Page 6 of 34
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 11:23
by Saijin_Naib
TMSupport wrote:
> Yes, if you set a "Allow" rule, then the IP that does not match this rule will be reject.
Is it possible to also set up "Drop" like OpenWRT? From what I understand, this is more secure as the device never actually acknowledges the attempted connections.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 14:24
by demetry14
I am curious to know if the attacks on TM devices are fueled by the TM unchecked, but requested third party app developments? But since TM refused requests to check and certify apps over a year ago, I guess we would never know.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 15:49
by TMSupport
PenguinzOnQuack wrote: ↑11 Jan 2022, 23:41
I actually need more help than I realised.
4. Disable the UPnP function on your TNAS.
How?
5. Disable RDP, SSH and Telnet when not in use;
How?
6. Change the default port of FTP.
To what?
8. Disable the system default admin account, re-create a new admin account, and set an advanced password;
How?
9. Enable firewall and only allow trusted IP addresses and ports to access your device;
How do we enable the fire wall and set up the trusted IP address. I use this has a Plex server, will this be affected?
10. Avoid using default port numbers 5443 for https and 8181 for http;
To what?
A step by step guide would be very useful
Hi! You can refer to the detailed description of the
notification.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 16:03
by Jac de Lad
Point 8. Come on, you can't expect us all to reinstall the system just to be able to throw out the default administrator?!
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 17:04
by Charlie_Croker
Jac de Lad wrote:
> Point 8. Come on, you can't expect us all to reinstall the system just to
> be able to throw out the default administrator?!
I'm shocked that this appears to be the solution.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 17:13
by Charlie_Croker
This is my work around to the admin account issue. Its the best I can come up with at this time.
1. Ensure you have another working account with admin privileges setup.
2. Give the default "admin" account a very strong password (use a password manager if needed to suggest one).
3. Control Panel/ User/Permission (Default admin account) , tick the boxes Deny for all shares.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 17:26
by Jac de Lad
I already have done that...but it's still present, so it's an unnecessary thread.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 17:45
by TMSupport
Hi! Taking a variety of preventive measures can reduce the risk of being attacked, but still cannot guarantee that your device is completely secure. A large number of devices are attacked by ransomware every day, including Terramaster, QNAP, Synology, and even the servers of some large enterprises or government agencies. We will continue to study how ransomware penetrates TNAS devices and will release updates in a timely manner.
https://unit42.paloaltonetworks.com/ech ... ware-soho/
https://www.bankinfosecurity.com/qnap-t ... re-a-18277
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 17:50
by TMSupport
This attack is an organized attack on TNAS, a variant of the eCh0raix virus, which usually uses weak passwords or vulnerabilities to attack victims. This time, Synology and QNAP NAS devices were also attacked.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Posted: 13 Jan 2022, 18:53
by TMSupport
NavinKanus wrote: ↑13 Jan 2022, 11:04
Can someone explain the steps to wipe and re-initialize my tnas device?
I know I lost my most valuable memories and documents but I want to get back to my work.
Hi! Since the ransomware creates a random sequence as the AES Key, and then encrypts the previously generated AES Key with the locally generated RSA public key, and uses the AES CFB algorithm to encrypt the files in the infected device, each encrypted device uses a different key. Likewise, once files are encrypted by ransomware, there is usually no way to decrypt them. If your data is so important that you need to get it back, paying the ransom might be the only way. It's worth reminding that even paying the ransom is not a 100% guarantee that your data will be rescued.
If you are not willing to pay the ransom, intend to give up the encrypted data. You can go to Control Panel > Storage, delete volumes and storage pools, and restore the system to factory settings.