My Cloud has been hacked and they ask for money to give my files back

I am having a major issue here.

My Cloud was clearly hacked and all files are still present but cannot be opened.

This message comes up instead

Can you help?

It wasn’t your cloud that was hacked. It was your PC that was hacked, and your PC had a mapped drive pointing to your cloud share (or had cached credentials to it).

The Ransomware is on your PC and had (has) easy access to your files on your NAS to encrypt them and ransom them.

Sorry that happened to you!

If you’re prepared, you should be able to restore your PC (re-install the OS from scratch) and then restore from backups that you took BEFORE the hack occurred.

Unfortunately, Tony is right. There is nothing we can do about ransom-ware.

Thank you for quick replies.

PC seems fine to me. It was switched off and there’s Norton antivirus on it. All files on PC are fine it’s just the cloud that was attacked

Can you open the files on your PC? Does Norton show that it stopped the ransom-ware on your computer?

The log history on antivirus doesn’t seem to work. I’m doing a full scan and PC seems fine while it detected already 1430 infected virus on cloud on 60% scan. This mess is a real cause of concern

That really sounds odd. I’m going to have support contact you. Maybe the drive logs can show us something.

When you say “this message comes up”. When and where does that message come up? When accessing a file on the My Cloud? When accessing the My Cloud Dashboard? A bit more info is needed on exactly where and when that message is appearing and in what program window it’s appearing (like a web browser window or a simple dialog box).

Are there any other computers or mobile devices on the local network that could have initiated the ransomware attack?

Is the My Cloud configured for Remote Access? If so does anyone else have Remote Access capabilities?

Does the My Cloud administrator account have its password enabled and was a strong password used?

Is SSH enabled?

Is there port forwarding enabled in the router/gateway to pass traffic to the My Cloud?

Were files even in Private Shares (if you have any) also encrypted by the ransomware?

Chances are a user on your local network opened up a file, or clicked on a link, that initiated the ransomware attack. Antivirus programs are only as good as the virus definitions that are programmed for them and will only catch those viruses they’re programmed to catch. I’ve had viruses slip past updated McAfee and Norton products in the past to infect machines.

The downside to a ransomware attack is it may encrypt files on any mapped drives or folders on the PC that triggered/opened the attack file.

Only way to be 100% certain one has eradicated the ransomware is to erase all affected files. If the computer is infected only way to be sure is to completely wipe the hard drive and reinstall the operating system and programs from known good source media. Reinstalling from a backup is questionable since it may still contain the ransomware.

Chances are, your PC was hacked and it happens to encrypt the data that was on the NAS and/or save the infected files there.

Now, not all ransomware is detected by antivirus apps just like malware (adware/spyware).
I use a combination of antivirus and Malwarebytes.

Try Malwarebytes free version to see if you can remove it. Pay version is only for real time.
Or search for ransomware remove/removal.

But as mentioned earlier, the only way to be 100%, would be to delete all infected files and rebuild PC.

@Bennor @Shabuboy

Ransom message was saved in every single folder on a .txt and .png format and it’s the only file that can be opened while all other files have been encrypted

I just found out that someone in my family connected (for the first time ever) his old and unprotected laptop to home wi-fi network the day before MyCloud had the problem.

That laptop was subject to the same Ransomware attack the minute it connected to wi-fi and my friend thought it was “just” an old virus but wasn’t aware it could spread insanely to other hardware connected to home network.

Home PC, iPhones and other devices seem fine, WD MyCloud instead was 100% affected by it.

Is there a way I can recover all files? I have NO intention to pay ransom.

Thank you for your help guys, I appreciate it.

How was your MC configured regarding accounts and shares? I would suspect most would not have a full offline backup of their MC units. I wonder if the Clam AV should be extended to all MC devices.

Sorry this happened, and hope it is not going to be a trend in the WD Community.

So, question:

I have installed on my DL2100 My Cloud NAS, the approved-by-WD app, Anti-Virus Essentials as recommended and made available by WD. Is this app going to protect my DL2100, or is it simply out-classed by this new wave of ransom ware?
I just renewed my subscription to Norton Security a few days ago. Does anyone have any info from Norton to share about this?

Just answered my own questions about Norton:

Above link suggests using the Norton Power Eraser which I have used from time to time. Might be time to use it more often. Even non-Norton users can use this free program.

Only if you have backups taken BEFORE the encryption took place.

Why take the risk? How important are the files? Even if you run multiple AV and malware scanners on the files and they report clean do you really want to take the risk? Those are questions one will have to answer for themselves and decide how to proceed.

There may be no way to know for certain when the files were infected meaning any Safepoint/Backup may also be infected or carry the virus payload.

Unfortunately once a virus gets loose on the local network every device is suspect and may be hiding the virus.

I would not let that person whose computer was previously infected and who thought it was an “old” virus to ever connect anything to my network again. I would complain to them loudly about the damage their actions caused and the time wasted fixing it.

Unfortunately due to the nature of the My Cloud, its security, how users configure the My Cloud, and the lack of an embedded AV scanner within the My Cloud, these kinds of infections can happen. That’s why it’s best to stop these kinds of infections at the edge of the network and ensure that anyone who connects to your network uses proper AV security software and updates/scans regularly.

I find it hard to believe however that WD didn’t implement a proper security/antivirus/configuration capable of defending files on the device. Those drives are sold to average computer users who don’t necessarily have a clue how to set up proper IT security and are not even aware of the risks of storing important/confidential documents on the cloud.
They should stress how to protect your content instead of sending pointless emails trying to sell more products.

How would it possibly know? The files are not likely “infected” or harboring viruses. They were just encrypted – the same thing many other legitimate software packages or programs do with their own files. The cloud would have no way of knowing that something malicious was occurring. All it sees is an authorized user reading files and writing other normal files.

Though Bennor is correct - there’s always the possibility that the ransomware stashed itself in some of your files - it is rather unlikely. That’s not typical of ransomware.

They have implemented certain security options on their more expensive My Cloud devices. The more expensive units have the “Anti-Virus Essentials” app that can be added through the Dashboard app option.

To expect the single bay My Cloud units, most of which tend to cost $20 to $40 (US dollars) more than the bare WD Red many of them contain, to support an antivirus module/app may be just a bit unrealistic. To make these single bay NAS drives as cheap as possible WD has made various decisions that limit the hardware/firmware capabilities of the devices. The single bay My Cloud devices are bare bones NAS devices with limited capabilities. Their features (and lack of features) are plainly advertised both on the box and online.

One cannot blame WD or any other manufacturer of lower cost NAS devices when the customer chooses the cheapest item possible yet illogically expects that cheap device to have similar capabilities of NAS devices costing twice or more the price. One cannot blame WD when it is or was the end user who allowed, either knowingly or unknowingly, an infected computer to connect to their local network and infect the My Cloud and possibly other local computers.

Edit: Couple of additional comments. It may be possible for one to install ClamAV (https://www.clamav.net/) to the single bay My Cloud, if the My Cloud hardware supports it, and if ClamAV supports being installed to those My Clouds with the 4K firmware file system. The obvious solution to this problem is to set up one’s computer based Anti Virus program to scan the My Cloud (and its Shares) if it can.

Others have asked for AV support in the Cloud Ideas subforum:

https://community.wd.com/t/please-add-an-anti-virus-solution-maybe-based-on-clamav-to-my-cloud/97179

https://community.wd.com/t/allow-users-to-install-anti-virus-software-on-mycloud/97016

It’s essentially no different to a hard disk. Do you expect hard disk manufacturers to implement anti-virus measures?

If it was someone who just came over and connected their laptop to the wifi, then only Public folders must have been affected. Unless he was provided with a username/password for Private shares. Did you ever set private shares for important files?
If not, do it next time regardless of NAS type, WD, Qnap, Synology, Plain Linux, Windows, etc.

And still hasn’t been mentioned, how important are the files and do you have backup?
If no backup, this is probably the most important lesson of this whole fiasco.
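
The pattern reported earlier in the thread (the same ransom note as a .txt and a .png in every folder, with every other file unreadable) can be used to measure how much of a share was hit before deciding what to restore. The following is an added example, not code from any poster or from WD; the 0.8 folder ratio, the 7.5 bits/byte entropy threshold and the header list are assumptions of this sketch, and it only reads files.

```python
import math
import os
import sys
from collections import Counter

NOTE_EXTS = {".txt", ".png"}  # note formats reported in the thread
# Headers of common formats that are high-entropy even when intact.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"%PDF-", b"PK\x03\x04",
         b"\x1f\x8b", b"GIF8")


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 looks like random data."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total)
                for c in Counter(data).values())


def triage(root, note_ratio=0.8, threshold=7.5, sample=65536):
    """Return (note_names, suspect_paths) for the tree under root."""
    per_dir = {d: f for d, _sub, f in os.walk(root) if f}
    # A ransom note: the same .txt/.png name in nearly every folder.
    counts = Counter()
    for names in per_dir.values():
        counts.update({n.lower() for n in names
                       if os.path.splitext(n)[1].lower() in NOTE_EXTS})
    notes = {n for n, c in counts.items()
             if len(per_dir) > 1 and c / len(per_dir) >= note_ratio}
    suspects = []
    for dirpath, names in per_dir.items():
        for name in names:
            if name.lower() in notes:
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(sample)  # read only, never modify
            except OSError:
                continue  # unreadable file: skip rather than abort
            # Random-looking content without a known header is suspect.
            if (len(head) >= 256 and not head.startswith(MAGIC)
                    and entropy(head) >= threshold):
                suspects.append(os.path.join(dirpath, name))
    return notes, sorted(suspects)


if __name__ == "__main__" and len(sys.argv) > 1:
    found_notes, found = triage(sys.argv[1])
    print("possible ransom notes:", sorted(found_notes))
    print(len(found), "files look encrypted")
```

This is a heuristic: formats outside the header list (video, archives of other kinds) will show up as suspects, so treat the output as a list to review, run it from a machine known to be clean, and mount the share read-only if possible.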