My company also keeps virtually all long-term archives on WD drives. Even though they’re the non-Live version, they’re now afraid to access the archives, on the off chance that something else is compromised. Some people who had the time to react and unplug - what reassurance can they have that this type of thing won’t happen again? Who would buy another WD Live drive after this? Also, as it turns out, it is not possible to deactivate a Live account without writing to technical support. Meaning that if their repository contained any log data, IP information etc., then you can’t even erase yourself from their servers without explicit permission. I’ve lost 2TB today of non-essential and easily recoverable material, but I guarantee the majority is not that fortunate. I know many families who keep their photo albums on their devices, family videos, important documents. The luckiest are those who didn’t trust them with anything more than their music collections, but I know even that can be devastating. I’m surprised this isn’t headline news everywhere. I hear in corporate communications that many businesses are affected. This is not ransomware, but in a sense it is even worse. And it targets everyone indiscriminately. I haven’t seen an attack of such scale since CIH in 1999.
I just created an account on this forum to tell you what I’m currently trying, if anyone might want to try this as well. I had my WD MBL seemingly wiped today as well, but I saw someone mention that the partition table was just changed, not all the data. I am attempting to use a tool called DiskInternals Linux Recovery on Windows to see if it can redetect any files. I’m not entirely sure if it can work because (from what I remember from OS class) the Linux filesystem keeps a record of files in multiple blocks, including location and size, and it might be that the records would have to be reconstructed for any of the data to make sense. However, Linux also uses multiple records in different blocks on the filesystem, so it’s possible only the root record got erased. Here’s the software if you want to try it: https://www.diskinternals.com/linux-recovery/. To get the MBL onto my computer I disassembled my WD MBL and connected the disk to my Windows PC with an external disk reader (I actually upgraded the original disk to a WD Blue). A note on the software: it might be a trial version, so it might limit or prevent retrieving the files if you don’t pay (but it should be able to show which files it sees for free). If I see anything important on my disk I might actually buy the software to get the data back (usually data recovery software isn’t free anyway, but if you know of any then I’d like to know).
Had no luck with software like DiskGenius or Recuva.
I’m down to testdisk/photorec. I’m hopeful that I’ll get my dearly missed files and not just the ■■■■ I didn’t miss. But it works. Very low level, but it works.
Did they email you directly, did it look like this?
My emails have been removed
I am pretty sure this is spam relating to the incident? Look at the email address, and the link doesn’t appear to go to a valid WD site.
Is this real or part of the compromise?
I have a WD My Cloud, also pretty old. Should I be worried that it might share the same vulnerability? I’ve disconnected the device for now just to be sure.
Edit: ah, having said that, when I first created a support account I got a confirmation e-mail from firstname.lastname@example.org
I don’t think I actually clicked on any of the links in that mail though; I just logged on via the website.
Apparently it was real and a support ticket was made for me. They called me “valued customer” in my support profile, that’s why it says Dear Valued. I would recommend to everyone that if they do get an email, they not click the links and instead go to the support page in their browser, just in case.
The support ticket basically asks for my logs and the serial number of the device, and tells me to unplug the device (around 24 hours after it wiped my data, so a bit late).
I will be instigating something. Once I’ve picked myself up and focused on any potential recovery, the next thing I will be doing is seeking compensation for all the puking I’ve done in the last 24 hours; make no mistake about it, I will certainly be seeking some legal action.
My My Book Live is also wiped. Luckily I think I’ve backups of most of my stuff; really feeling for those who have lost their data.
Are there any thoughts about longer-term options for making use of the MBL (assuming WD won’t update the firmware)? Would installing OpenWrt prevent a recurrence of this issue?
Just spoke to customer services. Absolutely nothing more to add other than ‘our engineering teams are actively investigating this issue’.
I would disconnect and back up your data before connecting it all back up again.
Keep us all posted please.
Is this problem also related to other NAS in WD’s product line? I have just ordered a WD My Cloud EX2…
Right now I wouldn’t trust any WD NAS until there is verification that it is safe.
One thing I need to find out is if these drives send telemetry to WD in the background. I’m betting that they do. If that’s the case then I would look very sharply at the idea that this could have originated from compromised WD servers.
I’m just struggling to figure out how all these specific drives were being injected with SSL scripts worldwide and it all happening very rapidly, within a space of a few hours. That leads me to suspect that whatever the source was of this attack, it must have already had existing access to these drives since the IP addresses were needed to execute that script.
I find it very concerning to read that some users are reporting that they were hit by this while they had remote features disabled. Although I have a different device, I’m keeping it fully disconnected until we know more.
Yep, same here. In Australia. Happened exactly at 7.10am on Thursday morning Western Australia time. I was actually watching it go from blue to yellow LED. Was odd, so I logged in and found it reset.
No idea why, but took it to a mate’s and all that he had was R-Photo. All the data is there but no file or folder names, so that was hard to use given there are 1000s of files.
Have taken it to a pro who’s looking at it now with R-Studio and he said he’s found superblocks…
Then I saw this just now: I’m not the only one! I thought it was me.
I did see logs on my virus firewall showing an increase in attacks in the last few days on that device but didn’t do anything. Was going to disconnect remote access, but then this happened before I got the chance.
Pissed, but my bad with only partial backups of docs and photo items; lost all my iTunes library and video library.
Feel stupid, but definitely expect more from WD.
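Two posts above (the one trying DiskInternals after the partition table was changed, and the one whose recovery pro "found superblocks") rely on the same property of ext2/3/4: the superblock is replicated at block-group boundaries, so zeroing the partition table and the primary copy leaves the backups intact. The following is an added example, not the thread's or WD's code, and it builds a constructed image with a tiny, hypothetical geometry (4 KiB blocks, 8 blocks per group) to show how a scan for the 0xEF53 magic still locates the backup copies after the start of the disk is wiped.

```python
import struct
EXT_MAGIC, SB_LEN = 0xEF53, 1024  # s_magic sits at byte 56; a superblock occupies 1 KiB

def is_power_of(n: int, base: int) -> bool:
    while n > 1 and n % base == 0:
        n //= base
    return n == 1

def is_sparse_group(g: int) -> bool:
    """sparse_super keeps superblock copies in groups 0, 1 and every power of 3, 5 and 7."""
    return g in (0, 1) or any(is_power_of(g, b) for b in (3, 5, 7))

def build_superblock(block_size, blocks_per_group, total_blocks, label: bytes) -> bytes:
    """Constructed superblock: only the fields the scanner checks are filled in."""
    sb = bytearray(SB_LEN)
    struct.pack_into("<II", sb, 0, total_blocks * 2, total_blocks)  # s_inodes_count, s_blocks_count_lo
    log_bs = (block_size // 1024).bit_length() - 1                    # block_size == 1024 << log_bs
    struct.pack_into("<I4xI", sb, 24, log_bs, blocks_per_group)      # s_log_block_size, s_blocks_per_group
    struct.pack_into("<H", sb, 56, EXT_MAGIC)                        # s_magic
    sb[120:120 + len(label)] = label                                 # s_volume_name
    return bytes(sb)

def build_image(block_size=4096, blocks_per_group=8, groups=8, label=b"mbl-data") -> bytearray:
    """Constructed image laid out like a tiny 4 KiB-block ext filesystem with sparse_super backups."""
    sb = build_superblock(block_size, blocks_per_group, blocks_per_group * groups, label)
    img = bytearray(block_size * blocks_per_group * groups)
    img[1024:1024 + SB_LEN] = sb  # primary copy sits 1 KiB into the device
    for g in range(1, groups):
        if is_sparse_group(g):  # backup copy in the first block of the group
            off = g * blocks_per_group * block_size
            img[off:off + SB_LEN] = sb
    return img

def scan_superblocks(img: bytes) -> list:
    """Return (offset, label, block_size, blocks_count) for every plausible superblock, at 1 KiB steps."""
    hits = []
    for off in range(0, len(img) - SB_LEN + 1, 1024):
        if struct.unpack_from("<H", img, off + 56)[0] != EXT_MAGIC:
            continue
        inodes, blocks = struct.unpack_from("<II", img, off)
        log_bs, bpg = struct.unpack_from("<I4xI", img, off + 24)
        if inodes == 0 or blocks == 0 or bpg == 0 or log_bs > 6:  # reject random 0xEF53 noise
            continue
        label = bytes(img[off + 120:off + 136]).rstrip(b"\0").decode("ascii", "replace")
        hits.append((off, label, 1024 << log_bs, blocks))
    return hits

def wipe_partition_table(img: bytearray, span: int = 4096) -> bytearray:
    img[:span] = bytes(span)  # simulate the reported damage: only the MBR area and primary superblock are zeroed
    return img
```

On a real disk image the same scan is what `testdisk` and `e2fsck -b <backup block>` build on; the offsets it reports are the candidates for mounting or repairing from a backup copy.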
Is it even worth opening a support ticket? The unit is 9 years old.
■■■■: EX2 Ultra - and also all data gone!
Just had a look at my firewall logs. Nothing since the 1st of April until the early hours of this morning. Since then it has blocked dozens of remote administration attempts. Not sure if this is in any way related but it’s a bit of a worrying coincidence.