KUPIDON Ransomeware

Did you run or were you running a Safepoint / Backup from the My Cloud Dashboard which would backup the My Cloud to a USB hard drive attached to the USB port on the back of the My Cloud?

Often, unless there is a specific method for unlocking ransomware encrypted files one is typically out of luck if they don’t have an unaffected backup of the ransomware encrypted files/data.

Chances are the My Cloud was affected because the ransomware program was downloaded and run on a local network PC. Once on that PC it may hide itself so malware/security/antivirus programs will not find it. Often one has to scan the PC using a emergency boot disc/usb flash drive that some security or malware or antivirus software companies provide (some may do so for free).

The problem is, as always, once infected there is no way to know for sure if you have totally eradicated the ransomware (offending software) using various antivirus/malware/security software. Best option, while not optimal, is to completely wipe the hard drive and restore the data to it from clean backup media or backup locations. Not having a backup of the backup presents problems.

1 Like

looking at the kupidon files they were modified on Saturday just gone, there wasnt a programme run or downloaded on the network on Saturday.

I am resigned to having lost the data, to be honest the only thing im sad to lose is the photos but then again they havent been accessed since they were installed on the nas so in reality no real biggie.

Regarding the running of antivirus and malware software, this has been done with different programmes all within safe mode and come up blank each time.

I will in future use a USB stick to backup the backups but if the NAS was affected wouldnt the USB be affected to in all liklihood?

my NAS is used at home and connected to my router and isnt directly attached to a pc/laptop. its why i think its been a direct attack as i dont think the protection on the router is as good as whats on the pc’s/laptops.

Safe Mode may still load the malware/ransomware. The key is to boot the computer using a USB flash drive or disc that has an OS and cleaning programs on it. That way one is typically bypassing the OS and disc that contain the infected files. I ran into one malware program that modified all antivirus and malware programs on the computer so it would bypass scanning the malware/ransomware file. Only caught it and cleaned it by using a separate boot/flash drive that didn’t run the OS on the PC.

Generally in a business environment one would just wipe all affected drives and reload from clean backups. It’s why good backup programs will create multiple sets of backups so if the latest backup is infected one can roll back to an earlier backup. Yes one will loose data but usually not all of the data. Often those backup programs run every single night so at most one may loose one or two days worth of data.

1 Like

I would look at this as an opportunity to upgrade.

Besides this ransomeware; there is likely other malware or program bloat on your PC. I second the motion for a clean O/S install.

In the Windows world, you can download a “clean” installation image directly from Microsoft. Booting from USB key; you can completely start over with the drive. IIRC; you may have an option to preserve data on the drive. ( I would wipe the drive).

I am one of those people that have more money than sense. Me personally - - - I would shell out the bucks for a fresh HDD and load the fresh windows image onto that drive. One advantage of this method is that you still have a working HDD with an O/S in case something goes wrong.

Last few times I “started over”, (I have multiple systems in my house) I looked for and found online versions (fully updated) for all my key software. This includes several legacy programs that are obsolete (i.e. Acrobat X; Lightroom 6) . I now have installation copies available on my NAS.

As another note: None of my data lives on my PC’s. everything is on the MyClouds and external drives. Makes it easier when a PC crashes. . . :slight_smile: Also; makes it easier to switch between systems.

1 Like

hola yo tengo el mismo problema.
Lo has podido solucionar?

Hijacking an English forum thread with a foreign language is rude. Please use English so others are not forced to use Google translator. There are German Spanish Italian and French links at the top right of this forum.

no helpio problema uslessio im Anglisch


Same problem here on MyCloud EX2 Ultra.

In my case, it may only have been a direct attack to the NAS, since it was the only device connected to the network for more than a week.

The only port I had opened was 32400 for the Plex Media Server, with forward on the router.

I found all the files in the Public folder encrypted with a .kupid extension, and in each folder a .txt file that informed me of the attack and asked for a ransom of $ 300 via Bitcoin at a link to be opened with the Tor browser.

Since these were files of which I had scattered backup copies, I decided to format the NAS hard disks and factory reset, but I am afraid that the event may happen again.


WD My Cloud EX Ultra
FW ver. 2.31.204

I have experienced the same. Only files in the Public folder. Do you think that means my other folders outside of Public are safe (they look not infected).

And does anyone have experience with recovering the infected files? I have a lot that only exists on there unfortunately :worried:

I have the same problem. In one day, couple of minutes, during nighttime my public, remote accessable, share was encrypted.

Fortunately not the original files and also not the share which is not public.

To me it looks like WD is being hacked or targeted.

I will replace the files and shut down the remote acces. I am aware that I use an “old” Mybook Live, but I believe this should not be possible.

I have two drives: only the one with a public share and remote access is infected.

