The risk of malware infection is constantly rising, with new infections spreading rapidly. Recently, it has been learned that some TerraMaster users’ TNAS devices have been attacked by the ransomware Ech0raix (QNAPCrypt), causing their precious data to be encrypted and held for ransom. We express our regret for this and strongly condemn the attackers! This is a despicable act of harming the interests of others to obtain illegal income for oneself; this is a crime!
The ransomware Ech0raix (QNAPCrypt) was first reported in June 2020. It initially targeted QNAP's NAS devices. In 2020, more than 1,000 users were attacked in the United States alone. Now this ransomware is back and targets QNAP NAS devices again; unfortunately, it targets TerraMaster TNAS devices too.
The following are research articles about Ech0raix (QNAPCrypt):
https://www.anomali.com/blog/the-ech0raix-ransomware
https://securityaffairs.co/wordpress/10 ... -qnap.html
https://howtofix.guide/ech0raix-ransomw ... -qnap-nas/
https://www.bugsfighter.com/remove-ech0 ... ypt-files/
For vulnerabilities that may be exploited, TerraMaster has released new TOS updates to reduce the possibility of being attacked. TerraMaster will continue to find all possible vulnerabilities and maintain timely TOS updates.
Is there any way to prevent a ransomware attack from happening? Well, yes and no. There are certainly some precautions you should take to minimize the chances of malware infection, but nothing can guarantee you won’t be targeted. Any device exposed on the Internet with vulnerabilities or a weak password is at risk of being attacked.
You need to take immediate action to avoid threats to your important data:
1. Update your computer operating system to the latest version;
2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;
3. Be cautious when opening email attachments or clicking on files from unknown sources. Beware of suspicious files with hidden file extensions, such as ".pdf.exe"
4. Malware usually targets computers that use RDP (Remote Desktop Protocol). Please disable RDP on your computer, and disable SSH and Telnet on your TNAS when not using remote access;
5. Set a high security level password for all users;
6. Disable the system default administrator account, re-create a new administrator account, and set an advanced password;
7. Enable the firewall and only allow trusted IP addresses and ports to access your device, and avoid using default port numbers 5443(HTTPS) and 8181(HTTP), and modify to any other port between 5001-65535.
8. Enable automatic IP block on your TOS control panel to block IP addresses with too many failed login attempts;
9. Backing up data is the best way to deal with malicious attacks; always back up data, at least one backup to another device. It is strongly recommended to adopt a 3-2-1 backup strategy;
If, unfortunately, you have found that your data is infected by ransomware:
1. Disconnect your computer and TNAS device from the Internet immediately;
2. Before restoring data, thoroughly remove the infection in the computer system and TNAS; you need to restore your TNAS to factory settings and completely format all your hard drives;
3. Or you might try solutions here https://www.bugsfighter.com/remove-ech0 ... ypt-files/
More information about ransomware
https://enterprise.comodo.com/blog/how- ... ks-happen/
https://demotix.com/ransomware-attack/
How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
- sianderson
- Posts: 293
- Joined: 02 Aug 2020, 03:42
Re: How to protect yourself against encryption-based ransomware?
This is also why my USB backup drive is on a smart switch. It is actually turned off for most of the day, so if there was a ransomware attack it could not reach the backup drive; it only turns on in time for the backup and turns off not long after it would have completed.
Re: How to protect yourself against encryption-based ransomware?
@ TMroy, Thank you for the guidance.
RDP - I cannot find anything in Settings for this. Please advise how to disable RDP in TOS.
I disabled Telnet. I did allow SSH access with password. One of my ToDo items with my TNAS is to change the SSH security from password to keys. Given the reports of ransomware attack on TNAS's I'm going to do this ASAP.
Many owners of TNAS will appreciate a guide for setting up SSH access with keys (instead of password, which is less secure).
Firewall - Enabling the firewall will involve balancing convenience and security. It would be good to have some guide on how to enable the firewall in TOS while still allowing interaction between TNAS and other devices (mobile phone, laptop, etc.). Maybe do this for common scenario - for example "Enable TOS Firewall without Breaking Plex Media Server on TNAS". I don't know if this scenario exists in reality, just an example.
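One way to check that an SSH daemon no longer accepts passwords after the move to keys discussed above, as an added example that is not part of the original posts and is not TerraMaster code. It assumes an OpenSSH-style `sshd_config` (the thread does not say where TOS keeps this file) and upstream OpenSSH defaults; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not TerraMaster code): audit the global section of an
# sshd_config for the password-vs-key settings discussed in this thread.
# Assumptions: whitespace-separated "Keyword value" lines, no Include files,
# upstream OpenSSH defaults when a keyword is absent; names are hypothetical.
# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword (case-insensitive), so a
# later "PasswordAuthentication no" does not override an earlier "yes".
# Match blocks are conditional, so scanning stops at the first one.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { if (seen) print val; else print def }
    ' "$1"
}

# audit_sshd FILE: one line per finding; exit status is the finding count.
audit_sshd() {
    findings=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pw (password logins accepted)"
        findings=$((findings + 1))
    fi
    if [ "$pk" != "yes" ]; then
        echo "FAIL PubkeyAuthentication=$pk (key logins would be refused)"
        findings=$((findings + 1))
    fi
    case "$root" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FAIL PermitRootLogin=$root (root may log in with a password)"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: sshd would ignore the second PasswordAuthentication line.
sample_config() {
    printf '%s\n' 'Port 22' 'passwordauthentication yes' 'PermitRootLogin yes' \
        'PasswordAuthentication no' 'Match Address 192.0.2.0/24' \
        '    PubkeyAuthentication no'
}

if [ $# -gt 0 ]; then audit_sshd "$1"; fi
```

Where OpenSSH's `sshd -T` is available, it prints the daemon's own view of the effective configuration and is the authoritative cross-check for this audit.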
Re: How to protect yourself against encryption-based ransomware?
yerc1 wrote:
> @ TMroy, Thank you for the guidance.
>
> RDP - I cannot find anything in Settings for this. Please advise how to
> disable RDP in TOS.
>
> I disabled Telnet. I did allow SSH access with password. One of my ToDo
> items with my TNAS is to change the SSH security from password to keys.
> Given the reports of ransomware attack on TNAS's I'm going to do this ASAP.
>
> Many owners of TNAS will appreciate a guide for setting up SSH access with
> keys (instead of password, which is less secure).
>
> Firewall - Enabling the firewall will involve balancing convenience and
> security. It would be good to have some guide on how to enable the
> firewall in TOS while still allowing interaction between TNAS and other
> devices (mobile phone, laptop, etc.). Maybe do this for common scenario -
> for example "Enable TOS Firewall without Breaking Plex Media Server on
> TNAS". I don't know if this scenario exists in reality, just an
> example.
I'm pretty sure when referring to RDP they are talking about disabling it on personal computers.
- sianderson
- Posts: 293
- Joined: 02 Aug 2020, 03:42
Re: How to protect yourself against encryption-based ransomware?
That's correct. RDP (Remote Desktop) or (Remote Connection) could give an attacker access to your computer, which in turn gives them access to the NAS drive,
so it's more so about the bigger picture and not just the NAS drive itself.
Re: How to protect yourself against encryption-based ransomware?
[quote=joeh post_id=6601 time=1609115762 user_id=2728]
I'm pretty sure when referring to RDP they are talking about disabling it on personal computers.
[/quote]
[quote=sianderson post_id=6619 time=1609146265 user_id=2074]
That's correct. RDP (Remote Desktop) or (Remote Connection) could give an attacker access to your computer, which in turn gives them access to the NAS drive
[/quote]
I had a feeling that was the case.
The use of RDP, SSH and Telnet in one sentence ("Please disable RDP, SSH and Telnet when not using remote access") and in the current context is a bit vague - the question has to be asked.
Re: How to protect yourself against encryption-based ransomware?
yerc1 wrote: ↑29 Dec 2020, 07:48
> sianderson wrote: ↑28 Dec 2020, 17:04
> > That's correct. RDP (Remote Desktop) or (Remote Connection) could give an attacker access to your computer, which in turn gives them access to the NAS drive
>
> I had a feeling that was the case.
> The use of RDP, SSH and Telnet in one sentence ("Please disable RDP, SSH and Telnet when not using remote access") and in the current context is a bit vague - the question has to be asked.
Sorry for the confusion, we have modified it to be clearer!
Re: How to protect yourself against encryption-based ransomware?
Hello
TMroy wrote:
> [b]How to protect yourself against encryption-based
> 6. Disable the system default administrator account, re-create a new
> administrator account, and set an advanced password;
Please, can you provide us with further information about how to do that in TOS?
The "admin" account cannot be disabled as it is linked with the root account. Is there any trick to achieve that using the CLI?
Thanks
Re: How to protect yourself against encryption-based ransomware?
Spaniard wrote:
> Hello
>
> TMroy wrote:
> > [b]How to protect yourself against encryption-based
> > 6. Disable the system default administrator account, re-create a new
> > administrator account, and set an advanced password;
>
> Please, can you provide us with furthering information about how to do that in TOS?
> the "admin" account cannot be disabled as it is linked with the root
> account. Is there any trick to achieve that using the CLI?
>
> Thanks
That is correct. I didn't see a way to disable the admin account either. My F2-422 NAS is on firmware 4.2.07. The "Disable this user account" option is grayed out for the admin account. I am able to disable the guest account, which I did. All I did for the admin account is deny access to the folders I created.
Re: How to protect yourself against encryption-based ransomware?
joeh wrote:
> That is correct. I didn't see a way to disable the admin account either. My F2-422
> NAS is on firmware 4.2.07. The "Disable this user account" option is grayed
> out for the admin account. I am able to disable the guest account, which I did. All I
> did for the admin account is deny access to the folders I created.
As long as the root user and the Admin share the same password and php-fpm is run by root, there's not too much to do against these kinds of exploits.
TMRoy, is there any way of disabling HTTP on the NAS and enforcing HTTPS connections?