My Cloud has been hacked and they ask for money to give my files back

They have implemented certain security options on their more expensive My Cloud devices. The more expensive units have the “Anti-Virus Essentials” app that can be added through the Dashboard app option.

To expect the single bay My Cloud units, most of which tend to cost $20 to $40 (US dollars) more than the bare WD Red many of them contain, to support an antivirus module/app may be just a bit unrealistic. To make these single bay NAS drives as cheap as possible WD has made various decisions that limit the hardware/firmware capabilities of the devices. The single bay My Cloud devices are bare bones NAS devices with limited capabilities. Their features (and lack of features) are plainly advertised both on the box and online.

One cannot blame WD or any other manufacturer of lower cost NAS devices when the customer chooses the cheapest item possible yet illogically expects that cheap device to have similar capabilities to NAS devices costing twice or more the price. One cannot blame WD when it is or was the end user who allowed, either knowingly or unknowingly, an infected computer to connect to their local network and infect the My Cloud and possibly other local computers.

Edit: A couple of additional comments. It may be possible for one to install ClamAV (https://www.clamav.net/) on the single bay My Cloud, if the My Cloud hardware supports it, and if ClamAV supports being installed on those My Clouds with the 4K firmware file system. The obvious solution to this problem is to set up one’s computer-based antivirus program to scan the My Cloud (and its Shares) if it can.

Others have asked for AV support in the Cloud Ideas subforum:

https://community.wd.com/t/please-add-an-anti-virus-solution-maybe-based-on-clamav-to-my-cloud/97179

https://community.wd.com/t/allow-users-to-install-anti-virus-software-on-mycloud/97016


It’s essentially no different to a hard disk. Do you expect hard disk manufacturers to implement anti-virus measures?

If it was someone who just came over and connected his laptop to the wifi, then only Public folders should have been affected, unless he was provided with a username/password for Private shares. Did you ever set private shares for important files?
If not, do it next time regardless of NAS type: WD, Qnap, Synology, plain Linux, Windows, etc.

And it still hasn’t been mentioned: how important are the files, and do you have a backup?
If no backup, this is probably the most important lesson of this whole fiasco.

Which further highlights why one should be able to disable or set to private the main default Public Share folder. It’s something several of us have complained about for more than a year and so far ignored by WD. One would have to use SSH to change the config files to hide the main Public Share.

I have the MCM Gen 2 and the Anti-Virus Essentials has to be side loaded from an unpublished link. In my case the install fails. Those with capable devices should install ClamAV as an added defense.

I need to restrict my public share to read only too since my children may not be aware of what they are doing. Minecraft and Roblox download launchers are vulnerable to being spoofed when Google searching.

Yeah, the side loading, while it may work for certain My Cloud units, may end up dragging down the My Cloud to the point it’s unusable, per the comments in that thread.

For those interested in changing the main Public Share to private or read only:

https://community.wd.com/t/public-share-public-access-on/96854

https://community.wd.com/t/removing-public-share-wd-mycloud/137086


I don’t know how the laptop, just by connecting to home wi-fi, could spread ransomware to the whole MyCloud, both public and private. He just connected to wi-fi in order to use the internet and didn’t even try to connect to the cloud.

The hard drive on the PC is perfectly fine and Norton cannot find a single threat (I wonder if the PC had been ON whether the antivirus could have done its job and stopped the attack?)

Tomorrow I should receive a call from a WD technician in order to try to assess the causes of the disaster (check logs etc.) and see if there’s a way to recover files. And I don’t think I have ever done a backup, unfortunately…

I’d really like to know the outcome of your issue. I have some additional questions for you.

  1. Do you have “Cloud Access” enabled?
  2. Do you use the default admin account for your account or did you setup a user account for you?
  3. How many named users have access to your MC device?
  4. How many shares do you have? Are any of those shares publicly accessible? If so, do they have read-only or read-write permissions?
  5. Have you performed a backup of your data previously? If so, is the drive currently connected? If so, was it compromised?

Actually I have another question…

What ports do you have open to the internet on your router?

It will sit dormant on his machine until it is connected to a network. The virus will then interrogate devices on the network, finding disk surfaces that are writeable, and machines it can run on. It may have subverted any other machine on your network that has write access to your MyCloud.

Viruses are written by people who know their stuff, who know about how networks work, and the common vulnerabilities and how to exploit them. They are clever…

Alternatively, as others are alluding to, it may be an external attack, coincidental with your friend.

That is why I led off with my number 1. Since I disabled “Cloud Access” my router does not have traffic hitting the MC device. I’ve stated previously port 80 should not be used to transfer our content. Too easy to grab traffic over the insecure connection over the Internet.

Ports 80 and 443 are open. I cannot configure ports on my router but just set up the security level of the antivirus. None of my devices is associated with a game or service.

Let me come back to you on your questions ASAP. Thank you for your interest

Ports 80 and 443 are open on what? The My Cloud? You should be able to enable and configure port forwarding on your router through the router’s administration screen/page. Most routers have the option to set up port forwarding.

If you are not using remote access, simply turn off Remote Access within the My Cloud Dashboard. If not using FTP, turn FTP off as well through the My Cloud Dashboard.

Everything was poorly configured:

Do you have “Cloud Access” enabled? -> yes, it was enabled for a few devices
Do you use the default admin account for your account or did you setup a user account for you? -> I used the default admin account from different devices
How many named users have access to your MC device? -> There were about 4/5 devices set up with a code
How many shares do you have? Are any of those shares publicly accessible? If so, do they have read-only or read-write permissions? -> 4 shares (public, smart, timemachine and A://) and they all had read-write permissions for every device
Have you performed a backup of your data previously? If so, is the drive currently connected? If so, was it compromised? -> No backup ever made and nothing available from the safepoints menu :(

I hope this helps…

Ports 80 and 443 were open to the internet. I don’t think home network devices such as the TV, iPhone, Cloud were open to public IP addresses or allowed to be initiated from the internet… So it says on the router settings interface.

Users and Devices are different things. A User has an ‘account’ on the MyCloud, and can register a number of remote access Devices.

From what you are saying, it sounds like you have only a single User (Admin), and all the shares you have created are either Public, or are accessible to Admin. In the former case, everything is visible to any device on the network.

I’m afraid you have lost everything. The MyCloud can be recovered by doing a Full Factory Restore, which will wipe and overwrite all the disk space, which should remove any trace of the ransomware.

But your data is lost. Just like it would be if the hard disk failed.

The lessons are twofold (at least):

  • always do backups, preferably to a disk that is removable
  • make all data Private, and add strong password protection to the user account
  • if you must make data Public, make it read-only.
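A small audit script, added here as an example (it is not from any post in this thread and not WD code), that applies the lessons above and the Public-share hardening advice earlier in the thread to a Samba-style share configuration: it flags every share that a guest can write to. The smb.conf fragment is constructed and does not reflect the real My Cloud config file layout or paths.

```python
import configparser
import io

# Constructed sample smb.conf fragment: share names echo the thread (Public, smart,
# timemachine) but paths and settings are made up, not a real My Cloud config.
SAMPLE_SMB_CONF = """
[Public]
path = /shares/Public
guest ok = yes
read only = no
[smart]
path = /shares/smart
guest ok = no
writable = yes
valid users = admin
[timemachine]
path = /shares/timemachine
public = yes
writeable = no
"""

def _truthy(value):
    """Samba treats yes/true/1 (case-insensitive) as boolean true."""
    return value.strip().lower() in ("yes", "true", "1")

def audit_shares(conf_text):
    """Map each non-global share to 'guest-writable', 'guest-readonly' or 'private'.
    Synonyms: 'public' == 'guest ok'; 'writable'/'writeable' invert 'read only' (default yes).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(conf_text))
    result = {}
    for share in parser.sections():
        if share.lower() == "global":
            continue
        sec = parser[share]
        guest = _truthy(sec.get("guest ok", sec.get("public", "no")))
        if "read only" in sec:
            writable = not _truthy(sec["read only"])
        else:
            writable = _truthy(sec.get("writable", sec.get("writeable", "no")))
        if guest and writable:
            result[share] = "guest-writable"  # any LAN device can overwrite/encrypt files
        elif guest:
            result[share] = "guest-readonly"
        else:
            result[share] = "private"
    return result

print(audit_shares(SAMPLE_SMB_CONF))
```

Any share reported as guest-writable is exactly the exposure the thread describes: a single infected device on the wifi can overwrite it without credentials.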

Way up in this thread I gave links to Norton info about ransomware and some ways to try to get rid of it. One link suggested using Norton’s FREE Power Eraser program. Did you even try using it to see if it helped?

At present I have used McAfee antivirus to scan my PC (which was clean) and the Cloud (about 1500 threats) to clean my home network. iPhones, TV, printer etc. cannot be scanned by antivirus but I presume they are fine. The laptop which I suspect created the problem has been switched off since and there is no rush to turn it on again.

On a positive note, yesterday I spent an hour and a half over the phone with a WD engineer and he connected remotely and checked what happened to the Cloud. I don’t know what he did exactly as it was getting too complicated for me, but he seemed surprised to see that the ransomware managed to change settings on accesses or authorizations… He reverted everything back and did a factory restore and managed to open the files, but he said they looked damaged (as opposed to encrypted)…

He couldn’t do whatever he intended to do and he said he will “escalate” the case and they would come back to me this week to do something else.

It’s good and reassuring to see how seriously and professionally they are considering these issues! Well done WD!!

I’ll see if the engineer or anyone from WD can comment on this thread and explain a bit.

Well, I did not say use Norton anti-virus or their current program Norton Security. I suggested you run Power Eraser, a stand-alone free program anyone can use to do deep cleaning to look for rootkits and other nasty things like ransomware. Once again this is the link; it costs you nothing to run this easy program:

https://support.norton.com/sp/en/us/home/current/solutions/v71075396_EndUserProfile_en_us?pv=off&q=ransom+ware