KUPIDON Ransomware

My My Cloud has been infected with a ransomware programme (the PC I use hasn't been affected). How do I remove the infection and hopefully recover the encrypted files?

I've looked at some recovery tools but they don't see the NAS.

Are you sure your My Cloud is infected and doesn't just have data copied from an infected PC? Is it an infected file, or do you see files with .kupidon?

KUPIDON ransomware is nasty. I would disconnect all devices from the My Cloud and figure out the origin.

If it is the Linux OS on the My Cloud, then do the 40 sec full system and data reset. NOTE: YOU LOSE ALL DATA. Not clear if KUPIDON ransomware has a Linux version.

I think it is much more likely you have an infected PC that synced the KUPIDON files to your My Cloud.

Similar problem here. All files on my My Cloud device encrypted and the .kupidon extension appended to filenames. No local computers show any sign of infection. Connected to the My Cloud via SSH and could not find any sign of ransomware running; wiped the disks and restored a few files; no sign of reinfection after 3 days. Any thoughts?

I use my NAS to store photos, music and some films. The infection was a direct attack, as none of my laptops or PCs are infected; I've run numerous virus and malware checks on all of them.

Sadly my backup files were on the NAS and they are infected too.

Did you run or were you running a Safepoint / Backup from the My Cloud Dashboard which would backup the My Cloud to a USB hard drive attached to the USB port on the back of the My Cloud?

Often, unless there is a specific method for unlocking ransomware-encrypted files, one is typically out of luck if they don't have an unaffected backup of the ransomware-encrypted files/data.

Chances are the My Cloud was affected because the ransomware program was downloaded and run on a local network PC. Once on that PC it may hide itself so malware/security/antivirus programs will not find it. Often one has to scan the PC using an emergency boot disc/USB flash drive that some security or malware or antivirus software companies provide (some may do so for free).

The problem is, as always, once infected there is no way to know for sure if you have totally eradicated the ransomware (offending software) using various antivirus/malware/security software. Best option, while not optimal, is to completely wipe the hard drive and restore the data to it from clean backup media or backup locations. Not having a backup of the backup presents problems.


Looking at the kupidon files, they were modified on the Saturday just gone; there wasn't a programme run or downloaded on the network on Saturday.

I am resigned to having lost the data. To be honest, the only thing I'm sad to lose is the photos, but then again they haven't been accessed since they were installed on the NAS, so in reality no real biggie.

Regarding the running of antivirus and malware software, this has been done with different programmes, all within Safe Mode, and come up blank each time.

I will in future use a USB stick to back up the backups, but if the NAS was affected, wouldn't the USB be affected too in all likelihood?

My NAS is used at home and connected to my router and isn't directly attached to a PC/laptop. It's why I think it's been a direct attack, as I don't think the protection on the router is as good as what's on the PCs/laptops.

Safe Mode may still load the malware/ransomware. The key is to boot the computer using a USB flash drive or disc that has an OS and cleaning programs on it. That way one is typically bypassing the OS and disc that contain the infected files. I ran into one malware program that modified all antivirus and malware programs on the computer so it would bypass scanning the malware/ransomware file. Only caught it and cleaned it by using a separate boot/flash drive that didn’t run the OS on the PC.

Generally in a business environment one would just wipe all affected drives and reload from clean backups. It's why good backup programs will create multiple sets of backups, so if the latest backup is infected one can roll back to an earlier backup. Yes, one will lose data, but usually not all of the data. Often those backup programs run every single night, so at most one may lose one or two days' worth of data.


I would look at this as an opportunity to upgrade.

Besides this ransomware, there is likely other malware or program bloat on your PC. I second the motion for a clean O/S install.

In the Windows world, you can download a "clean" installation image directly from Microsoft. Booting from a USB key, you can completely start over with the drive. IIRC, you may have an option to preserve data on the drive. (I would wipe the drive.)

I am one of those people that have more money than sense. Me personally, I would shell out the bucks for a fresh HDD and load the fresh Windows image onto that drive. One advantage of this method is that you still have a working HDD with an O/S in case something goes wrong.

The last few times I "started over" (I have multiple systems in my house), I looked for and found online versions (fully updated) of all my key software. This includes several legacy programs that are obsolete (i.e. Acrobat X, Lightroom 6). I now have installation copies available on my NAS.

As another note: none of my data lives on my PCs. Everything is on the My Clouds and external drives. Makes it easier when a PC crashes. Also makes it easier to switch between systems.


Hi, I have the same problem.
Have you been able to solve it?

Hijacking an English forum thread with a foreign language is rude. Please use English so others are not forced to use Google Translate. There are German, Spanish, Italian and French links at the top right of this forum.

no helpio problema uslessio im Anglisch

Hi,

Same problem here on MyCloud EX2 Ultra.

In my case, it may only have been a direct attack to the NAS, since it was the only device connected to the network for more than a week.

The only port I had opened was 32400 for the Plex Media Server, with forward on the router.

I found all the files in the Public folder encrypted with a .kupid extension, and in each folder a .txt file that informed me of the attack and asked for a ransom of $300 via Bitcoin at a link to be opened with the Tor browser.

Since these were files of which I had scattered backup copies, I decided to format the NAS hard disks and factory reset, but I am afraid that the event may happen again.

Carlo

WD My Cloud EX Ultra
FW ver. 2.31.204

I have experienced the same. Only files in the Public folder. Do you think that means my other folders outside of Public are safe (they don't look infected)?

And does anyone have experience with recovering the infected files? I have a lot that only exists on there, unfortunately.
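The questions above (which shares were hit, when the encryption ran, and whether a backup is still clean before it is overwritten, as discussed earlier in the thread) can be answered from an SSH session on the NAS or from a PC with the share mounted. The script below is an added example, not code from this thread or from WD. It assumes the encrypted files carry the .kupidon or .kupid extension reported here, that ransom notes are .txt files mentioning Bitcoin as Carlo described, and that GNU or busybox find, grep and stat are available; the share root path and the sample tree are constructed for the demo. It scopes the incident and gates a backup job; it does not decrypt anything, since no decryptor for these files is named on this page.

```shell
#!/bin/sh
# Added triage example for an infected NAS share tree (not code from the
# thread or from WD). Run over SSH on the NAS, or on a PC against a mounted
# share. Assumptions: encrypted files carry the .kupidon or .kupid extension
# (both reported in this thread) and ransom notes are .txt files that mention
# Bitcoin, as one poster described. Uses GNU/busybox find, grep and stat.

# encrypted_files ROOT: paths of files renamed with a known ransomware extension
encrypted_files() {
    find "$1" -type f \( -name '*.kupidon' -o -name '*.kupid' \)
}

# count_encrypted ROOT: number of such files under ROOT
count_encrypted() {
    encrypted_files "$1" | wc -l | tr -d ' '
}

# ransom_notes ROOT: .txt files whose text mentions bitcoin (case-insensitive)
ransom_notes() {
    find "$1" -type f -name '*.txt' -exec grep -il 'bitcoin' {} +
    return 0   # no match is not an error here
}

# mtime_window ROOT: "first last" modification times (epoch seconds) of the
# encrypted files; the span dates the encryption run (e.g. a few minutes at
# night, as one poster saw) and can be matched against router/PC logs
mtime_window() {
    encrypted_files "$1" | while IFS= read -r f; do stat -c %Y "$f"; done \
        | sort -n | awk 'NR==1{first=$1} {last=$1} END{if (NR) print first, last}'
}

# share_summary ROOT: one "<share> <encrypted-count>" line per top-level
# share directory, to confirm whether only Public was hit
share_summary() {
    for share in "$1"/*/; do
        share=${share%/}
        printf '%s %s\n' "${share##*/}" "$(count_encrypted "$share")"
    done
}

# safe_to_backup ROOT: succeed only when no indicator is present; use as a
# gate so a scheduled backup job does not overwrite the last clean set
safe_to_backup() {
    [ "$(count_encrypted "$1")" -eq 0 ] && [ -z "$(ransom_notes "$1")" ]
}

# triage_report ROOT: human-readable summary of the above
triage_report() {
    printf 'encrypted files: %s\n' "$(count_encrypted "$1")"
    printf 'ransom notes:\n'; ransom_notes "$1"
    printf 'mtime window (epoch): %s\n' "$(mtime_window "$1")"
    printf 'per share:\n'; share_summary "$1"
    if safe_to_backup "$1"; then echo 'backup gate: OK'; else echo 'backup gate: BLOCKED'; fi
}

# make_demo_tree: constructed sample data (not real victim files) so the
# script can be exercised offline; prints the temp root path
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Public/photos" "$root/Private/docs"
    printf 'x' > "$root/Public/photos/img1.jpg.kupidon"
    printf 'x' > "$root/Public/photos/img2.jpg.kupidon"
    printf 'x' > "$root/Public/movie.mkv.kupid"
    printf 'All your files are encrypted. Pay 300 USD in Bitcoin via Tor.\n' \
        > "$root/Public/photos/README.txt"
    printf 'x' > "$root/Private/docs/report.docx"
    printf 'grocery list\n' > "$root/Private/docs/notes.txt"
    touch -t 202002010210 "$root/Public/photos/img1.jpg.kupidon"
    touch -t 202002010212 "$root/Public/photos/img2.jpg.kupidon"
    touch -t 202002010215 "$root/Public/movie.mkv.kupid"
    printf '%s\n' "$root"
}

# Usage: sh nas_triage.sh /path/to/shares   (the share root differs per model)
# With no argument, run against the constructed demo tree.
if [ "$#" -gt 0 ]; then
    triage_report "$1"
else
    demo=$(make_demo_tree)
    triage_report "$demo"
    rm -rf "$demo"
fi
```

Run it before any cleanup so the evidence (extensions, notes, modification window) is recorded, and put `safe_to_backup` in front of a backup job's copy step so a fresh encryption does not get rotated over the last good set. On the demo tree the Public share reports three encrypted files and one note while Private reports none, and the modification window is five minutes wide.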

I have the same problem. In one day, within a couple of minutes during nighttime, my public, remotely accessible share was encrypted.

Fortunately not the original files and also not the share which is not public.

To me it looks like WD is being hacked or targeted.

I will replace the files and shut down the remote access. I am aware that I use an "old" My Book Live, but I believe this should not be possible.

I have two drives: only the one with a public share and remote access is infected.

Me with the same problem.

Only the WD is infected, not my computer, and only the Public folders.

What a big ■■■■ protection of WD.

I am so angry.

Sorry but I doubt you or many viewing this thread will like what I typed below.

It is very naive and arrogant to assume, just because the NAS device has encrypted files from ransomware, that any of the PC(s) used to connect to the NAS are not infected if the PCs don't have infected local files. Some ransomware targeting is specifically designed as rogue on PCs so the ransomware can spread to other NAS devices without quick detection!!

WD is certainly to blame for allowing public Internet access for any storage, in my opinion. I personally don't use Public for ANYTHING and remove the Public directory. I use different complex user names and, during password creation, use a very long randomly generated string for my password. I also block port access to my NAS at my router so it is not accessible by anything, unless of course my router is first compromised.

Anyway, below is an article from a year ago where ransomware was deployed specifically against WD's competitor. Home NAS devices are specifically targeted by ransomware designers because they are used to store critical data and backups, but despite this, the devices don't tend to be equipped with security software. "Publicly exposed systems and devices expand overall attack surfaces and increase the potential for vulnerabilities to be exposed and exploited."

Note the article below is one year old.


Yes, the Public Share issue has long been a complaint by users in this subforum. Many have complained about the inability to set it to Private. Instead one is forced to use SSH to try and disable it by modifying the firmware. Many years ago WD patched the Dashboard coding bug that allowed one to actually set that Public Share to Private in early firmware versions. Just a few past threads…