0XXX Virus

Please help.

My Cloud all files have been encrypted by Ransomware.

All your files have been encrypted with 0XXX Virus.
Your unique id: -
You can buy decryption for 300$USD in Bitcoins.
To do this:

  1. Send your unique id - and max 3 files for test decryption to iosif.lancmann@mail.ru
  2. After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
  3. After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.

Current Version 5.16.105
No, I don’t have backups =(

dswv42: Sorry but I don’t have IT knowledge only overall.
No ports open on the router.
I never shared my files with the public users and yes it is protected by a password.

The most interesting thing is that only files on mycloud.com infected with a virus.
My MacBook is clean

WD NAS users be on your guard because no one is safe from this attack !

My Ex2 NAS Public files has also been encrypted by 0xxx virus in July 2021.
WD did not assist me in identifying the source of such a serious security problem.
I have bkup of files and I just lost days of work to restore my files.
What is curious is that only files on the Public shared folder has been encrypted and not other folders. So, I deactivated the public sharing.
What is most troubling is the actual security of UltraEx2 NAS. As a security aware developer I don’t understand how the NAS has been infected. The NAS is firewall protected, the passwords are strong, there are no third parties applications, no other computers (Linux and OSX) has been infected on my home network. The virus encryption was made by the NAS processor as the files timestamps and the slow network it is installed on.
YES, this is very annoying not to know how it has been infected and it could be suspected that it was during a NAS firmware update, so WD responsibility.
MOREOVER, I have no idea if the virus has been deleted from the NAS OS and why it did only encrypt the Public folders.

Since then, I have installed the antivirus application and executes it every night but it has not detected any virus and I suppose it does not delete virus in the NAS OS but only in files.

Any advice to protect our NAS is very welcome !

2 Likes

Did you have a fix on this issue? I am facing the same issue last time but no response from anyone.

greatpeople

Hello, any updates on this issue? Only WD is impacted, since July, 17th. No issue on linked devices. This issue seems to comes from WD upgrades. Any way, known solution to restore encrypted files in 0xxx?

Same issue here.
I got hit by two ransomewares at the same time. so it’s quite hard to figure out what really happens to the data.

  • The Security Issue should be taken serious by WD. And as I see, the gate is still wide open. So what do you intend to do to fix it? And when will it be fixed?
  • There are so many out here who have been hit by this virus and all the data has been decrypted… don’t you thinkt there is a point where you should take care of your community to keep the strong name you have with wd?

My Backup has also been infected, so it’s kind a hard to solve this.

Here is Virus Number One:

All your files have been encrypted with 0XXX Virus.
Your unique id: {SOMEHASH}
You can buy decryption for 500$USD in Bitcoins.

To do this:

  1. Send your unique id {SOMEHASH} and max 3 files for test decryption to issak.nuton0071@mail.ru
  2. After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
  3. After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.

Also after payment we will give you some tips to protect yourself from this in the future.

And Virus number two has encrypted half of the data with the following file endings and empty files:
.[carnovaleimpres@dnmx.org].wah9Ahko

I trusted in WD and thought all my data will be save.
My Password is long and complicated… so this cannot be the issue.

Can you please give us a sight if s.b. has solved it?
Or if there is a way to recover Data?

I was trying to Restore it by using Stellar, and payed Money for it. but still, it pretty much looks like that doesn’t really work the way everybody is telling the no-techs on the internet.

thanks for taking a look at this!

It is critical for the community to know if you are running OS/3 (the old stuff) firmware or the OS/5 firmware (the new stuff).

In terms of your specific problem. . .yeah. . .you have an issue. This is usually the point where I would start thinking about backup disks.

In my case I upgraded to My Cloud OS 5 long before being infected in July.

I have stoped using public directories and have not been re-infected. Only public repositories were infected not the others one. Has others experienced the same problem with only public reps?

I am still convinced that infection was transmitted by a WD regular update.

I have heard about issues with public shares before. . . . .

. . . I don’t know, but I suspect that part of the problem may be open ports on the NAS device itself.

i’ve got an wonderful solution i did it to get rid of this
STEP 1 : go to your server with SSH client
STEP 2 : go to the file directory
STEP 3 : tape bash the click enter
STEP 4 : copy in a txt file

Blockquote

for f in *.mkv.0xxx;
do
mv – “$f” “${f%.mkv.0xxx}.mkv”
done

Blockquote

change mkv with the file extention (in my case all i did it with my mkv films then jpg then jpeg then mp4) then past it the ssh client and press Enter

This will bring back all your files in the right format.

WARNING you should locate 3 or 4 files that you did not put in your server they got names like -3xrfghjf for exemple and remove them.

hope it will help

Sorry, I don’t understand the procedure exactly. Could you explain it in more details? What do you do with “somefilename.mkv.0xxx.mkv”? what do you mean by “past it the ssh client and press Enter”?
Thanks

Hello,
I got infected too by this mysterious ransomware, only my two public folders got encrypted.
I found one an .exe file on one of the two folders.
I switched both folders to ‘private’, your solution eak0fr doesn’t work for me, it just rename files to original names, they are still encrypted.
I have “my cloud gen2” with os 5, I’m behind two nat, even my cloud apps doesn’t work for me, so I really don’t understand how it is possible for the villain to get access to my public folders.

In my case it just changed files extension to .0xxx (file_name.jpg for example becomes file_name.jpg.0xxx) , so all I had to do is rename files by deleting .0xxx
The command that I put earlier can rename all files at the same time.
Try to rename manually a file by deleting.0xxx if it works then the code that I did write will works for u too.

Do you know how to access your server from the shell ?

I understood what your script do, but unfortunately even after renaming files to original’s names, it doesn’t work for me, files seems to be corrupted/encrypted

I think I understood how I got trapped. Totally my fault, I made a very big mistake, few days ago I putted my NAS on the DMZ to try to get access to files work from the internet (still doesn’t), and I forgot to remove it from the DMZ.

So thanks to smb, the two public folders were accessible from the internet without any password!!!, I was lucky my other folders are protected with passwords, it could have been worse.

Logs files /var/log/user.log show a lot of connections these last days, it’s probably this one that got me :
2022-04-11T11:50:23.888185+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54642] connected to [Public] as user [nobody].
2022-04-11T11:50:24.686739+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54642] connected to [Transmission] as user [nobody].
2022-04-11T16:48:47.008909+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54783] connected to [Transmission] as user [nobody].
2022-04-11T16:48:47.047853+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54783] connected to [Public] as user [nobody].