Page 4 of 5
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 20 Mar 2022, 03:14
by NecNem
So after receiving a response from TM via email, I got the impression we are left on our own to just reformat; lose all files and update the system on the NAS, or pay up and hope the key works.
I've now updated the system and reformatted everything.
The guides on how to improve security have helped to a point, I have;
-Updated to the latest version (I downloaded the 4.1.32_2008031214 that was in the guide but the system says its version is 4.2.30-2203011629)
-Changed the default port from
-Added a rule to the firewall on the NAS to allow my own IP (can anyone please confirm if doing this rejects all other inbound requests that are not my IP or if not, how to do that)
-Disabled UPnP
However;
-TNAS does not allow me to remove or disable the default admin user.
I have added a new Admin user, given it a strong password and full access; then I have given the default Admin and guest ridiculous passwords and removed access rights to everything I can.
Is this sufficient? If not how do I delete the default user?
On the front page of the TOS webviewer it says Internet is Disconnected on the status box with the device details and resource/storage data. I assume this is a good sign that the device cannot access the web?
Is there anything further I need to do before I start bothering to put files on this again?
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 20 Mar 2022, 17:16
by RyanYang
You need to install 4.2.30 to customize the user on initialization.
Download address:
https://support.terra-master.com/download
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 26 Mar 2022, 12:56
by KHnats
NecNem wrote:
> Actually, I wrote all this before after I first got hacked on this forum, under username Stanhk. I got kicked off the forum for asking critical questions. I also posted this months ago on the TerraMaster Reddit.
I hear you, you wanted to know all this before getting hacked but I am sorry to say that the information is out there already.
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 26 Mar 2022, 13:13
by KHnats
deex wrote:
> @mbucayr
>
> See this thread
>
>
viewtopic.php?f=6&t=2877
>
> @KHnats
>
> Did Snapshots in practice helped you to recover of it?
Yes, largely it did.
I have two TerraMaster. One is the main drive, the other is the backup. Backup is twice daily. They are on two different locations on different internet connected via VPN. The back-up machine also does incremental updates to online storage.
Only files we lost were the ones we were working on, unless the employee was still having the document open on their machine or made a local copy. Eventually the losses were limited.
One key message, keep your TerraMaster on intranet only and if you want remote access, use VPN to access your intranet.
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 27 Mar 2022, 17:43
by Roccia7
It's probably a stupid question, but I try.
Could you insert a security function where if TOS detects a high cpu usage the nas restarts? I noticed that the ransomware makes the cpu work a lot, and rebooting could possibly prevent the files from being encrypted. It could be done?
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 22 Apr 2022, 00:07
by Miawhite
thank for the steps and instructions on what to do
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 11 May 2022, 00:32
by renj86
For safety, where are the ransomware located? If I want to erase everything on the hard drives and start from clean, what shall I do to format the Raid 1 drives? I have F2-210.
Thanks.
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 11 May 2022, 05:01
by titanrx8
Roccia7 wrote:
> It's probably a stupid question, but I try.
> Could you insert a security function where if TOS detects a high cpu usage
> the nas restarts? I noticed that the ransomware makes the cpu work a lot,
> and rebooting could possibly prevent the files from being encrypted. It
> could be done?
There are other processes that spike CPU to 100% other than ransomware. For example, the file integrity check for RAID that runs on boot up spikes the CPU so you'd end up in a cycle of reboots every time you start the system.
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 21 Jun 2022, 19:43
by TM220user
chourmovs wrote:
>
>
> Yes if you power on it should continue to encrypt
> You have to reinstall/update system to fix this
Well, it looks like I just tripped the activation of mine starting to encrypt (was doing a reboot to add a SSD).
After the reboot, I no longer had access to any of my user accounts (including my 'admin' account that was setup under the new "protection" supposedly offered by the 4.2.30+ OS 'improvements' LMAO. What a farce.
I was running 4.2.32-2203011626 according to the screenshot I took literally before rebooting. (it was up for 36 days before this morning, so whatever happened, happened RECENTLY, and on the current TOS.)
I had NO access allowed to anything publicly. I only access it LOCALLY. (And most of those options were supposed to be disabled [by me]: for example: UPnP, SMB, FTP, WebDAV, RSync, etc)
So I *thought* I had everything locked down pretty well... The only way I can see it being accessible is via whatever backdoor TerraMaster themselves built in (for things like phoning home to check for software updates, or for them to access our machine to 'assist' in whatever problem arises via their support team we see so often mentioned; "contact our support team so they can have a look...")
Anyways, the reason I'm writing is to say that even the current TOS 'os' is NOT SECURED YET against getting locked out of your system and having files encrypted.
I've about had my fill of this "OS".
Re: How to protect your TNAS from Deadbolt ransomware?
Posted: 22 Jul 2022, 06:59
by titanrx8
TM220user wrote: ↑21 Jun 2022, 19:43
chourmovs wrote:
>
>
> Yes if you power on it should continue to encrypt
> You have to reinstall/update system to fix this
Well, it looks like I just tripped the activation of mine starting to encrypt (was doing a reboot to add a SSD).
After the reboot, I no longer had access to any of my user accounts (including my 'admin' account that was setup under the new "protection" supposedly offered by the 4.2.30+ OS 'improvements' LMAO. What a farce.
I was running 4.2.32-2203011626 according to the screenshot I took literally before rebooting. (it was up for 36 days before this morning, so whatever happened, happened RECENTLY, and on the current TOS.)
I had NO access allowed to anything publicly. I only access it LOCALLY. (And most of those options were supposed to be disabled [by me]: for example: UPnP, SMB, FTP, WebDAV, RSync, etc)
So I *thought* I had everything locked down pretty well... The only way I can see it being accessible is via whatever backdoor TerraMaster themselves built in (for things like phoning home to check for software updates, or for them to access our machine to 'assist' in whatever problem arises via their support team we see so often mentioned; "contact our support team so they can have a look...")
Anyways, the reason I'm writing is to say that even the current TOS 'os' is NOT SECURED YET against getting locked out of your system and having files encrypted.
I've about had my fill of this "OS".
Sorry to hear this. If you were running btrfs with snapshots you might be able to roll back to a time period prior to crypto. Others have reported this to work.
Initially, when these cryptos were attacking other NAS brands I bought and installed a standalone firewall. I had previously written rules for the TNAS Firewall that prevented all remote access but noticed that it took several minutes after bootup before the firewall rules were activated. This seemed too risky to me so added the external firewall. This way, all remote traffic has to hit the firewall first. Using the TOS firewall rules, the attacking packets are already on your network and it's up to TOS to reject them.
Your suspicion about phone home possibilities are correct. My Firewall blocks numerous outbound flows from my TOS servers everyday. My Firewall blocks everything to or from the TOS machines that isn't local.