Urgent Notification about TNAS being Attacked by Ransomware

Official announcements and latest news, awards from media, and success stories.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

crisisacting wrote:
>

The privacy policy is probably the one to look at https://www.terra-master.com/us/privacy/
billbo2020
Posts: 2
Joined: 28 Feb 2021, 13:00

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by billbo2020 »

So where do we stand with this now? Is it time to just pull the drives and start again? And if I do, will this happen again?
Bellcorp
Posts: 0
Joined: 01 Mar 2022, 07:45

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Bellcorp »

For now it would be convenient to wait a bit to see if an application comes out that can rescue the information. I will remove the affected disks, which in my case are 2, and I will try to restart the NAS, installing everything from 0, but we must see how to proceed to avoid this again. I no longer trust this NAS, so I will get the most important information from it, period. I will even consider getting rid of the NAS and making a server with Linux or something similar.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

billbo2020 wrote:
> so where do we stand with this now ???? is it time to just pull the drives
> and start again ?? and if i do will this happen again ??

If you have capacity, back up the encrypted files elsewhere in the hope they can one day be decrypted.
Then wipe the drives thoroughly (not just a quick format).
Then reinstall TOS.
Change default port settings on NAS.
Remove admin account.
Set a complex password for your new account.
Set firewall rules on the NAS for connections from devices on your local network only.
Make sure your router's firmware is up to date (and make sure it's a good router, not the cheap ones that come from ISPs).
Switch off UPnP on Router and NAS.
Remove any port forwarding rules in router.
Now go here and check that UPnP is off, and that your ports are in Stealth mode
Now sit back knowing you have done all you can to protect your network.
Will this work? I have had NAS devices since 2014 and not once have I ever had a Ransomware attack. (One of my NAS is a QNAP and they have been hit with lots of attacks). Good luck
mapawluk
Posts: 0
Joined: 02 Mar 2022, 01:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by mapawluk »

So it seems like we are out of options. Let's assume that one was to pay the ransom. Would the following steps then be: 1) Start decryption sequence, 2) Pull all decrypted files from the NAS, 3) 3x format the drives and install latest TOS, 4) follow the recommendations by Terramaster. I am peeved to no end, and my use on the NAS was limited to Plex, TNAS mobile app, EMBY and Transmission, but I can not hope and pray that some kind soul will be able to decrypt this nonsense. My photos are irreplaceable.
hgvandy
Posts: 0
Joined: 02 Mar 2022, 01:55

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by hgvandy »

I feel like I am in the same boat as mapawluk. I used it much the same, and backed up photos and other files I will need to get. This will cause me to do things very differently and is an expensive and painful lesson. I may need to pay for the decryption, but what guarantees are there that the files will be decrypted? I am done with Terramaster. Very disappointed I didn't receive a heads up of some kind weeks ago.
LaMosca
Posts: 0
Joined: 23 Jan 2022, 11:23

Re: Protect your TNAS being Attacked by Ransomware

Post by LaMosca »

Hello. I would like you to review what I have done. Perhaps it will be interesting for everyone who has a TNAS.

Currently my TNAS has access via web.

I cordially invite you to scan it. You will see that my TNAS is not reachable from many proxies or VPNs. It is also not accessible from many IPs in China, Russia and other places.

I created a script that automatically detects and blocks any TNAS attack attempts.

If you want, you can try it for yourself.

Obviously I prepared it in Spanish first.

I invite you to try to enter the TNAS in different ways. You will see how your IP address is automatically blocked after the attempt,
only allowing access to the available pages or links. Any other attempt to access another page will block the IP address.

We finished the Anti Scan web test satisfactorily. Anti Scan Web: soon available to everyone. No proxy or VPN accepted.

If you can see this link you are not blocked.
http://larry.serveftp.com/404/

Scan me now so you can be blocked quickly.
larry.serveftp.com

You can also get a list of IP addresses blocked by the script, and you can also implement it in your TNAS.
Note: these IP addresses have been blocked by TNAS for some attempt.

http://larry.serveftp.com/ayuda/

Cuenta ( account )

How can I access my panel

For now you can access the general account Account.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

hgvandy wrote:
> I feel like I am in the same boat as by mapawluk. I used it much the same,
> and backed up photos and other files I will need to get. This will cause me
> to do things very differently and an expensive and painful lesson. I may
> need to pay for the decryption, but what guarantees are there that the
> files will be decrypted? I am done with Terramaster. Very disappointed I
> didn't receive a heads up of some kind weeks ago.

The Deadbolt attack started a couple of days ago (on Terramaster), so why do you think you should have been warned weeks ago?
This thread was started due to a previous ransomware attack (called Echamonix) back in January.
Be aware that paying for the decryption fee does not guarantee you will get a decryption key that works. Although someone has developed a decryption tool that seems to work (after you have paid the ransom).
Software here: https://www.emsisoft.com/ransomware-dec ... s/deadbolt
QNAP forum re Deadbolt is here for more: https://forum.qnap.com/viewtopic.php?f= ... &start=735
Backing up to a single device is not the best strategy; the 3-2-1 rule is the best way to back up data. https://www.networkworld.com/article/35 ... right.html

What I do find unforgivable is that when Deadbolt hit QNAP, TM's software team should have checked the attack vector to see if TOS was vulnerable. They also don't seem to have reacted when Asustor NAS were also hit a few days before Terramaster.
mapawluk
Posts: 0
Joined: 02 Mar 2022, 01:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by mapawluk »

Charlie_Croker wrote:

> Be aware that paying for the decryption fee does not guarantee you will get a
> decryption key that works. Although someone has developed a decryption tool that
> seems to work (after you have paid the ransom). Software here
> https://www.emsisoft.com/ransomware-dec ... s/deadbolt QNAP forum re deadbolt
> is here
> https://forum.qnap.com/viewtopic.php?f= ... &start=735
> for more
> Backing up to a single device is not the best strategy, the 3-2-1 rule is the best
> way to backup data.
> https://www.networkworld.com/article/35 ... right.html

Charlie, I understand the risk associated with paying the ransom. The value of my children's happiest memories is worth the risk. As I understand the Emsisoft software, it ONLY works on the files once QNAP auto-updated the software, which removed the ransom screen. If you remove the ransom screen, you lose the option to enter the decrypt key, and thus get your files back. There are numerous examples on the QNAP forums of individuals retrieving their data; I aspire to join their ranks tonight.

I will update this thread on my success or failure in retrieving a decrypt key later tonight. My hope is that I will be successful, since any ransom threat is useless if a return of my files is not guaranteed. Once word gets out that files are gone for good, the hackers will not get paid. For this, I will be willing to take one for this team.

Can anyone confirm which BTC address they were given on their splash screen? My address is as below:
bc1q8wfud570k9rwymc3915x17pawygx6wyxhucxwp

My understanding is that this is a unique BTC address that is tied to some hardware signatures on each device.

I also have router logs from Sunday night thru Monday morning (GMT-6) that I can share. Perhaps the attack vector is buried in there somewhere. I'm just a dumb construction manager; perhaps there is information in my logs that can help the cause.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

LaMosca wrote:
>

What are we supposed to see? I can see a login page with Guest and password boxes, or if I change URL, I can see a script error. I don't get blocked though?