Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Qwok
Posts: 6
Joined: 22 Feb 2024, 06:51


Post by Qwok »

Title says it all. Got Ransomware with 0.01 btc ransom. *** By LVT LOCKER ***
No port forwarding, only TNAS online.

Any recommendations?
TMroy
TerraMaster Team
Posts: 2607
Joined: 10 Mar 2020, 14:04
China

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by TMroy »

What is your TOS version?
And please refer to the following guide: viewtopic.php?f=7&t=2877&hilit=ransomeware
To contact our team, please send an email to the following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
dizzastaffy
Posts: 10
Joined: 26 Feb 2024, 17:45

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by dizzastaffy »

This just happened to me overnight.

I updated my firmware last night; it then seemed to enable these weak security settings again, and by morning all my files were encrypted with .lvt extensions.

Does anyone have the decrypter app? They want approx $500 USD for this.

Spoke to TerraMaster support and they said:

"So sorry for everything you've been through."

"We have been working hard to strengthen the security of TNAS devices.
To improve the security level, multiple security measures must be adopted. Even so, there is still no guarantee that your device is completely secure. A large number of devices are attacked by ransomware every day."
ldingo
Posts: 1
Joined: 26 Feb 2024, 15:00

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by ldingo »

Same here on an F5-220. I was hit yesterday (25 Feb 2024).

All movies, pictures and music "lost" (i.e. encrypted).

I was running TNAS software 4.2.08 (moved to 4.2.40 after the fact).
The TNAS was running a PLEX server.
While I limited access to the internal network only in the configuration, I discovered later on that UPnP enabled forwarding of ports 5443, 8181, 9091 and 8800 in the router (why this?), so the TNAS was indeed exposed even though protected by strong passwords.
No trace of any attack/strange connections from the router logs.
Hope that TOS 5 will be better protected (any info?).

If somebody has any clues on a way to decrypt, I am ready to try before nuking it and restarting from scratch.
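
The UPnP exposure described in the post above can be checked for by listing the router's port mappings and flagging every one that points at the NAS. This is an added example, not part of the original post or TerraMaster's tooling; it assumes a mapping table in the layout printed by miniupnpc's `upnpc -l`, and the sample listing, IP addresses and the `allowed` set are constructed.

```python
import re

# Constructed listing, modelled on the mapping table printed by miniupnpc's `upnpc -l`.
# The first four TCP ports are the ones named in the post; addresses, descriptions
# and rows 4 and 5 are made up for the example.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  5443->192.168.1.50:5443  'nas' '' 0
 1 TCP  8181->192.168.1.50:8181  'nas' '' 0
 2 TCP  9091->192.168.1.50:9091  'nas' '' 0
 3 TCP  8800->192.168.1.50:8800  'nas' '' 0
 4 UDP 51820->192.168.1.10:51820 'vpn' '' 0
 5 TCP 32400->192.168.1.50:32400 'media' '' 0
"""

MAPPING = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d+\.\d+\.\d+\.\d+):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

def parse_mappings(listing):
    """Yield one dict per port-mapping row; header and unrelated lines are skipped."""
    for line in listing.splitlines():
        m = MAPPING.match(line)
        if m:
            yield {"proto": m["proto"], "external": int(m["ext"]),
                   "host": m["host"], "internal": int(m["int"]), "desc": m["desc"]}

def unexpected_forwards(listing, nas_ip, allowed=frozenset()):
    """Return sorted (proto, external port) pairs forwarded to nas_ip that are not allowed."""
    return sorted(
        (row["proto"], row["external"])
        for row in parse_mappings(listing)
        if row["host"] == nas_ip and (row["proto"], row["external"]) not in allowed
    )

if __name__ == "__main__":
    for proto, port in unexpected_forwards(SAMPLE_LISTING, "192.168.1.50"):
        print(f"internet-facing {proto} port {port} is forwarded to the NAS")
```

An empty result for the NAS address is the state to aim for when the device is meant to be reachable from the internal network only.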
Qwok
Posts: 6
Joined: 22 Feb 2024, 06:51

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by Qwok »

I reinstalled the newest TOS 4 for the F4-210 (looks like no TOS 5 for that NAS), I think I kicked them out. Tried to email the hackers but no answers.
Now I completely cut the access to the internet for the NAS, only possible to connect via WireGuard VPN. I searched the internet, looks like it is quite a new ransomware.

My guess is they were able to connect to it via TNAS online.

It's crazy you can bruteforce TNAS online IDs on the website. Just by guessing some common words/passwords you can connect to them (e.g. banana, 123456789, homecloud etc.). I didn't find any slowdowns for testing IDs.
The website even gives information to the possible hacker if the ID is online, offline or doesn't exist.

THE NAS DOESN'T HAVE TO HAVE THE LATEST FIRMWARE

That is a huge security flaw.

TerraMaster should at least only allow TNAS online on the latest firmware.
Qwok
Posts: 6
Joined: 22 Feb 2024, 06:51

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by Qwok »

Edit: some more info:

Had zero port forwarding enabled, the only way someone could have connected is from TNAS online!
Qwok
Posts: 6
Joined: 22 Feb 2024, 06:51

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by Qwok »

@TMroy

Looks like I'm not the only one, and people with the latest firmware get this ransomware.
dizzastaffy
Posts: 10
Joined: 26 Feb 2024, 17:45

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by dizzastaffy »

It's prob worth people hit with the LVT Locker checking the public key left (personal key). It is likely they used unique ones for each victim, but if they used the same one it means if someone got the decrypter and private key, it would work for everyone to decrypt.

First 8 digits of my key: 8d25aaaf
Last 8 digits of my key: 3b76d868

This will be inside the file called: README_lvt_PersonalKey.txt
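
The comparison suggested in the post above can be scripted together with a basic scope check of the share. This is an added example, not code from the original post: it counts `.lvt` files, takes their earliest modification time as a rough start of the encryption run, and reduces each `README_lvt_PersonalKey.txt` to the same first/last 8 digits the poster published. The note's layout is not shown on the page, so treating the key as the longest hex string in the file is an assumption, and the demo tree is constructed.

```python
import os
import re
import tempfile

NOTE_NAME = "README_lvt_PersonalKey.txt"       # file name given in the post
PUBLISHED = ("8d25aaaf", "3b76d868")           # first/last 8 digits given in the post
HEX_RUN = re.compile(r"[0-9a-fA-F]{32,}")      # assumption: the key is one long hex string

def key_fingerprint(note_text):
    """Return (first 8, last 8) digits of the longest hex run in a note, or None."""
    runs = HEX_RUN.findall(note_text)
    if not runs:
        return None
    key = max(runs, key=len).lower()
    return key[:8], key[-8:]

def triage(root):
    """Count .lvt files, find their earliest mtime, collect key fingerprints from notes."""
    count, earliest, prints = 0, None, set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    fp = key_fingerprint(fh.read())
                if fp:
                    prints.add(fp)
            elif name.lower().endswith(".lvt"):
                count += 1
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {"encrypted": count, "earliest_mtime": earliest,
            "fingerprints": prints, "matches_published": PUBLISHED in prints}

def demo():
    """Run triage over a constructed share: two .lvt files, one clean file, one note."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "photos"))
        for rel in ("photos/a.jpg.lvt", "photos/b.jpg.lvt", "notes.txt"):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"constructed")
        os.utime(os.path.join(root, "photos/a.jpg.lvt"), (1000, 1000))
        os.utime(os.path.join(root, "photos/b.jpg.lvt"), (2000, 2000))
        with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write("Constructed note text\nkey: " + "AAAAAAAA" + "0" * 48 + "bbbbbbbb\n")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Run `triage()` against a read-only mount or a copy of the volume so that file timestamps are not disturbed before they have been recorded.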
dizzastaffy
Posts: 10
Joined: 26 Feb 2024, 17:45

Re: Tnas F4-210 got hit with Ransomware by *** By LVT LOCKER ***

Post by dizzastaffy »

This appears to be the source code on a Chinese site

https://cert.360.cn/report/detail?id=65 ... 5b91b17dc4

It lists 3x CVEs, which are the security vulnerabilities in the TerraMaster firmware which allow remote code execution on the NAS by the attacker, which then runs the code.

TerraMaster are playing this down as a user config issue when it is not. The vulnerabilities go back to 2020-2022 with the firmware versions.

All three of these issues are listed in the source code.

https://nvd.nist.gov/vuln/detail/CVE-2020-28188

https://nvd.nist.gov/vuln/detail/CVE-2022-24989

https://nvd.nist.gov/vuln/detail/CVE-2022-24990