New Ransomware Attacks Target NAS Devices

If you think that leaving your My Cloud NAS devices connected to the internet is a good idea, think again. It’s only a matter of time, and RAID won’t protect you. If you don’t have external (isolated) backups, now is the time to create them, before it’s too late.

The number of ransomware strains targeting NAS and backup storage devices is growing, with users “unprepared” for the threat, researchers say.

Devices may be accessed directly through a network or may have a web interface. The problem, Kaspersky says, is that user authentication can sometimes be bypassed due to integrated software in NAS systems that have vulnerabilities.

Ransomware developers have realized this, and while there was little evidence of NAS devices being targeted in 2018, this year, a range of new ransomware families have emerged with NAS-exploit capabilities.

To begin an attack chain, operators will first perform a scan of a range of IP addresses to find NAS devices that are accessible via the Internet. Exploits of unpatched vulnerabilities are then attempted, and if successful, Trojans will be deployed and data encryption of all devices connected to the NAS drive begins.

Wipers have also become a more frequent attack tool. Like ransomware, such programs rename files and make ransom demands. But these Trojans irreversibly ruin the file contents (replacing them with zeros or random bytes), so even if the victim pays up, the original files are lost.

Network attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and not-updated systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits.

1 Like

Can i avoid ransomware by not using windows OS to connect nas devices?

I guess there is nothing to do about it. All your data is lost. I have also been hit by the .nyton extension which made my PR2100 unusable. It is the third time with in a few months. There must be a hidden backdoor in the system and this NAS drive I dare not use any more until WD has solved this big problem. - So WD - please find a solution!!

Interesting info about EternalBlue. And "nice guys those NSA’s!! :frowning:
If the Nyton guys use brute-force, it should be possible to make a very long and complex password let’s say 50 characters and then hope they will never break it. You might save this password in a txt file and copy/paste when using it.

If you want to know the Vulnerabilities just take a look at the screen capture I posted earlier this week. I am using RADAR by F-secure Vulnerability Management software…Here’s one bad one for starters: an SMB NULL Session Authentication. Many of us have SAMBA on to viewing files on this NAS and in Windows. Many of these services have not been updated by WD as best I can tell.

I am presently blocking all PORTS from the LAN to the WAN to this device and visa versa. Only Access will be LAN to LAN, that’s it. To heck with this WAN access, its quite dangerous.

I just discovered the Nyton ransomware on a MyCloud Mirror device that I have been using to backup another Mirror that is my primary NAS for daily use. Strangely the backup is infected but the other drive is not, nor are any of the office computers. So it appears the backup Mirror was breached directly through the connection to the internet via Apple Airport Extreme. I have disconnected the infected device and will reformat and reset. However, any advice on settings to keep this from recurring would be very appreciated.
WD tech support merely suggested installing anti-virus software. But I would prefer to block these devices from the net entirely since they are only used for internal backup and storage.

1 Like

Are you referring to Anti Virus software on the WD drive [Linux based] or a Windows based PC AV software that would scan the SMB connected NAS drive files (your files)? I’m not sure if your issue is file related (your own files with an infection) or Linux OS related such as a breach that has penetrated the Linux OS.
In either case, WD sent along this message last month (a copy and paste) on my Linux findings with their NAS drive. Users are left to fend for themselves for months on end with patches long overdue as my Radar report which goes back 4 months ago (January 28)
"We appreciate you reporting these vulnerabilities to us on My Cloud PR4100. We’d like to update you on the status of your report and to communicate to you that we have been working on a large update to the security of the My Cloud operating system. This update is targeted for release in the summer of 2020 and will address this class of issue systematically by upgrading the base operating system of the device to a version based on Debian 10 “Buster”.

Unfortunately, we cannot commit to a shorter release window because of the complexity involved in developing and testing an update of this magnitude. We will update you when more concrete details are available on this operating system upgrade. In the meantime, if you have any other questions or issues to report, please feel free to reach out." (end)

Thanks - this is helpful. I am on Mac, and the malware seems to only have affected a backup MyCloud Mirror device that was connected to my router. Because the malware does not appear to have propagated from any of the computers in the office it appears to have hit the device directly from the web. Hence I surmise that it was the Linux OS of the Mirror device itself that opened the vulnerability to the attack. I am glad to hear that WD is working on a fix. I am going to follow their advice and see if it is possible to install anti-virus software directly on the Mirror devices that will protect them from this and other attacks.

Following up - was this update ever completed? And is it available for both Gen-1 and Gen-2 Mirror devices?

2 Likes

I received an email from the WD Team member in charge of this release about 4 weeks ago. It was originally scheduled for summer 2020 and delayed to October 2020 thus due out this month last I heard. There was a firmware update in early August.

My WD home cloud has been infiltrated too, 2TB of files converted to.mars files, with ransom note. A real pest, will need to wipe the disc. I think I have most of it backed up.I’m a Mac user too.