Urgent Notification about TNAS being Attacked by Ransomware

RobJVM
Posts: 10
Joined: 16 Jul 2021, 03:25

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by RobJVM »

Just restarted my TNAS device and the encryption screen shows this, good luck everyone. They're coming for EVERYONE.
____________________________________________________________

⚠️ Important Message for TERRAMASTER ⚠️
All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:

1) Make a bitcoin payment of 5 BTC to bc1qhkeecsgmzf2965fg57ll3enqyj7y094lxl5nzm:

You will receive all details about this zero-day vulnerability so it can be patched. A detailed report will be sent to support@terra-master.com.

2) Make a bitcoin payment of 15 BTC to bc1qhkeecsgmzf2965fg57ll3enqyj7y094lxl5nzm:

You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to support@terra-master.com.

Upon receipt of payment for either option, all information will be sent to you in a timely fashion.

There is no way to contact us.
These are our only offers.
Thanks for your consideration.

Greetings,
DEADBOLT team.
Ashley.S.
Posts: 4
Joined: 01 Mar 2022, 07:19
Great Britain

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Ashley.S. »

Not entirely happy that I've got hit as well, and when I got home to check what was up, I got greeted with the message above. It must have happened in the last 24 hours or so as it was fine at around 8pm yesterday. For now I've completely disconnected the system and will not connect it again until I hear otherwise. I'll be seeing if I can survey the damage once I can get the drives into my PC or laptop, which I hope won't be able to trigger the ransomware again, so I hope Terramaster can find some good news soon and issue some further guidance out to those affected.

On another note I've been struggling to register to use the forum, I'm having to use FireFox or Google Chrome. Microsoft Edge Chromium doesn't appear to want to work.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Asustor posted this, which might give a clue as to how the attack happens. In their case it seems to be via the EZconnect service.


https://forum.asustor.com/viewtopic.php?f=4&t=12639
Ashley.S.
Posts: 4
Joined: 01 Mar 2022, 07:19
Great Britain

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Ashley.S. »

Charlie_Croker wrote:
>
Thanks for the info. If I'd have known sooner, I might have taken more action to prevent this. I consider myself tech savvy, but not that tech savvy regarding ports and stuff. I will wait, hope and see if Terramaster have a patch or something or have some further advice to give so I can get my TNAS back online with a backup or something that I have from an old external hard drive :)
RobJVM
Posts: 10
Joined: 16 Jul 2021, 03:25

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by RobJVM »

Ashley.S. wrote:
> Not entirely happy that I've got hit as well, and when I got home to check
> what was up, I got greeted with the message above. It must have happened in
> the last 24 hours or so as it was fine at around 8pm yesterday. For now
> I've completely disconnected the system and will not connect it again until
> I hear otherwise. I'll be seeing if I can survey the damage once I can get
> the drives into my PC or laptop, which I hope won't be able to trigger the
> ransomware again, so I hope Terramaster can find some good news soon and
> issue some further guidance out to those affected.
>
> On another note I've been struggling to register to use the forum, I'm
> having to use FireFox or Google Chrome. Microsoft Edge Chromium doesn't
> appear to want to work.

I really doubt Terramaster is going to pay the $215K in bitcoin so we can at LEAST get our files back.
Bellcorp
Posts: 0
Joined: 01 Mar 2022, 07:45

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Bellcorp »

My NAS was attacked today. For now I cannot access it normally; I got in through my mobile and saw my files. It has affected the photos, music and some movies. I need a solution from Terramaster, since the security breach failure was clearly theirs. I need to be able to get into my NAS and retrieve my files.
Ashley.S.
Posts: 4
Joined: 01 Mar 2022, 07:19
Great Britain

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Ashley.S. »

As soon as I realised I had been attacked, I disconnected it from the internet and turned it off, meaning I couldn't use my PC via network drives to survey the damage. To be honest, I'm not overly concerned about the files that I may have lost but I will need to know exactly how much has been lost so I can gauge how far back backup wise I will need to go, assuming I might still have a backup somewhere.

All in all, I just want to know how safe it might be to reconnect my device again and what I may need to do to get it operational to secure. I am not expecting anyone to pay the ransom as that would be a stupid idea, no matter how desperate you are. This does, however, seem to suggest there is a vulnerability somewhere and ideally I would like assurances that something like this might be better protected in the future...
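
Added example, not part of any post in this thread: a read-only damage survey for drives mounted on another machine, the step discussed above. It assumes encrypted files carry the `.deadbolt` suffix publicly reported for this ransomware family (the thread does not state it) and treats their modification times as a rough indicator of when encryption ran; `survey`, `build_sample` and the sample tree are constructed for illustration.

```python
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

SUFFIX = ".deadbolt"  # assumption: publicly reported suffix, not stated in the thread


def survey(root, suffix=SUFFIX):
    """Count encrypted vs intact files per top-level folder without modifying anything."""
    hit, intact, mtimes = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked directories
        rel = os.path.relpath(dirpath, root)
        share = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))  # lstat never follows links
            except OSError:
                continue  # unreadable entry: skip it and keep surveying
            if name.lower().endswith(suffix):
                hit[share] += 1
                mtimes.append(st.st_mtime)  # heuristic: rewrite time of the encrypted copy
            else:
                intact[share] += 1
    window = (min(mtimes), max(mtimes)) if mtimes else None
    return {"encrypted": dict(hit), "intact": dict(intact), "window": window}


def build_sample(root):
    """Constructed sample tree (not real data): two folders, three encrypted files."""
    layout = {"photos/a.jpg.deadbolt": 1000, "photos/b.jpg.deadbolt": 1600,
              "photos/c.jpg": 500, "work/plan.docx.deadbolt": 1300, "work/notes.txt": 400}
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample(tmp)  # no path given: survey the constructed sample
        report = survey(sys.argv[1] if len(sys.argv) > 1 else tmp)
    print("encrypted:", report["encrypted"], "intact:", report["intact"])
    if report["window"]:
        print("window (UTC):", [datetime.fromtimestamp(t, timezone.utc).isoformat() for t in report["window"]])
```

Pass the mount point as the first argument, with the volume mounted read-only. The earliest timestamp in the window suggests which backup predates the encryption.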
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

If you have been infected, please advise others about what services, ports and router you use, this might help to isolate how the attackers are getting access.

For example:

Ports = Default

Port forwarding = 32117 both

TNAS.online = On

NAS Firewall Rules = None

Services: ftp = on , ssh=off, telnet=off

Router = ASUS AC68U
TimeKillr
Posts: 3
Joined: 01 Mar 2022, 08:56

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by TimeKillr »

I was hit - it seems like the attack happened this morning (I woke up to my TNAS' fan being loud but I figured it was just doing some maintenance).

From what I know, I had absolutely zero services enabled except Plex and SMB; I lost a ton of stuff, including a lot of work files.

This is absurd - I'm not paying 0.03BTC to recover my files, and I kind of expect Terramaster to pay up this idiotic ransom, especially since even if I do pay, I have absolutely ZERO guarantees I won't be hit again.

Deadbolt hit Terramaster earlier this month, and now they're hitting again; even if now I decide to say screw it and decrypt my NAS, what's to tell me that the vulnerability will be fixed? If Terramaster doesn't know what the vulnerability is, how can they be expected to patch it?

I also don't know why I just learned of this - Terramaster has my registration information, and when the initial attack happened in January, why didn't they send a mass email to all their customers with steps to potentially secure themselves?

My NAS is behind TWO routers, access to it is limited to my local network (I can't even log on to it externally!) and yet this happens.

From what I see on this forum last time they said "It's your fault if it's not secure"; all the passwords I have on the device are randomly generated and secure, the attackers are providing a solution to Terramaster (it's a lot of money, granted!) but we're still being left in the dark?

I'm really, REALLY disappointed.
deex
Posts: 6
Joined: 08 Aug 2021, 23:27

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by deex »

>> From what I see on this forum last time they said "It's your fault if it's not secure"; all the passwords I have on the device are randomly generated and secure, the attackers are providing a solution to Terramaster (it's a lot of money, granted!) but we're still being left in the dark<<

This is exactly what I feel, especially with the posts of Charlie Croker, not able to explain the correct format of IP table inputs but blaming users for a security hole that was not made by them. If your company data is on the NAS you can't just test around with IP formats; it might be possible that you cut off all connections and do not gain access again. I have worked a long time with Linux servers and trust me, you could do a lot of bad things with wrong IP table formats, especially if you have no recovery access as backup.


First of all, to my previous statement.

1) I have two firewalls, in my Cisco switch and in the router. The NAS was not exposed to the internet through the firewalls; I also checked it with external requests to my public IP... but well, it seems that it WAS possible.

2) To the rude questions why I did not change the port:
Because I DIDN'T KNOW about the risk of the issue. I got NO mail, no forced firmware upgrades, no info at all, and I have work to do; I haven't the time to check the forums here every day (think about if I had to do this for all my hardware).

The only thing that brought the issue to my attention was strongly blinking NAS LEDs, and I was on the way to check what was going on with my NAS.

A bit of luck for me:

I installed the drives in my Windows PC, installed Kali Linux via VMware, converted and mounted the RAID, and finally found my backup data intact. What's not so good is that I needed to buy some hard drives to merge my untouched data with my backup files.

So if I remember right, all that I had open was Samba.

I had a really bad day... but what makes me more sad is not what the hacker does... it is sad that all NAS systems have this extremely bad security status. It is a shame.