After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.
dswv42: Sorry but I don't have IT knowledge only overall.
No ports open on the router.
I never shared my files with the public users and yes it is protected by a password.
WD NAS users be on your guard because no one is safe from this attack !
My Ex2 NAS Public files have also been encrypted by 0xxx virus in July 2021.
WD did not assist me in identifying the source of such a serious security problem.
I have bkup of files and I just lost days of work to restore my files.
What is curious is that only files on the Public shared folder have been encrypted and not other folders. So, I deactivated the public sharing.
What is most troubling is the actual security of UltraEx2 NAS. As a security aware developer I don't understand how the NAS has been infected. The NAS is firewall protected, the passwords are strong, there are no third-party applications, no other computers (Linux and OSX) have been infected on my home network. The virus encryption was made by the NAS processor as the files timestamps and the slow network it is installed on.
YES, this is very annoying not to know how it has been infected and it could be suspected that it was during a NAS firmware update, so WD responsibility.
MOREOVER, I have no idea if the virus has been deleted from the NAS OS and why it did only encrypt the Public folders.
Since then, I have installed the antivirus application and execute it every night but it has not detected any virus and I suppose it does not delete virus in the NAS OS but only in files.
Hello, any updates on this issue? Only WD is impacted, since July, 17th. No issue on linked devices. This issue seems to come from WD upgrades. Anyway, known solution to restore encrypted files in 0xxx?
Same issue here.
I got hit by two ransomwares at the same time, so it's quite hard to figure out what really happens to the data.
The Security Issue should be taken seriously by WD. And as I see, the gate is still wide open. So what do you intend to do to fix it? And when will it be fixed?
There are so many out here who have been hit by this virus and all the data has been decrypted... don't you think there is a point where you should take care of your community to keep the strong name you have with wd?
My Backup has also been infected, so it's kind of hard to solve this.
Here is Virus Number One:
All your files have been encrypted with 0XXX Virus.
Your unique id: {SOMEHASH}
You can buy decryption for 500$USD in Bitcoins.
To do this:
Send your unique id {SOMEHASH} and max 3 files for test decryption to issak.nuton0071@mail.ru
After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.
Also after payment we will give you some tips to protect yourself from this in the future.
And Virus number two has encrypted half of the data with the following file endings and empty files:
.[carnovaleimpres@dnmx.org].wah9Ahko
I trusted in WD and thought all my data will be safe.
My Password is long and complicated... so this cannot be the issue.
Can you please give us a sight if s.b. has solved it?
Or if there is a way to recover Data?
I was trying to Restore it by using Stellar, and paid Money for it. But still, it pretty much looks like that doesn't really work the way everybody is telling the no-techs on the internet.
In my case I upgraded to My Cloud OS 5 long before being infected in July.
I have stopped using public directories and have not been re-infected. Only public repositories were infected, not the other ones. Have others experienced the same problem with only public reps?
I am still convinced that infection was transmitted by a WD regular update.
I've got a wonderful solution, I did it to get rid of this
STEP 1 : go to your server with SSH client
STEP 2 : go to the file directory
STEP 3 : type bash then press Enter
STEP 4 : copy in a txt file
```
for f in *.mkv.0xxx; do
    # strip the trailing .0xxx so the file gets its original name back
    mv -- "$f" "${f%.mkv.0xxx}.mkv"
done
```
change mkv with the file extension (in my case I did it with my mkv films then jpg then jpeg then mp4) then paste it into the ssh client and press Enter
This will bring back all your files in the right format.
WARNING you should locate 3 or 4 files that you did not put in your server, they got names like -3xrfghjf for example, and remove them.
Sorry, I don't understand the procedure exactly. Could you explain it in more details? What do you do with "somefilename.mkv.0xxx.mkv"? What do you mean by "paste it into the ssh client and press Enter"?
Thanks
Hello,
I got infected too by this mysterious ransomware, only my two public folders got encrypted.
I found an .exe file in one of the two folders.
I switched both folders to "private". Your solution, eak0fr, doesn't work for me, it just renames files to original names, they are still encrypted.
I have "my cloud gen2" with os 5, I'm behind two nat, even my cloud apps don't work for me, so I really don't understand how it is possible for the villain to get access to my public folders.
In my case it just changed files extension to .0xxx (file_name.jpg for example becomes file_name.jpg.0xxx), so all I had to do is rename files by deleting .0xxx
The command that I put earlier can rename all files at the same time.
Try to rename manually a file by deleting .0xxx, if it works then the code that I did write will work for you too.
I understood what your script does, but unfortunately even after renaming files to original names, it doesn't work for me, files seem to be corrupted/encrypted
I think I understood how I got trapped. Totally my fault, I made a very big mistake, few days ago I put my NAS on the DMZ to try to get access to files work from the internet (still doesn't), and I forgot to remove it from the DMZ.
So thanks to smb, the two public folders were accessible from the internet without any password!!!, I was lucky my other folders are protected with passwords, it could have been worse.
Logs files /var/log/user.log show a lot of connections these last days, it's probably this one that got me :
2022-04-11T11:50:23.888185+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54642] connected to [Public] as user [nobody].
2022-04-11T11:50:24.686739+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54642] connected to [Transmission] as user [nobody].
2022-04-11T16:48:47.008909+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54783] connected to [Transmission] as user [nobody].
2022-04-11T16:48:47.047853+02:00 di=muE66CV61R 6 WDMyCloud SAMBA: CIFS: [ipv4:5.44.40.215:54783] connected to [Public] as user [nobody].
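An added example, not part of the original post: a shell filter for log lines in the format quoted above that counts guest (user [nobody]) SMB sessions arriving from non-private IPv4 addresses, which is the sign that a share is reachable from the internet. The sample lines are constructed with documentation addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample in the layout of the user.log lines quoted above.
# The last line (named user) is an assumed format, included to show the filter.
sample_log() {
cat <<'EOF'
2022-04-11T11:50:23.888185+02:00 di=EXAMPLE 6 WDMyCloud SAMBA: CIFS: [ipv4:203.0.113.7:54642] connected to [Public] as user [nobody].
2022-04-11T11:52:01.120000+02:00 di=EXAMPLE 6 WDMyCloud SAMBA: CIFS: [ipv4:192.168.1.20:50111] connected to [Public] as user [nobody].
2022-04-11T16:48:47.008909+02:00 di=EXAMPLE 6 WDMyCloud SAMBA: CIFS: [ipv4:198.51.100.9:54783] connected to [Transmission] as user [nobody].
2022-04-11T16:48:47.047853+02:00 di=EXAMPLE 6 WDMyCloud SAMBA: CIFS: [ipv4:203.0.113.7:54783] connected to [Public] as user [nobody].
2022-04-11T17:02:10.500000+02:00 di=EXAMPLE 6 WDMyCloud SAMBA: CIFS: [ipv4:203.0.113.7:54900] connected to [Docs] as user [alice].
EOF
}

# Succeeds for RFC 1918, loopback and link-local IPv4 addresses.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads log text on stdin; prints "count ip share" for every external
# address that opened a share as the unauthenticated guest account.
external_guest_sessions() {
    sed -n 's/.*SAMBA: CIFS: \[ipv4:\([0-9.]*\):[0-9]*] connected to \[\(.*\)] as user \[nobody]\..*/\1 \2/p' |
    while read -r ip share; do
        is_private_ipv4 "$ip" || printf '%s %s\n' "$ip" "$share"
    done | sort | uniq -c | sed 's/^ *//'
}

sample_log | external_guest_sessions
```

On the NAS itself the same function can read the real file: `external_guest_sessions < /var/log/user.log`.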
Hi.
I think the suffix only works for non-office files. They encrypt all office based files (.docx, .pptx, etc), then change the suffix to other type of files.
That's why it does not work in some cases.
Frank
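Added example, not from the thread: the replies above report that stripping .0xxx brings some files back while others stay unreadable. This script compares each file's first bytes with the well-known signature for its original extension and renames only the files that match; the function names are hypothetical, and a matching header does not prove the rest of the file is intact.

```shell
#!/bin/sh
# First 12 bytes of a file as a lowercase hex string.
magic_hex() { od -An -tx1 -N12 "$1" | tr -d ' \n'; }

# Hex signature expected at offset 0 for a given (lowercase) extension.
expected_magic() {
    case "$1" in
        jpg|jpeg)           echo ffd8ff ;;
        png)                echo 89504e47 ;;
        pdf)                echo 25504446 ;;
        mkv|webm)           echo 1a45dfa3 ;;
        docx|xlsx|pptx|zip) echo 504b0304 ;;
        *)                  return 1 ;;
    esac
}

# $1 is a path such as photo.jpg.0xxx; prints renamed-only,
# content-changed, or unknown (no signature listed for that extension).
classify() {
    orig=${1%.0xxx}
    ext=$(printf '%s' "${orig##*.}" | tr 'A-Z' 'a-z')
    want=$(expected_magic "$ext") || { echo unknown; return; }
    case "$(magic_hex "$1")" in
        "$want"*) echo renamed-only ;;
        *)        echo content-changed ;;
    esac
}

# Scan one directory (not recursive). Rename only files whose header still
# matches, never overwrite an existing file, and report every decision.
restore_verified() {
    for f in "$1"/*.0xxx; do
        [ -e "$f" ] || continue
        state=$(classify "$f")
        if [ "$state" = renamed-only ] && [ ! -e "${f%.0xxx}" ]; then
            mv -- "$f" "${f%.0xxx}"
        fi
        printf '%s\t%s\n' "$state" "$f"
    done
}

if [ "$#" -gt 0 ]; then restore_verified "$1"; fi
```

Files reported as content-changed or unknown are left untouched, so they can be kept aside for restore from backup.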
I think so. All my "Public" shares are infected, others are not. I changed to not be "Public" anymore, and erased one of my disks. Hope this will help.
To be honest, I hated the idea of "Public" share, and I cannot even remove this stupid share.
I also disabled auto-update. Hope this will work...