Recently, I followed advice to improve security and update the TOS on my F2-210 NAS. I clicked on update and selected online update for speed. The NAS was updated to TOS4.2.43-, and a few days later I discovered that all my files on this NAS were encrypted with IceFire ransomware.
I turned the box off instantly and checked whether there was more damage on the rest of the network. Hopefully, I have not found traces so far. But the NAS was bricked after a power cycle and the user files were gone.
I sent a message to technical support (as the reports of iFire are locked on this forum) and received a generic answer to follow good network practices and that the ransomware may spread on my network. No apologies that the ransomware is distributed by Terramaster.
In order to check that the ransomware is spread by the NAS, I rebuilt the bricked box with a USB flash image and online downloads of the TOS on an isolated network. Surprise, the TOS image came with IceFire pre-installed by Terramaster, and it encrypted some of its own files.
I have some screenshots from the newly installed TOS web interface, showing encrypted files everywhere and requesting payment for recovery. Each Linux directory contains a text file describing how to pay for recovery.
There are more pictures which can be accessed here: https://drive.google.com/drive/folders/ ... G94k4E7nvk
IceFire is a Linux ransomware which has recently been attacking Linux servers. Since Terramaster is running Linux, it likes it as the environment. But since my NAS is behind the NAT, which prevents inbound access, it looks like the virus is either spread with TOS or pulled by an outbound request from one of the standard TOS applications. I did not have such a problem with TOS 4.2.41, which was installed before.
I am reposting it here to help others not be caught by IceFire ransomware. Do NOT upgrade your TOS online; the manual download does not list version 4.2.43- and the other ones may be safe.
Ransomware IceFire in TOS 4.2.43 Encrypts the user files and itself
Re: Ransomware IceFire in TOS 4.2.43 Encrypts the user files and itself
If you have some basic background experience, you should know that the source code of the software is cross-compiled and stored in the database, and it is unlikely to be invaded by viruses. It is very likely that your TNAS had been hacked before the update, and the virus was activated after the system update.
Please refer to the guidance to improve your protective measures.
viewtopic.php?f=7&t=3031
To contact our team, please send an email to the following addresses, and remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