Me with the same problem.

Only infected the WD, not my computer and only the Public folfers.

What a big ■■■■ protection of WD.

I am so angry.

Sorry but I doubt you or many viewing this thread will like what I typed below.

It is very naive and arrogant to assume just because the NAS device has encrypted files from randsomware that any of the PC(s) used to connected to the NAS are not infected if the PCs don’t have infected local files. Some randsomware targeting is specifically designed as rouge on PCs so the randsomeware can spread to other NAS devices without quick detection!!

WD is certainly to blame for allowing Public Internet access for any storage in my opinion. I personally don’t use Public for ANYTHING and remove the Public directory. I use different complex user names and during password creation use a very long randomly generated string for my password. I also block port access to my NAS at my router so it not accessible by anything unless of course my router is first compromised.

Anyway below is article from a year ago where a randsomeware was deployed specifically to WD’s competitor. Specifically home NAS devices are targeted by ransomeware designers because they are used to store critical data and backups – but despite this, the devices don’t tend to be equipped with security software.“Publicly exposed systems and devices expand overall attack surfaces and increase the potential for vulnerabilities to be exposed and exploited”

Note the article below is one year old.

1 Like

Yes the Public Share issue has long been a complaint by users in this subforum. Many have complained about the inability to set it to Private. Instead one is forced to use SSH to try and disable it by modifying the firmware. Many years ago WD patched the Dashboard coding bug that allowed one to actually set that Public Share to Private in early firmware versions. Just a few past threads…

A few years ago I had the same problem, since that case, I don’t map it as a network drive or make windows to remember my password, and all the important stuff are backed up on an external Hard Drive.

I have the same problem too :frowning: , still no solution ?

Huh? It is ransomware so there is no easy solution other than wiping ALL devices who accessed the NAS clean or throwing them ALL in the garbage.

I recommend ONLY using these type NAS devices as HOME ONLY NAS with no internet access blocked via a properly configured and secured router.

^- - - -which is why I have nearly ZERO data on my PC’s. . . and the NAS units are backed up to non-connected drives.

I find myself once again debating the siren call of web connections into the units. . . .but between THIS thread and the INDEXING thread that is currently being discussed. . . . I am thinking one needs to either “roll your own” with a PC and VPN; or commit to a public service like DropBox or OneDrive.

1 Like

Not sure what kind of “solution” you were looking for, but the solution is to wipe the unit and restore data from a clean backup. Even if there was a one click solution to unlock the encrypted files there is no guarantee the malware/virus isn’t still lurking around somewhere on your local network just waiting to reinfect the My Cloud. That’s why the only way to be sure is to wipe the device and reload the data from a backup.

Don’t think its been determined exactly how people’s My Cloud’s are being infected. Is the firmware itself being compromised to run the malware/virus from the root level? Is it from just having one Public Share? Is it from the Remote Access feature? Is it from SSH being enabled? Is it from another local network device being infected? Was it due to someone opening up an infected email or infected webpage or infected file they downloaded? Is it due to one’s local network security being compromised? Etc.

As has been indicated above there are ways (using SSH) to try and disable or remove the default Public Share on a single bay/single drive My Cloud which cannot currently be changed to Private through the My Cloud Dashboard.

1 Like

@Bennor Your response was much nicer than the blunt , harsh response I provided.

Same issue except, I have not connected my Mac to my MyCloud EX2 in over 2 years. The Kupidon appeared on Aug 28, 2020. My last connect to EX2 hardline or wireless was in May 2019. I only have photos on it which I already have in another drive from years back. I can simoky toss the drives and install new drives, but won’t as EX2 is no longer supported. I’m not even sure if EX2 Ultra is even supported anymore. Thus, I can only assume the ransomware got through via the internet. I have a router that connects to a switch. Off the switch runs to Samsung TV, to Xbox and to MyCloud. I haven’t uploaded any photos to the EX2 since May 2019 and that was from my Note 9 phone: 10 photos.

Marry Me! I’m right there with you. You’re intimations are correct. The initial draw into WD cloud devices and notably, the EX2 when it first was launched was for those traveling to be able to remote in to show photos, documents, etc. on their phone, tablet, etc. I still have the original WD Photos app, which is not on the app store anymore. I simply transfer apps from old phone to new when I get new phones and the WD Photo app transfers over; thus still get the nice photo album library. Yet, as you note, once you open the cloud to the internet, anything can happen and again you’re correct; WD security is not strong. I don’t like cloud-based services as I’ve had data lost, even on Apple’s iCloud. I do backup drives also, and not really too much work as I add to my backups regularly; take photos, download photos to drive weekly. What I never liked about the EX2 was that when you move photos onto the drive(s), they images are reduced to micro size and you cannot pull them off those drives as original full size.