Urgent Notification about TNAS being Attacked by Ransomware

Official announcements and latest news, awards from media, and success stories.
peter.horsley
Posts: 3
Joined: 22 Feb 2021, 08:44

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by peter.horsley »

peter.horsley wrote:
> Short version: I see the word "ransomwar" (no e) in the HDMI
> console of a fresh install of TOS, downloaded from the official website. I
> took a photo of it which you can see via the below link. Can anyone
> explain this?
>
> https://www.dropbox.com/s/vp31acfsneabs ... r.jpg?dl=0
>
> Long version:
> I noticed there was kinsing miner evidence on my NAS, and then started
> seeing files getting created including a readme.txt stating "All files
> are gone" with my email address, so it looks like a ransomware attack
> was in progress. I was shocked to find out about UPNP default settings
> that mean the NAS is accessible to the public internet. I have now
> disabled UPNP on my router. Then I took out all HDDs, put them in another
> computer and deleted all partitions. Then I tried to boot TNAS again but
> it failed to get an IP address. So I plugged in HDMI and noticed it was
> stuck trying to boot off the internal USB. So I found the instructions on
> how to re-image the USB drive after several unsuccessful attempts, I
> found the dropbox link to the bzImage archive which did work (after
> changing grub-install to grub2-install in make_install). Once booted, I
> went to initialize, inserted HDDs, but it failed to install the latest TOS
> image 4.2.28 at 55%. I tried the 2nd latest image 4.1.27 and it succeeded.
> All this time I had the HDMI plugged to monitor progress. I noticed the
> word "ransomwar" appear as shown in the above photo on boot of
> 4.1.27 which is highly concerning considering this is a freshly imaged USB
> and freshly initialized TOS downloaded today with blank HDDs inserted.
> After upgrading to 4.2.28, I don't see that message on boot in the console
> anymore. It makes me wonder whether the official 4.1.27 contains
> ransomware!!
>
> Can support please explain what is shown in the photo please?

UPDATE:
Please ignore, I believe what happened is that my USB keyboard was plugged into the TNAS and I probably was searching these forums and typed "ransomwar" on the wrong keyboard, which echoes on the TNAS terminal. Sorry for the confusion.
titanrx8
Posts: 222
Joined: 17 Jul 2020, 06:17

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by titanrx8 »

New vulnerability discovered in Samba. Will this be addressed by TM?

https://kb.cert.org/vuls/id/119678
TMroy
TerraMaster Team
Posts: 2608
Joined: 10 Mar 2020, 14:04
China

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by TMroy »

Thank you for your information. We will check it and apply the new update.
To contact our team, please send an email to the following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
KHnats
Posts: 6
Joined: 06 Jul 2021, 23:04

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by KHnats »

This being investigated/addressed? I tried the new updated software but it didn't fix BackBlaze. Kindly provide a status update @TMROY

reply from @TMroy
***I think this issue has not been verified on our side, please create a new post so that it can be better followed up***
REBELinBLUE
Posts: 30
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

You should probably post it as a separate thread or contact them directly, not post it in a thread about a completely unrelated issue
Kapral38
Posts: 0
Joined: 11 Feb 2022, 00:47

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Kapral38 »

Please tell me. Does the ransomware virus encrypt files only on the NAS device or also on the computer to which it is connected?
firedrakes
Posts: 15
Joined: 05 Mar 2021, 10:48

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by firedrakes »

On that (not relating to the TerraMaster):
yes, ransomware can do that.
ChinChillaH
Posts: 0
Joined: 28 Feb 2022, 19:17

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by ChinChillaH »

Hello Terramaster Support,

This morning I wanted to look at my NAS F4-210. TOS is up to date. When I try to log in to my web GUI
I get this: WARNING! YOUR FILES HAVE BEEN LOCKED BY DEADBOLT

So I turned off the NAS. I have checked the access with SMB and SSH. It works.

I can see and access all of my files. It seems my files weren't encrypted? SSH login works fine too.

How can I reset my NAS? A current backup is ready.

I've never found any anti-virus or anti-malware software in the application shop on my NAS. How can I install AV software on my NAS in the future?

Please help!
Thank you
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Deadbolt affected QNAPs and Asustor and looks like a new attack vector on Terramaster! Secure your NAS, people

https://www.youtube.com/watch?v=KWGUW9w4FPo
https://nascompares.com/2022/02/21/asus ... ansomware/
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Asustor advised owners to do this if you discover your NAS has been attacked, and also some preventative stuff. (It's really worth changing from default ports on any NAS as it means port scans aren't very productive for hackers.)

In response to Deadbolt ransomware attacks affecting ASUSTOR devices, ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to will be disabled as the issue is investigated. For your protection, we recommend the following measures:

Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
Disable EZ Connect.
Make an immediate backup.
Turn off Terminal/SSH and SFTP services.

For more detailed security measures, please refer to the following link below:
https://www.asustor.com/en-gb/online/Co ... ?topic=353

If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.

https://docs.google.com/forms/d/e/1FAIp ... A/viewform
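
An added example, not part of the thread or of ASUSTOR's advisory: a small audit that reads `ss -tlnH` output from a NAS shell and flags listeners on the ports the advisory above says to change or turn off. It assumes `ss` is available on the device; port 22 for SSH/SFTP, the sample output, and the function names are assumptions made for illustration.

```python
# Added example: flag listeners the quoted advisory says to move or disable.
# Ports 8000/8001/80/443 come from the advisory text; 22 for SSH/SFTP is the
# conventional default and is an assumption here.
ADVISORY_PORTS = {
    8000: "default NAS web access port: change it",
    8001: "default NAS web access port: change it",
    80: "default remote web access port: change it",
    443: "default remote web access port: change it",
    22: "Terminal/SSH and SFTP: turn off (port 22 assumed)",
}

# Constructed sample of `ss -tlnH` output (not captured from a real device).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 511 [::]:8001 [::]:*
LISTEN 0 128 127.0.0.1:443 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 511 *:5443 *:*
"""

# Address prefixes that are only reachable from the device itself.
LOOPBACK = ("127.", "[::1]", "::1")

def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN line of `ss -tlnH` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Split on the last colon so bracketed IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners

def audit(ss_output):
    """List advisory-flagged ports bound to a non-loopback address."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in ADVISORY_PORTS and not addr.startswith(LOOPBACK):
            findings.append((port, addr, ADVISORY_PORTS[port]))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, advice in audit(SAMPLE_SS):
        print(f"{addr}:{port}  {advice}")
```

A clean result only means nothing is listening on those specific ports; a service moved to another port is still reachable if the router forwards it, so UPnP and port-forwarding rules need checking separately.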
