
5. If TM pay the ransom, the attacks will increase, as these criminal gangs will realise they are an easy target.
6. I have a QNAP (7 years) and a TM, ( 18 months) and a WD mycloud (A thousand years, or so it seems), I have never been hit by Ransomware (Well, not yet) , but I always change default ports and I have the best Router I can afford, definitely NOT the one provided by my ISP. (A router with Intrusion Protection System enabled, which monitors all traffic actively looking for attacks). I always make sure Upnp is OFF, as is FTP, SSH and Telnet.
7. I have to expose my NAS drives to the Net as I need access to them from where I work and they're in my home (3050 miles away) .
8. Its no consolation but QNAP keep getting hit, almost weekly or so it seems.
9. ALWAYS backup your data from the NAS, I use a 3-2-1 strategy. https://www.backblaze.com/blog/the-3-2- ... -strategy/

This guy posts some very good videos about securing your network https://www.youtube.com/c/NetworkChuck/videos

[TimeKillr]

Aah, I didn't know it was a different exploit that hit TM last month.

Also I'm behind two routers for a very good reason - I live in a duplex with family members; the internet is hooked up to my in-laws, they have their router, then we ran a network cable downstairs to my unit through my own router (the WiFi signal doesn't quite reach well and I need a wired connection for work). This way I have my own WiFi and I can secure my network behind my own router (I have a Netgear Nighthawk). UPNP is disabled on my router for security reasons, so I guess there's some extra ports open on the TNAS that shouldn't be open?

It's terrible. Do we even know what exploit deadbolt used? What exactly is vulnerable? My problem now is that even if I take the L (and lose a bunch of pictures of my parents who passed) how the hell am I guaranteed it won't happen again? We don't know what the attack vector is, if the vulnerability is patched in newer version of TNAS, etc.

I'm just super mad, really. I used my TNAS as my backup device, I was sure it wasn't exposed to the internet (yet it seems it still has a bunch of ports open), so it's super frustrating.

[giraf]

I just got out of the situation.
Closed NAS access to the Internet on the router.
Raised the VPN to my local network.

No updates yet. Something always doesn't work the way it should. I'll wait for a stable firmware, not patches.

[Bellcorp]

I am also very disappointed, if terramaster does not fix this problem I guess we would have to sue them for lack of information and inactivity on this issue, once they knew what was happening, their obligation was to inform us by mail with the problem and the possible solutions , I have a lot of information compromised and impossible to restore or recover, I do not plan to sit idly by

the solution that they have given me for now is to turn off the nas and restart the installation of the operating system, but by doing that the hijacked files would be lost forever, they don't even know what to do with this

[juanmel]

Goodmorning,

Yesterday I found this web site: https://www.nomoreransom.org it is a project of various police, antivirus companies and brands to stop ransomware. On the page there are tools for some infections but there is still no solution for ours . Maybe in coming days, weeks... We are still waiting for some explanation and solution from Terramaster. Please TM do you know something already?

[Odrec]

My F5-221 got affected, too.
I was away from home when it started but noticed the btc payment screen once I arrived home and turned the nas off.
As most of the files stored aren't really important I decided to give it a try to see if I can recover the important ones.

First of all, I'm not too tech savvy. I read all the posts here and noticed that as I never used Linux before I wouldn't be able to follow some guides posted on this thread,

TNASPC couldn't find the NAS and I had ftp disabled so I wouldn't be able to see how many files got encrypted and backup the ones that are ok.
So here is what I did in case it helps anyone in the same situation as me.

I took all the disks out and inserted an old HD I had lying around. Then I installed the TOS exactly as I did when I bought the NAS and activated the FTP.
After that I inserted one of the affected disks and restarted the NAS. I was able to see the disk on the TOS screen but I could not see the volume.
Restarted the NAS again after taking out the HD where I just installed the TOS and now I was able to access all the files stored there thorugh the TOS screen but not through
the FTP so I edited the shared folder and activated WebDAV and right now I'm backing up all the unaffected files through FTP.


As some users said, it doesn't seem to continue encrypting more files but once I finish backing up the files I'm not going to use the NAS until Terramaster confirms having patched the vulnerability because I don't want to repeat all this process in case of being affected by the deadbolt again.

[oscar]

I cant' believe you dared write this

"If you expose your device to the internet but don't want to do anything, you may be one of the victims."

TNAS has a ridiculous security handling. I already had all the security suggestions implemented (I only had the exposure over the internet, because, hey, I got the TNAS to use it).

I think I am going to install Ubuntu server.

[Charlie_Croker]

Bellcorp wrote:
> I am also very disappointed, if terramaster does not fix this problem I
> guess we would have to sue them for lack of information and inactivity on
> this issue, once they knew what was happening, their obligation was to
> inform us by mail with the problem and the possible solutions , I have a
> lot of information compromised and impossible to restore or recover, I do
> not plan to sit idly by
>
> the solution that they have given me for now is to turn off the nas and
> restart the installation of the operating system, but by doing that the
> hijacked files would be lost forever, they don't even know what to do with
> this

Suing the hardware manufacturer has been discussed every time this happens (and its happened a lot) over on the QNAP forums, its discussed here https://forum.qnap.com/viewtopic.php?f=45&t=164797. It's never got anywhere, however there's a video on YouTube of a guy who did sue QNAP, unfortunately he lost, so be careful https://www.youtube.com/watch?v=ELJcjn-OcZ4

[Charlie_Croker]

TimeKillr wrote:
> Aah, I didn't know it was a different exploit that hit TM last month.
>
> Also I'm behind two routers for a very good reason - I live in a duplex
> with family members; the internet is hooked up to my in-laws, they have
> their router, then we ran a network cable downstairs to my unit through my
> own router (the WiFi signal doesn't quite reach well and I need a wired
> connection for work). This way I have my own WiFi and I can secure my
> network behind my own router (I have a Netgear Nighthawk). UPNP is disabled
> on my router for security reasons, so I guess there's some extra ports open
> on the TNAS that shouldn't be open?
>
> It's terrible. Do we even know what exploit deadbolt used? What exactly is
> vulnerable? My problem now is that even if I take the L (and lose a bunch
> of pictures of my parents who passed) how the hell am I guaranteed it won't
> happen again? We don't know what the attack vector is, if the vulnerability
> is patched in newer version of TNAS, etc.
>
> I'm just super mad, really. I used my TNAS as my backup device, I was sure
> it wasn't exposed to the internet (yet it seems it still has a bunch of
> ports open), so it's super frustrating.


Is there a reason why you don't use one Router and two VLANs? That would have segmented the network into two LANS behind one router.

You can test what ports are open and whether Upnp is on, by going here and selecting the various options. https://www.grc.com/x/ne.dll?rh1dkyd2

[iano]

I just got hit by this.

Pretty appalling to realise that Terramaster knew about this and hadn't pushed messages to me via the nas or attempted direct update to TNAS or attempted to contact me directly in any way.

Sickening.

So if I can get the files backs somehow(maybe), how can I ever trust Terramaster to not protect my files again in future?