The .NamPoHyu is indeed terrible. Just to be sure of the symptoms:

Pmarty/Xfifi: have you also found some modified executables on your NAS (as I have described above), or was it an additional infection? Typically you would find these files when you search in Explorer for ‘*.exe’ on the NAS and look at the creation date of those files. When those creation dates/times are very similar, quite recent and not matching your installation, the executables were probably modified by the attacker. DO NOT USE/EXECUTE these files; they might be the trigger of the ransomware. What I did is, I changed the extension and stored the files on a USB stick. Since doing so, my anti-virus program keeps alerting on those files.

ADDED INFO: DO NOT erase the infected executables: you might need them as input at a later moment in time when someone succeeds in preparing a decryption tool for this virus. The best you could do is save these files on an empty USB stick. Mind you that this type of ransomware is new on the market and we don’t know yet what will be required to put an end to the ransom.

GT500 did you receive that file I had submitted on Sunday, and is it helpful for your analysis? Can I help with something more?

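The triage Albert-S describes (searching the share for *.exe and looking for creation times that cluster together) can be scripted so the files are only stat'ed and never opened. The following is an added example, not code from the original post: it walks a mounted share, records a timestamp per executable and reports groups that appeared within a short window of each other. The extension list, the 600-second window, the minimum cluster size of three and the demo tree are assumptions; on Linux, where os.stat exposes no creation time, it falls back to modification time.

```python
import os
import sys
import tempfile

# Assumed list of Windows executable extensions worth triaging on a share.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")


def creation_or_mtime(st):
    """Best available "when did this file appear" timestamp.

    Windows reports creation time in st_ctime; macOS/BSD expose st_birthtime;
    Linux exposes no birth time through os.stat, so modification time is used.
    """
    if sys.platform.startswith("win"):
        return st.st_ctime
    return getattr(st, "st_birthtime", st.st_mtime)


def cluster_timestamps(items, window_seconds):
    """Group (path, timestamp) pairs: a pair joins the current cluster when it
    is within window_seconds of the cluster's latest member, else starts a new one."""
    ordered = sorted(items, key=lambda it: it[1])
    clusters = []
    for path, ts in ordered:
        if clusters and ts - clusters[-1][-1][1] <= window_seconds:
            clusters[-1].append((path, ts))
        else:
            clusters.append([(path, ts)])
    return clusters


def scan_executables(root, suffixes=EXECUTABLE_SUFFIXES, timestamp_of=creation_or_mtime):
    """Walk root (e.g. a mapped NAS share) and collect (path, timestamp) for
    every file whose name ends in one of the suffixes. Files are only stat'ed,
    never opened or executed."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                try:
                    found.append((path, timestamp_of(os.stat(path))))
                except OSError:
                    continue  # unreadable entry: skip rather than abort the scan
    return found


def suspicious_clusters(root, window_seconds=600, min_size=3, timestamp_of=creation_or_mtime):
    """Clusters of at least min_size executables that appeared within
    window_seconds of each other: the pattern the post describes."""
    items = scan_executables(root, timestamp_of=timestamp_of)
    return [c for c in cluster_timestamps(items, window_seconds) if len(c) >= min_size]


def demo():
    """Constructed tree: three executables 'dropped' within 50 s, one old .exe
    and one PDF. Uses modification time so the demo behaves the same on Linux.
    Returns the sorted basenames of each suspicious cluster."""
    root = tempfile.mkdtemp()
    base = 1_555_000_000.0
    layout = [("one.exe", 0), ("two.EXE", 30), ("sub/three.dll", 50),
              ("old.exe", 99_999), ("doc.pdf", 10)]
    for rel, off in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (base + off, base + off))
    clusters = suspicious_clusters(root, window_seconds=600, min_size=3,
                                   timestamp_of=lambda st: st.st_mtime)
    return [sorted(os.path.basename(p) for p, _ in c) for c in clusters]


if __name__ == "__main__":
    import time
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for cluster in suspicious_clusters(root):
        first, last = cluster[0][1], cluster[-1][1]
        print(f"{len(cluster)} executables appeared between "
              f"{time.ctime(first)} and {time.ctime(last)}:")
        for path, _ in cluster:
            print("   ", path)
```

Run it as `python triage.py Z:\` against the mapped share. A cluster is only a lead: compare its timestamps with your own installation history, and treat the listed files exactly as the post says, copy them aside with a changed extension rather than opening them.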

Yes.

In this case there is only a small light at the end of the tunnel.
At first there was only my article MegaLocker Ransomware with several variants, then a topic on the BC forum, then a topic on this forum, and now an article on the BC website.
Victims should somehow unite in this matter and connect the right guards, because without technical specialists and the technical support services of the equipment vendors this question cannot be solved.
This vulnerability will continue to be missed and attacked, and ransomware will continue to encrypt information on your NAS devices.
With the forces of freelancers and AVers only, it cannot be stopped.

2 hours ago, Albert-S said:

GT500 did you receive that file I had submitted on Sunday, and is it helpful for your analysis? Can I help with something more?

Some of your posts have been edited, so I'm not sure if you posted it here and then removed the links later, or if you sent them via e-mail. Regardless, I didn't download any files from this topic in the last week.

 

2 hours ago, Albert-S said:

modified executables on your NAS

I must have missed that in your original post. Would it be possible for you to send those to me? You can do so in a private message, or by attaching the files to a post here (only authorized personnel can download file attachments, unless they are pictures/images).


@GT500 Thank you for your concern and the good work.

However, I did not post the file on the forum, because I thought it is not a good habit to spread a potential virus on this platform :)

So I have attached it in an email to: [email protected] // subject: referring to ransom message of Albert-S (including some typos)

I have mentioned my concerns regarding this executable on the forum on Tuesday at 3:30 PM, Europe. Hope it finds you well now; I did not mean to confuse ...

Since you mentioned only authorized persons can download, I tried to add the file to this post. But I can't: my virus scanner does not allow me.


It appears that the “.NamPoHyu” ransomware is often attacking Synology NAS systems. This comment therefore is only related to Synology NAS systems.

1. Regular data recovery is a no-go: decryption is the only way to restore data!

As GT500 said, the chances for regular data recovery are already very low, since it is more likely that the data has been overwritten than copied. However, in this case regular data recovery software does not allow you to access the NAS drives directly. Therefore, the following has been suggested:

On 4/16/2019 at 1:33 AM, GT500 said:

@Albert-S and @borstibo there is a possibility that if you remove the drives from the affected NAS, and connect them to a computer that is capable of reading them (if they are formatted with either the FAT32 or NTFS filesystems then Windows computers should be able to read them), that you may be able to use file recovery/undelete software to recover some of the files. Please note that this is based on an assumption, and may not be correct.

I have contacted the Synology helpdesk and the bad news is that the disk format is ext4 or BTRFS, which a regular PC can't read. Moreover, for the Synology system no data recovery software exists that can recover files or folders.

 

2. Block the guest account

I have good reasons to assume that the guest account on the system is a potential problem. I therefore recommend the following: enter the configuration screen, open Users, select Guest, edit, select: switch off this account immediately & do it directly (no delay). Basically I believe you don’t want unknown ‘guests’ on your NAS. If you have other accounts you work with and you are logged in with one of those accounts, I suggest you do the same with the admin account, too.

 

For more info on NAS check this forum too.


@Albert-S I can't find strange .exe files on my Synology NAS, which was affected by the .NamPoHyu virus.
Can you give some filenames or directories which I can search for with more accuracy?

Thanks for your feedback about the Synology recovering possibility, what a pity...


For me, there are no .exe files for this virus. It's an intrusion from a remote script executed by the hackers. Samba server or FTP vulnerability via the Guest user in Synology. :(


@pmarty  @xfifi 

What I notice is that none of the .exe files on the attacked drives/partitions were encrypted, and thus exe files do not have the ‘.nampohyu’ extension. They still are regular executable files and are not encrypted. I wonder if you could confirm this observation?

Further, I have found the executables infected by a virus in very unexpected directories, including the recycle bin, and not all executables were infected by a virus. There is no logic (to me) in the directories to search for. But when you use Windows Explorer you should be able to search all the sub-directories. You could also check if there were more drives/partitions infected. In my case they attacked 4 drives/partitions and left 6 drives/partitions unchanged; I assume that they had no access to the other drives/partitions.

On 4/17/2019 at 5:30 PM, Albert-S said:

So I have attached it in an email to: [email protected] // subject: referring to ransom message of Albert-S (including some typo's)

That would have gone directly to our malware analysts. They don't typically respond to e-mails they receive (unfortunately they receive too many of them to respond to), however they do read everything and check everything that is submitted. Note that they probably won't let me know what they found unless I ask them, so I'll have to see if they remember the e-mail.

 

12 hours ago, Albert-S said:

I have contacted the Synology helpdesk and the bad news is that the disk format is ext4 or BTRFS which a regular PC can't read.

In this case you'd most likely either need a computer running Linux to connect the drives to, or a Linux Live DVD (you can usually put these on USB flash drives using a tool like Rufus). Maybe something like Knoppix? Unfortunately it's difficult to get a hold of anything newer than version 8.1 of Knoppix, as newer versions were only distributed via third-parties (for instance version 8.5 was only distributed through a German magazine).

Granted, there are alternatives that do run on Windows and can recover files from drives formatted in fourth extended (ext4); most of them cost money, however I was able to find at least a couple of free programs that can at least access fourth extended (ext4) formatted partitions. TestDisk only appears to be able to recover files from a second extended (ext2) partition, however R-Linux appears to support fourth extended (ext4). R-Linux actually has a Windows version (there's a "for Windows" tab just above the description of the software on the R-Linux page I linked to), and in theory should be able to read a fourth extended (ext4) partition even from Windows. I wasn't able to test this quickly, since every Linux installation I have is on XFS formatted partitions instead of ext4...

Keep in mind though, all of this is really just a "shot in the dark", and there are no guarantees. It sounds like in the case of your NAS some sort of malicious code did execute on it, so the odds of data recovery succeeding are very low.

Just be sure you don't write any data to the drive you're trying to recover data from, or you may permanently prevent data recovery. Always recover data to a different drive than the one you're restoring from. ;)

 

13 hours ago, Albert-S said:

2. Block the guest - account

I have good reasons to assume that the guest account on the system is a potential problem. I therefore recommend the following: enter the configuration screen, open Users, select Guest, edit, select: switch off this account immediately & do it directly (no delay). Basically I believe you don’t want unknown ‘guests’ on your NAS. If you have other accounts you work with and you are logged in with one of those accounts, I suggest you do the same with the admin account, too.

Guest accounts are fairly normal, at least in Windows. It's possible the account is there on your NAS merely for proper Windows networking support, since Windows will expect it to be there. I don't know if there will be any side effects to disabling it, however you may want to contact Synology to ask them.

 

8 hours ago, xfifi said:

For me, there is no .exe files for this virus.

EXE files are Windows executables, and can't run on Linux without some sort of API wrapper or emulator (such as Wine). If something was copied to the NAS and executed, then some sort of script would be more likely.

 

8 hours ago, Albert-S said:

What I notice is that none of the .exe files on the attacked drives/partitions were encrypted, and thus exe files do not have the ‘.nampohyu’ extension. They still are regular executable files and are not encrypted. I wonder if you could confirm this observation?

Further, I have found the executables infected by a virus in very unexpected directories, including the recycle bin, and not all executables were infected by a virus. There is no logic (to me) in the directories to search for. But when you use Windows Explorer you should be able to search all the sub-directories. You could also check if there were more drives/partitions infected. In my case they attacked 4 drives/partitions and left 6 drives/partitions unchanged; I assume that they had no access to the other drives/partitions.

Is it possible that these files were unrelated to the ransomware? EXE files wouldn't be able to run on a Linux-based NAS without assistance, and Linux executables usually have no file extension.


Thanks for all the answers. It did help me forward, though I have not worked on the Linux programs yet. I did, however, succeed in restoring some files by screening other backups on the content after the first 64kB of a file and comparing it with the .nampohyu files. I also succeeded in ‘repairing’ a database by exchanging the first 64kB with that of an older, uncorrupted version of the Access file. Note that this is a dirty way to repair, but after that I was able to copy the table content to another clean database, so I was lucky that it works. Anyway, like others I will look forward to a decryption tool (the real solution) in future. If there is any information required for that, I believe we all are happy to give input.

What I noticed is that only (the first part of) files with a specific extension had been encrypted. These extensions include ‘pdf’, ‘jpg’, ‘doc/docx’, ‘xls/xlsx’ etc.; they do not include the extensions ‘exe’, ‘gif’, ‘html’, ‘png’, etc. Also files smaller than 16 bytes/128 bits (thus extremely small) are not encrypted. This logic is consistent with all that I have observed.

Regarding the executables, I was thinking that the exe files have been infected by the attacker (using Samba by copying files) and that inside these files, which could be triggered by the user himself, there could be code which created and started a separate process in the Linux environment of the NAS itself (DSM). This could make sense if the attacker is not able to directly create or start a process which can be executed in the DSM.

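Albert-S's two recovery tricks above, matching a .nampohyu file to a backup by the content after the first 64kB and transplanting an intact header into a damaged database, can be automated. The script below is an added example and not the poster's own tooling: it fingerprints every backup's tail, pairs encrypted files with backups whose tail is byte-identical, and writes any rebuilt file into a separate directory so the originals stay untouched (GT500's advice above). Assumptions: the "64kB" is taken as 65536 bytes, only the .nampohyu suffix is handled, and demo() fabricates its own sample files in a temporary directory.

```python
import hashlib
import os
import random
import shutil
import tempfile

ENCRYPTED_SUFFIX = ".nampohyu"
HEAD_SIZE = 64 * 1024  # assumption: the post's "first 64kB" taken as 65536 bytes


def tail_digest(path, offset=HEAD_SIZE, chunk=1 << 20):
    """SHA-256 of every byte after `offset`; None when the file is too small
    to have a tail, so tiny files can never produce a spurious match."""
    if os.path.getsize(path) <= offset:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        f.seek(offset)
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_backups(backup_root):
    """Map tail digest -> list of backup files carrying that tail."""
    index = {}
    for dirpath, _dirs, names in os.walk(backup_root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = tail_digest(path)
            if digest:
                index.setdefault(digest, []).append(path)
    return index


def match_encrypted(encrypted_root, index):
    """For each *.nampohyu file under encrypted_root, the backups whose tail
    is byte-identical to its tail (an empty list means no candidate)."""
    matches = {}
    for dirpath, _dirs, names in os.walk(encrypted_root):
        for name in names:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                path = os.path.join(dirpath, name)
                matches[path] = index.get(tail_digest(path), [])
    return matches


def rebuild(encrypted_path, donor_path, out_path):
    """Header transplant: the donor's first HEAD_SIZE bytes followed by the
    encrypted file's remainder, written to a separate location. With a tail
    match the result equals the donor; with an older donor (the Access
    database case in the post) it is only a best-effort repair."""
    with open(donor_path, "rb") as donor, open(encrypted_path, "rb") as enc, \
            open(out_path, "wb") as out:
        out.write(donor.read(HEAD_SIZE))
        enc.seek(HEAD_SIZE)
        shutil.copyfileobj(enc, out)
    return out_path


def demo():
    """Constructed scenario in a temp dir: one encrypted file whose tail is
    still present in a backup, one with no backup at all. Returns a summary."""
    root = tempfile.mkdtemp()
    backups, nas, restored = (os.path.join(root, d) for d in ("backup", "nas", "restored"))
    for d in (backups, nas, restored):
        os.makedirs(d)
    rnd = random.Random(7)

    def blob(n):
        return bytes(rnd.getrandbits(8) for _ in range(n))

    report = blob(HEAD_SIZE + 5000)  # the intact backup copy
    with open(os.path.join(backups, "report.pdf"), "wb") as f:
        f.write(report)
    # The ransomware overwrote only the first 64 KiB; the tail survives.
    with open(os.path.join(nas, "report.pdf.nampohyu"), "wb") as f:
        f.write(blob(HEAD_SIZE) + report[HEAD_SIZE:])
    with open(os.path.join(nas, "notes.docx.nampohyu"), "wb") as f:
        f.write(blob(HEAD_SIZE + 3000))  # no backup exists for this one

    summary = {"matched": {}, "unmatched": []}
    for enc_path, donors in match_encrypted(nas, index_backups(backups)).items():
        name = os.path.basename(enc_path)
        if donors:
            summary["matched"][name] = [os.path.basename(d) for d in donors]
            out = rebuild(enc_path, donors[0],
                          os.path.join(restored, name[:-len(ENCRYPTED_SUFFIX)]))
            with open(out, "rb") as f:
                summary["rebuilt_equals_backup"] = f.read() == report
        else:
            summary["unmatched"].append(name)
    return summary
```

For real use, point index_backups at the backup drive and match_encrypted at a copy of the NAS data, never at the drive you are still hoping to recover from; a tail match tells you the backup already holds the full file, a header transplant from an older version only gives you something to try opening.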
7 hours ago, Albert-S said:

If there is any information required for that, I believe we all are happy to give input.

If you ever find out what actually encrypted the files, then that's what we need to figure out if there's a way to recover files. Once we have that, our malware analysts can pick it apart to figure out how it encrypts files, and try to see if there is anything that would allow for easy decryption.

 

7 hours ago, Albert-S said:

Regarding the executables, I was thinking that the exe files have been infected by the attacker (using Samba by copying files) and that inside these files, which could be triggered by the user himself, there could be code which created and started a separate process in the Linux environment of the NAS itself (DSM). This could make sense if the attacker is not able to directly create or start a process which can be executed in the DSM.

It's possible they were left there in the hopes that a user might accidentally infect their Windows system as well. It's also possible that the attacker wasn't actually aware of what kind of system they had gained access to and simply copied a number of things that they may need while decrypting files, or that they just have a standard toolkit that they copy to compromised systems/devices and just copy everything instead of only what they need.


Hello all, 

I too am a victim of the .NamPoHyu. I have a WD My Cloud NAS device and it was hit on Sunday evening (BST) over the course of about 6 hours. I will monitor this topic with great interest, and am happy to provide any information or files or anything else that may be useful to anybody working on this. Unfortunately I am not hugely IT literate, but am able to follow the conversation so far. The NAS is now offline and I've pulled off all unaffected files onto another HDD. I've also made a copy of all the infected files onto another HDD.


Out of curiosity, do any of the affected NAS devices save access logs?

On 4/24/2019 at 10:34 PM, GT500 said:

Out of curiosity, do any of the affected NAS devices save access logs?

Actually, I have found some good access logs: on the Synology NAS systems they can be found by first pressing main menu, then selecting the icon "Log Center", then selecting on the left side "log books"; from there use the dropdown and select the second item: "Connection" and then search for "guest" (all lower case). In that list I noted that 1 second before the encryption started a connection was made using SMB2:

Date/time: User [guest] from [description(IP adres)] via [CIFS(SMB2)] accessed shared folder [foldername].

The nice thing about this log is you can export it.

Furthermore, the following can be helpful as well: open the “configuration screen” and select Security. After that, enter the tab sheet “Account”; the first subject is about “enable automatic blocking”. In this subject there is a button “List allowed/blocked”. Press this button to open a new window where you select the tab sheet “blocking list”. Here all blocked IPs are listed. You can export this IP deny list file as well.

I believe these files can be helpful when reporting the ransomware to the police, which I have done.

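The Log Center entries Albert-S quotes can be searched mechanically once exported. The parser below is an added example (not from the post and not Synology's own tooling): it reads lines of the quoted shape, flags accesses by the guest account or from addresses outside the ranges you declare as your LAN, and lists what connected in the seconds before the first encrypted file appeared. The sample lines, host names, IP addresses and the timestamp format are constructed for the example; adjust TS_FORMAT and the regular expression to match your own export.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the Log Center "Connection" entry quoted
# above. Host names, addresses and times are invented for the example.
SAMPLE_LOG = """\
2019/04/14 02:58:03 User [albert] from [LAPTOP-HOME(192.168.1.20)] via [CIFS(SMB2)] accessed shared folder [photos].
2019/04/14 03:11:40 User [guest] from [(203.0.113.77)] via [CIFS(SMB2)] accessed shared folder [documents].
2019/04/14 03:11:41 User [guest] from [(203.0.113.77)] via [CIFS(SMB2)] accessed shared folder [backup].
2019/04/14 03:40:12 User [guest] from [NAS-TV(192.168.1.31)] via [CIFS(SMB2)] accessed shared folder [video].
2019/04/14 04:02:55 User [admin] from [(198.51.100.9)] via [FTP] accessed shared folder [homes].
"""

TS_FORMAT = "%Y/%m/%d %H:%M:%S"  # assumed export format; change to match yours
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"User \[(?P<user>[^\]]*)\] from \[(?P<desc>[^(\]]*)\((?P<ip>[^)]+)\)\] "
    r"via \[(?P<proto>[^\]]+)\] accessed shared folder \[(?P<share>[^\]]+)\]"
)


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line):
    """One log line -> dict of fields, or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flag_events(records, lan_networks, flagged_users=("guest",)):
    """Return (record, reasons) for accesses by a shared account such as
    guest, or from an address outside the networks you consider your LAN."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    flagged = []
    for rec in records:
        reasons = []
        if rec["user"].lower() in flagged_users:
            reasons.append("shared/guest account")
        if not any(rec["ip"] in net for net in nets):
            reasons.append("source outside LAN")
        if reasons:
            flagged.append((rec, reasons))
    return flagged


def events_before(records, moment_text, seconds):
    """Accesses in the `seconds` leading up to a moment such as the first
    observed .nampohyu timestamp, given in the log's own time format."""
    moment = parse_ts(moment_text)
    start = moment - timedelta(seconds=seconds)
    return [r for r in records if start <= r["ts"] <= moment]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec, reasons in flag_events(recs, ["192.168.1.0/24"]):
        print(rec["ts"], rec["user"], rec["ip"], rec["proto"], rec["share"],
              "->", ", ".join(reasons))
    for rec in events_before(recs, "2019/04/14 03:11:42", 5):
        print("just before encryption:", rec["ts"], rec["user"], rec["share"])
```

The flagged source addresses are what belongs in a police report together with the exported log itself; the guest-from-LAN entry shows why the account check alone is not enough and why the LAN ranges should be stated explicitly.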
39 minutes ago, Albert-S said:

I believe these files can be helpful when reporting the ransomware to the police, which I have done.

Yes, they can be. Our malware analysts actually do recommend this.

If anyone else who has had their NAS compromised wants to report this to the authorities for investigation (which will hopefully lead to the arrest of the criminal behind this ransomware), then you can find links to contact law enforcement in most countries at the following link:
https://www.nomoreransom.org/en/report-a-crime.html

Note that while reporting this to your local police is not a bad idea, it might also be prudent to report it to national authorities as well, since they will have more resources for investigating these kinds of crimes, and are often able to work with law enforcement in other countries in cases where the criminal is not domestic.

On 4/24/2019 at 9:34 PM, GT500 said:

Out of curiosity, do any of the affected NAS devices save access logs?

I will try and pull mine off my NAS, although at the moment I'm a bit wary of connecting the NAS back to an online network! (which I think I need to do to access the logs) 


Extortionists who attacked your devices exploited several vulnerabilities. Some NAS devices ship with a Samba server to ensure compatibility when sharing files between different operating systems. Samba developers fix vulnerabilities regularly. It is urgent to install all released patches, if this has not been done before. Official page with patches and descriptions of each vulnerability: https://www.samba.org/samba/history/security.html

---

If you want to hear my opinion about all this... 💬
Of course, extortion is a crime, but selling devices that are defenseless and have wide open doors is also a crime.
If you draw an analogy with society and life, it turns out that a person bought a safe, put valuables in it and put it on the street, where it rains, the wind blows and passers-by walk. So the lock rusted, a cunning hacker opened it with a special key, took everything valuable and threw what he could not carry into the dirt. Now, even if the injured party pays the ransom, it still will not return all of their valuables.

23 hours ago, NamPoHuyvictim said:

I will try and pull mine off my NAS, although at the moment I'm a bit wary of connecting the NAS back to an online network! (which I think I need to do to access the logs) 

Check your router's configuration and make sure that there are no ports forwarded to the NAS, and especially make sure that there is no DMZ configured for the NAS. Also, be sure to turn off UPnP (Universal Plug and Play) to ensure that the NAS can't ask the router to forward ports automatically. If your NAS is connected to a cloud service, then feel free to disconnect your Internet connection to your router long enough to power the NAS on and check the logs.

As long as Internet traffic can't make it to the NAS, you should be fine. A proper router, with Network Address Translation (NAT), won't allow that to happen as long as ports aren't forwarded to the NAS.

Also, check and see if there are any updates for your NAS that you can download and install manually. It's possible that Synology has fixed this issue.

You may also want to check for any guest users in the NAS configuration, and disable them so that no one can log in as a guest.


The server I own was recently infiltrated with the .nampohyu ransomware. I have a Synology Diskstation that I use to store my DVD and Bluray collection, consisting mostly of direct backups of my collection (for DVDs it's file folders each containing the .VOB files and .IFO files for each individual movie. For Blurays, it's a folder for each movie that contains either an .ISO file of the disc or BDMV and CERTIFICATE folders for each individual movie). The files on my Diskstation are not 'encrypted' even though the ransom note would have you believe that. While I could physically wipe the server and re-load all my movies (they are in boxes in my basement), I've discovered a time-consuming solution for myself:

 For the DVDs, each movie was saved in an individual folder containing the AUDIO_TS and VIDEO_TS folders from the DVD. In the folders are the .VOB files, .IFO files and .BUP files. I used command prompts to bulk remove the .nampohyu extensions from the .VOB files. I found that the existing .IFO files were corrupted so I deleted them and renamed the accompanying .BUP files as .IFO files. This restored the functionality of the DVDs.

For the Blu-Rays, the ones that were saved as .ISO files, it seems that the .nampohyu ransomware corrupted the header in the .ISO file. I used the command prompt line to bulk delete the .nampohyu extensions on the files. Then I purchased a program called IsoBuster, loaded the .ISO file of the movie into it, then extracted the BDMV, CERTIFICATE and whatever other files were in the .ISO file into another folder. I'm assuming this got rid of the corrupted header in the original .ISO file because it brought the Bluray back to life.

It is a tedious process to do this for all my movies but at least I didn't lose my collection, and be damned if I am going to pay some thief to return to me what is rightfully mine. Hope this information helps.


1 hour ago, Franco C said:

renamed the accompanying .BUP files as .IFO files

You did the right thing. .BUP files are backup copies intended for restoring .IFO files.


This might be some good news. Anyone tried the tool already?

Update May 3rd, 2019 - Emsisoft cyber security company has released a decryption tool capable of restoring data encrypted by MegaLocker and NamPoHyu ransomware-type viruses. You can download the decryptor for free here.


It works like a charm.
Used on thousands of files with success, it has been a real relief!

If you have a problem finding the key in the !decrypt_instruction.txt file, ask for some help here; one can create a specific file for you.

8 hours ago, pmarty said:

It works like a charm.
Used on thousands of files with success, it has been a real relief!

If you have a problem finding the key in the !decrypt_instruction.txt file, ask for some help here; one can create a specific file for you.

Thank you, when I try to add the ransom note, nothing happens and it says "file not supported". I received the information that .crypted is not supported yet... only .NamPoHyu is supported.

9 hours ago, pmarty said:

It works like a charm.
Used on thousands of files with success, it has been a real relief!

If you have a problem finding the key in the !decrypt_instruction.txt file, ask for some help here; one can create a specific file for you.

I'm getting an "Unfortunately, we were unable to find a key to decrypt your files". Are there instructions posted somewhere to assist with that issue?

attached is an example file

 

!DECRYPT_INSTRUCTION.TXT

7 hours ago, ChristophG said:

Thank you, when I try to add the ransom note, nothing happens and it says "file not supported". I received the information that .crypted is not supported yet... only .NamPoHyu is supported.

That's correct, files with the .crypted extension are not yet supported.


Hi,

5 hours ago, Neth said:

I'm getting an "Unfortunately, we were unable to find a key to decrypt your files". Are there instructions posted somewhere to assist with that issue?

attached is an example file

 

!DECRYPT_INSTRUCTION.TXT (attachment unavailable)

I get the same message as Neth.

And my files are renamed to *.nampohyu.

The decryptor does not seem to work for our version.

 

!DECRYPT_INSTRUCTION.TXT


I am patiently waiting with my .crypted files and occasionally following this thread.

I tried the .nampohyu unlocker but get "File not supported" whenever I select the Ransom note.

Nevertheless, these latest developments have given me hope! Keep-up the fantastic work Emsisoft Team! Thank you!


@PaulV

I'm afraid the decrypter is correct, we don't seem to have your key at this time. Keep a look out in the news for if we update the decrypter.

8 hours ago, Demonslay335 said:

Keep a look out in the news for if we update the decrypter.

A good source of news for this sort of thing is BleepingComputer, as they report on most ransomware decrypters, and do weekly reviews of most developments in the world of ransomware.


Sounds like very good work, people of Emsisoft!

My WD cloud mirror (gen 1), was attacked on the 10th of April, and files were encrypted into files with the '.nampohyu' extension.

But unfortunately the application is not able to decrypt my files. Two things I noticed:

  • In my ransom note, the money you need to pay is not 1000$ but 250$, as given in the example on: https://www.emsisoft.com/decrypter/  (For an example, I enclosed my ransom note, I was not able to upload an example file (error -200) if necessary I can share a file with you in a different way)
  • When I run the application, found on your website, and it starts reading the ransom note, it instantaneously responds with “Key Not Found – Unfortunately, we were unable to find a key to decrypt your files”.

    Could it be that the application was not able to reach outside (as the manual says, an internet connection is required to use the application), due to a firewall (Windows Defender) or virus scanner (AVG free) I use?
    For your information, I first used the application on a PC without an internet connection and it had the exact same (quick) response.

!DECRYPT_INSTRUCTION.TXT

8 hours ago, FromNL said:

In my ransom note, the money you need to pay is not 1000$ but 250$, as given in the example on: https://www.emsisoft.com/decrypter/  (For an example, I enclosed my ransom note, I was not able to upload an example file (error -200) if necessary I can share a file with you in a different way)

The criminal who made the ransomware threatened to increase the price of decryption if no one released a free decrypter by a certain date, and we didn't want him to know that a decrypter already existed, so no one met his deadline. It's possible that the prices in ransom notes will still vary slightly.

 

8 hours ago, FromNL said:

When I run the application, found on your website, and it starts reading the ransom note, it instantaneously responds with “Key Not Found – Unfortunately, we were unable to find a key to decrypt your files”.

I've asked the developer who made the decrypter for confirmation about why your files couldn't be decrypted.


OK, there are two known explanations for why the decrypter may not be able to decrypt your files:

  • There's a bug where sometimes the .NET framework being used will try to encrypt its connection to our servers using TLS 1.1, which is no longer in use due to security issues. Hopefully this will be fixed soon.
  • It's possible we don't have the decryption key for your files.


If the decrypter can't find a key for your ransom note, then it simply means we don't have a decryption key for you yet. My recommendation is to wait, as there's always the possibility that we may be able to update our database with your decryption keys at some point.


Thank you. I will be monitoring. If anyone needs additional support or access to do additional analysis, I am happy to provide access to my server. It is Ubuntu 14.04.

Regards

Don


First of all I would like to thank Emsisoft for the fine decryptor offered; it was a good feeling to have the data restored.

In this contribution I want to reflect on how (in my opinion) to avoid further attacks on the NAS Synology as well as how to back-up when not using ‘cloud’ options.

As Amigo said:

On 4/28/2019 at 9:54 AM, Amigo-A said:

Of course, extortion is a crime, but selling devices that are defenseless and have wide open doors is also a crime.

Having done my homework now, I think those machines are not defenseless, but they are sold with all doors open; furthermore, it takes knowledge to find the doors, windows, escapes etc. Unfortunately the helpdesk, in my experience (in many ways), was not always helpful. Anyway, no (relevant) update has been provided since December 2018.

Checking the system

As a general remark, I have found no (new) traces of intrusion other than those I have reported before. So let’s start with that. From Package Center you are able to install “Antivirus Essential”, which allows you to do a system scan of the DSM software. As a nice-to-know: in case you want to uninstall any package/program, you first have to select it (double-click on an installed package), which brings you to a separate menu where you can select delete from a dropdown. Please know that a complete scan by the antivirus, including all data, could take days or weeks, but that could also be done using a regular antivirus scanner. A system scan, however, can be scheduled on a daily basis. I am not sure/doubt whether the scanner will detect uninfected programs not installed by yourself and not published by Synology and its partners, but I assume it will detect infected files. Secondly, you will want to check the published cron jobs. Those can be found in the control panel as task manager. In that task scheduler you will find DSM auto-update and maybe some other tasks. Unfortunately you will not find all tasks; for instance, a scheduled antivirus scan will not appear. Also check your access logs as I wrote on April 26th in this thread. I’m afraid there are no other opportunities available to check the system.

Prevention

The most important thing is probably to block the guest account; check my message of April 18th. Moreover, one should avoid using regular user names such as ‘guest’, ‘admin’ or ‘user’; those names are vulnerable in general, and I have noticed some hacking attempts using those names. Then open “Security Advisor” from the programs (check the top-left icon to find all your programs) and go directly to the advanced settings. Here you will probably find that the setting is set to ‘home and personal use’, which offers only restricted protection. I would suggest changing that to custom and then selecting all items, to allow you to evaluate in a later phase which protections make sense for you. Now go back to the main screen (Overview) of the Security Advisor and press scan to see whether your protection is good. The Security Advisor will then make suggestions about what to change and where to find the relevant settings for your system. It will guide you to find out which port numbers to change, whether your passwords are good enough, and much more.


 

I want to draw special attention to using the NAS on the internet. I would prefer not to do that, but if you do so, it is wise to have dedicated users for the internet usage, which you should set to double verification when connecting, such as pin-code verification via SMS or email; further, it is wise to use encryption during data transfer, preferably by installing a valid certificate on your system. All those features are available on the NAS, but they have to be activated by yourself. The general settings of Synology will give you maximum access as easily as possible, but that will make it easy for others as well. For more info on this subject check the Synology website.

You also want to check the firewall, which you can find in the Control Panel under Security. I mention this point separately from the Security Advisor, because here the guidance is not as good. To use the firewall, you have to switch it on, and moreover you have to make your own firewall rules. Again, don’t assume that the default rules are good enough. So select a custom profile for the firewall profile and press the button to change the rules. The relevant rules can be altered by selecting LAN in the upper-right dropdown. Now, when you choose not to access your NAS via the internet, I would recommend closing the ports for the NTP service, Bonjour, FTP, AFP, CIFS, NFS, Telnet and SSL. Those ports should be closed for all IP addresses ranging from 1.0.0.0 to 223.255.255.255, but not for the IP addresses (range) specifically used in your own network. By the way: the NAS will not allow you to exclude yourself as long as you are logged in.

(Screenshot: firewall.png)

(Screenshot: firewallDetail.png)

Finally, you want to be informed in case anything unexpected has happened. You can do that by configuring your email account in the e-mail settings, which can be found in the Control Panel under Notification. Indeed, you can select which types of messages you want to receive and which not on the Advanced tab.

Back-up

When deciding not to use the internet for backup, one can use several external USB drives, with a backup program, safe storage places and manual rotation. For this old-school solution I have used Hyper Backup, which can be installed from the Package Center. Hyper Backup allows you to have time-machine-like file management, to compress data and avoid duplicated data, as well as to encrypt the data. Encryption is a good idea, as you (should) carry the USB disks to different locations. You will then require a password, which generates an RSA key; you need to store that password and/or key in a proper way to have orderly future access to your data.

(Screenshot: Backup.png)

Hyper Backup has a good interface. To make a backup, choose ‘local folder & USB’, and then select the applicable USB drive as the shared folder and enter the name of the backup. For each backup drive you should choose a different task and a different name; you can then continue with the other backup settings and finally the initial backup. As a consequence of compression, encryption etc., that initial backup could take several days. Of course, the succeeding incremental backups are much quicker. So for the next initial backup disk you want to increase the speed. This can be done by copying the data from one disk to another, where you only copy the folder in the root which carries the name of the backup you placed on the drive. On the new drive you then change the name of that folder to the new backup name. When now making a new backup task, again choose ‘local folder & USB’, but do not use the default radio-button selection ‘make backup task’; select ‘link to an existing backup task’ instead. From here you select the new USB drive and the newly made folder containing the initial or progressed backup data. You then have an initial backup right from the beginning.

Summary

The possibilities for checking the actual health of the system are available, but they could be insufficient. Nonetheless, good methods for protecting the system exist, where the Security Advisor is essential for finding the right protection. However, it requires the user not to rely on any of Synology’s default settings, which in general can be described as weak. Many backup solutions are offered, including ones which are off-line. Bottom line: there is still room to improve the product to make it more secure for a non-specialized public. To me it appears the message Synology sends to us is: "We don’t care".

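The two checks from the post above, modelled in code as an added example (not the post author's or Synology's code): the deny rule for the LAN-only services against the public range 1.0.0.0 to 223.255.255.255 with your own LAN excluded, and a scan of access-log lines for guest logins from outside the LAN. The LAN range, the log line format and the sample log lines are constructed assumptions; adapt them to your own network and the log your NAS exports.

```python
import ipaddress
import re

# Services the post recommends closing when the NAS is not meant for internet use.
LAN_ONLY_SERVICES = {"NTP", "Bonjour", "FTP", "AFP", "CIFS", "NFS", "Telnet", "SSL"}

# Hypothetical home-network range (assumption); replace with your own LAN range.
TRUSTED_LAN = [ipaddress.ip_network("192.168.1.0/24")]

# Public range named in the post; the exclusion for TRUSTED_LAN is what keeps
# your own clients working, since 192.168.x.x falls inside this range too.
PUBLIC_LOW = ipaddress.ip_address("1.0.0.0")
PUBLIC_HIGH = ipaddress.ip_address("223.255.255.255")


def is_blocked(src_ip: str, service: str) -> bool:
    """True if the deny rule from the post would drop this connection."""
    ip = ipaddress.ip_address(src_ip)
    if not isinstance(ip, ipaddress.IPv4Address):
        return False  # the post's rule only covers IPv4 sources
    if service not in LAN_ONLY_SERVICES:
        return False
    if any(ip in net for net in TRUSTED_LAN):
        return False  # own network is explicitly excluded from the deny rule
    return PUBLIC_LOW <= ip <= PUBLIC_HIGH


# Constructed log format (assumption): "<date> <time> <user> <service> <src_ip>".
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def suspicious_guest_logins(lines):
    """Return (timestamp, service, src_ip) for guest logins from outside the LAN."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        ts, user, service, src = m.groups()
        if user.lower() != "guest":
            continue
        if any(ipaddress.ip_address(src) in net for net in TRUSTED_LAN):
            continue  # guest use from inside the LAN is not the case discussed
        hits.append((ts, service, src))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not a real DSM log
    "2019-04-18 02:11:07 guest CIFS 203.0.113.45",
    "2019-04-18 02:11:09 alice CIFS 192.168.1.20",
    "2019-04-18 02:12:30 guest CIFS 192.168.1.35",
    "2019-04-18 03:40:12 Guest FTP 198.51.100.9",
]
```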

Albert-S

Thank you for the detailed coverage of the issue. If you added some screenshots for the important settings, then this would be a complete user manual. It would be more than the developers could write if they wanted to.

But they didn’t really like or knew how to write a manual, they never did, because they talked to themselves "We don’t care. We don’t care. We don’t care"...

By the way, it is this meaning, "We don’t care", that is expressed in the phrase NamPoHyu if it is read in Russian, excluding the obscene vocabulary.


Hi Amigo-A

Thank you for your comment. I did add some screenshots (first I had to change the language, because I'm not using English). It turned out that the “configuration screen” was not correctly translated; in the original English layout it is called “Control Panel”. 😉

Anyway, if you read the Synology website it appears that for them security has a high priority, and moreover they offer a good bounty program for finding bugs. But this I would not regard as a bug: the problem is weak default settings, without any appropriate warning or correction. In my opinion it should not be possible to access the NAS by Samba via the internet at all when the NAS has not been configured for internet access. And whilst the protection available (<>protection given) is good, at the same time the possibilities to check the health of the system (when infected) appear to be limited.

11 hours ago, Albert-S said:

not be possible to access the NAS by Samba via the internet at all

I agree. This is a dubious and, as it turned out, the most dangerous option in all this "Sinology"...
External access could be a “software pad” that could be made to order. This directive could come from 'Above'.

On 5/11/2019 at 6:19 AM, DonB said:

Thank you. I will be monitoring. If anyone needs additional support or access to do additional analysis, I am happy to provide access to my server. It is Ubuntu 14.04.

I don't think that would help in this case. Access logs showing guest connections may help in tracking his activities, however beyond that we most likely won't learn anything new from your files.

Keep in mind that you can also report this to your national law enforcement, so that they can investigate this criminal:
https://www.nomoreransom.org/en/report-a-crime.html


On 5/11/2019 at 1:51 PM, Ajay said:

My NAS was affected by this too. I have tried running Mega Locker and it can't find the decrypter

In that case I recommend waiting until we are able to update our database to support decryption of your files.

On 5/14/2019 at 1:27 AM, GT500 said:

I don't think that would help in this case. Access logs showing guest connections may help in tracking his activities, however beyond that we most likely won't learn anything new from your files.

Keep in mind that you can also report this to your national law enforcement, so that they can investigate this criminal:
https://www.nomoreransom.org/en/report-a-crime.html


In that case I recommend waiting until we are able to update our database to support decryption of your files.

I really hope there's going to be a solution to this one day. My WD Mycloud is affected too

4 hours ago, Weissbrodt said:

I really hope there's going to be a solution to this one day. My WD Mycloud is affected too

We have to figure out more keys in order to add them to our database. Unfortunately there's no way to be certain how long that will take, so right now it's just a matter of waiting.


Me too! I have about 14TB of movies that are encrypted. (I would hate to have to rip them all again).


Just hold on until we can get more decryption keys added to our database. ;)


Had no luck with my files back in May. :(

And I have to ask, how often is the database with encryption keys updated?

Because I haven't seen a version change of the tool for the last 4 months...


I too am hoping for an update. I have about 2500 movies and about 10000 photos that I am hoping I can decrypt eventually. Suggestions??

6 hours ago, Mr_Ohrberg said:

And I have to ask, how often is the database with encryption keys updated?

It's not updated on any sort of regular basis. It would only be updated if there were more keys to add.


6 hours ago, Mr_Ohrberg said:

Because I haven't seen a version change of the tool for the last 4 months...

The database is on our servers. In theory it should never be necessary to update the decrypter.
