My Cloud Mirror Gen1 attacked by Ransomware!

Firmware: v 2.11.168

Media files on my WD My Cloud Mirror are encrypted.
After I noticed that, I unplugged the network cable.
(Files on my PC are not encrypted and my PC seems to be normal.)

Encrypted folders contain "read_me_for_recover_your_files.txt" and encrypted files look like this: "blabla.png.locked"

How can I find the infected PC, and how can I decrypt my files?

“read_me_for_recover_your_files.txt” contains:

Your important files produced on this device have been encrypted.

No one can decrypt your files except us.

To recover your files, you have to pay 0.21 bitcoin.

If you can afford the specified amount of bitcoin,
and you want to know if we can decrypt your files,
you can send us up to 2 files for demonstration.

Please note that files must NOT contain valuable information
and their total size must be less than 2MB.

Do not rename encrypted files.

Do not try to decrypt your data using third party software,
it may cause permanent data loss.

Don't forget to send us your ID after payment.

Contact Email :

Your ID :

Probably far out of the scope of this forum. You might run some free vulnerability scanners like Nessus or OpenVAS in your local network to find the infected device. Nevertheless, this probably needs some more knowledge on your side.

There are a few ransomware decryption tools floating around, like the following:

You might need to first research what type of ransomware this is and whether it's possible to decrypt it, and then follow the instructions of those decryption tools.

An easier / safer way than relying on such decryption tools is the suggestion of @dswv42 above to restore the files from your offline backup (which you hopefully have).

The MyCloud Mirror Gen 1 uses / only has the 2.x firmware.

As a side note, it's not necessarily the case that you have an infected PC in your local network:

Could it be possible that the MyCloud device has port forwarding for the SMB share and that the writable shares are publicly available via the internet (not sure if it's possible to configure the MyCloud device in this way)?

AFAIK it's not possible, and by default it is a discouraged thing to do. Instead of making stuff accessible on your NAS, you should VPN into your network for safer access (instead of having x+1 services facing the public internet, you have a single port used for VPN only).

It seems to be a recent ransomware targeting NAS devices.


Port-forwarding status for my MyCloud Mirror is:
TCP ports 80, 21, 22, 443, 8080

Is this setting vulnerable to SambaCry?

According to WD's release note, firmware v 2.11.168 already resolved the related security vulnerability (CVE-2017-7494).
Does my case involve a different vulnerability?

Release Note:
Firmware Version 2.11.168 (11/28/2017)
Resolved Issues
• Resolved SMB server (samba) security vulnerability (CVE-2017-7494) - Malicious clients can upload and cause the SMB server to execute a shared library from a writable share.
• Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.
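Added example (my own code, not from anyone in this thread and not Western Digital tooling) that follows on the "how can I find the infected device" question and the SambaCry release note above. It assumes the affected share has been mounted read-only (or copied) to a local directory and walks it to list the `.locked` files, the ransom notes, the affected folders and the mtime window of the encrypted files, which is the time range to line up with router, NAS and PC logs when looking for where the writes came from. Because CVE-2017-7494 is triggered by dropping a shared library on a writable share, it also flags stray `.so` files, and it checks an `smb.conf` for `nt pipe support = no`, the workaround the Samba project published for that CVE (a patched firmware such as 2.11.168 is the real fix). The ransom-note name and `.locked` suffix are taken from the original post; `build_sample_share()` creates a constructed sample tree, so nothing here touches a real NAS.

```python
"""Offline triage of a NAS share hit by ".locked" ransomware.

Added example, not Western Digital tooling. Assumes the affected share has been
mounted read-only (or copied) to a local directory; build_sample_share() creates
a constructed tree so the script runs without a real NAS.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

RANSOM_NOTE = "read_me_for_recover_your_files.txt"  # file name from the post
LOCKED_SUFFIX = ".locked"                            # extension from the post
# CVE-2017-7494 ("SambaCry") is triggered by dropping a shared library on a
# writable share and making smbd load it, so stray .so files are an indicator.
SUSPECT_LIB_RE = re.compile(r"^.+\.so(\.\d+)*$")


def triage_share(root):
    """Walk the share and summarise what the ransomware (or an attacker) left.

    The mtime window of the .locked files gives a time range to line up with
    router, NAS and PC logs when looking for the source of the writes. mtimes
    written over SMB can be set by the client, so treat them as a hint only.
    """
    locked, notes, suspect_libs = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(LOCKED_SUFFIX):
                locked.append(path)
            elif SUSPECT_LIB_RE.match(name):
                suspect_libs.append(path)
    window = None
    if locked:
        mtimes = [os.stat(p).st_mtime for p in locked]
        window = (datetime.fromtimestamp(min(mtimes), timezone.utc),
                  datetime.fromtimestamp(max(mtimes), timezone.utc))
    return {
        "locked_files": sorted(locked),
        "ransom_notes": sorted(notes),
        "suspect_libs": sorted(suspect_libs),
        "affected_dirs": sorted({os.path.dirname(p) for p in locked}),
        "encryption_window": window,
    }


def smb_conf_has_sambacry_mitigation(conf_text):
    """Return True if [global] sets 'nt pipe support = no', the workaround the
    Samba project published for CVE-2017-7494 on hosts that cannot be patched.
    It is a stop-gap only; a patched firmware (2.11.168 here) is the fix."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key == "nt pipe support":
                return value == "no"
    return False


def build_sample_share():
    """Constructed sample tree (not real victim data) shaped like the post."""
    root = tempfile.mkdtemp(prefix="mycloud_sample_")
    t0 = datetime(2017, 12, 1, 3, 0, tzinfo=timezone.utc).timestamp()
    sample = {
        "Photos/blabla.png.locked": t0,
        "Photos/holiday.jpg.locked": t0 + 60,
        "Photos/" + RANSOM_NOTE: t0 + 61,
        "Music/song.mp3.locked": t0 + 120,
        "Music/" + RANSOM_NOTE: t0 + 121,
        "Documents/notes.txt": t0 - 86400,    # untouched file
        "Public/libpayload.so": t0 - 300,     # hypothetical dropped library
    }
    for rel, ts in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    report = triage_share(build_sample_share())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point `triage_share()` at the mount point of the real share instead of the sample tree; the earliest `.locked` mtime is the moment to look for in the router's port-forwarding or connection logs and in the NAS's own logs, and any `.so` file on a data share that you did not put there deserves a closer look.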

I’d rather not forward 21 and 22 to the open world. Shellshock was a huge bug, and if there’s another like it, you might be targeted.