Ransomware IceFire in TOS 4.2.43 Encrypts the user files and itself
Posted: 11 Sep 2023, 08:53
Recently, I followed an advice to improve security and update the TOS on my F2-210 NAS. I clicked on update and selected online update for speed. The NAS was updated to TOS4.2.43-, and few days later I discovered that all my files on this NAS were encrypted with IceFire ransomware.
I turned the box off instantly and checked if there is more damage on the rest of network. Hopefully, I did not found traces so far. But the NAS was bricked after power cycle and user files were gone.
I sent the message to technical support (as the reporting of iFire are locked on this forum) and received generic answer to follow good network practices and that the ransomware may spread on my network. No apologies that the ransomware is distributed by Terramaster.
In order to check that the ransomware is spread by the NAS, I rebuilt bricked box with USB flash image and online downloads of the TOS on isolated network. Surprise, the TOS image came with the IceFire pre-installed by Terramaster, and it encrypted some of its own files.
I have some screenshots from the newly installed TOS web interface Image, showing encrypted files everywhere and requesting to pay for recovery. Each Linux directory contains the text describing how to pay for recovery.
There are more pictures which can be accessed here: https://drive.google.com/drive/folders/ ... G94k4E7nvk
IceFire is a Linux ransomware which recently attacks linux servers. Since Terramaster running Linux, it likes it as the environment. But since my NAS is behind the NAT which prevents inbound accesses, it looks that the virus is either spread with TOS or pulled by outbound request from one of the standard TOS applications. I did not have such problem with TOS 4.2.41 which was installed before.
I am reposting it here to help other not be caught by IceFire ransomware. Do NOT upgrade your TOS online, manual download does not list version 4.2.43- and the other ones may be safe.
I turned the box off instantly and checked if there is more damage on the rest of network. Hopefully, I did not found traces so far. But the NAS was bricked after power cycle and user files were gone.
I sent the message to technical support (as the reporting of iFire are locked on this forum) and received generic answer to follow good network practices and that the ransomware may spread on my network. No apologies that the ransomware is distributed by Terramaster.
In order to check that the ransomware is spread by the NAS, I rebuilt bricked box with USB flash image and online downloads of the TOS on isolated network. Surprise, the TOS image came with the IceFire pre-installed by Terramaster, and it encrypted some of its own files.
I have some screenshots from the newly installed TOS web interface Image, showing encrypted files everywhere and requesting to pay for recovery. Each Linux directory contains the text describing how to pay for recovery.
There are more pictures which can be accessed here: https://drive.google.com/drive/folders/ ... G94k4E7nvk
IceFire is a Linux ransomware which recently attacks linux servers. Since Terramaster running Linux, it likes it as the environment. But since my NAS is behind the NAT which prevents inbound accesses, it looks that the virus is either spread with TOS or pulled by outbound request from one of the standard TOS applications. I did not have such problem with TOS 4.2.41 which was installed before.
I am reposting it here to help other not be caught by IceFire ransomware. Do NOT upgrade your TOS online, manual download does not list version 4.2.43- and the other ones may be safe.