Grzech

nampohyu NAS decrypt

Hi, 

 

I have a problem. The nampohyu virus encoded the files on my Synology NAS, I see on the web that there are many similar cases.
Is there a solution and tool for decoding files?


There is no public decrypter, but there is another solution.

In the near future another Visiting Expert will contact you about this problem. 

Perhaps you will succeed. There is hope, but this is not a 100% solution. 

 

Emsisoft has released a decryptor for MegaLocker (.nampohyu extension):

https://www.emsisoft.com/decrypter/megalocker

But besides this, you must understand that you can no longer use this device as you used it before.

Extortionists who attacked your devices exploited several vulnerabilities. Some NAS devices ship with a Samba server to ensure compatibility when sharing files between different operating systems. Samba developers fix vulnerabilities regularly.

After solving the problem with the files, you need to install all the released patches, if this has not been done before.

Official page with patches and descriptions of each vulnerability: https://www.samba.org/samba/history/security.html 

16 hours ago, Amigo-A said:

After solving the problem with the files, you need to install all the released patches, if this has not been done before.

Official page with patches and descriptions of each vulnerability: https://www.samba.org/samba/history/security.html 

He'll need to get firmware updates from Synology. Assuming of course that they still provide updates for his NAS.

He'll also need to go into the router configuration and make sure that there are no ports forwarded to the NAS, that the NAS is not configured as a DMZ, and turn off UPnP so that the NAS can't request that ports be forwarded for it automatically. Also, if possible, it is best to disable the guest user, since the ransomware creator was able to gain access to the devices as the guest user.


Yes, all these actions have already been done, access to SAMBA on the router is closed, the Guest account too. The Synology software has always been updated on a regular basis - but that did not help - unfortunately, as you can see.
So I am waiting for information and advice on how to decode these files - I will be grateful for your help.


The server I own was recently infiltrated with the .nampohyu ransomware. I have a Synology Diskstation that I use to store my DVD and Bluray collection, consisting mostly of direct backups of my collection (for DVDs it's file folders each containing the .VOB files and .IFO files for each individual movie. For Blurays, it's a folder for each movie that contains either an .ISO file of the disc or BDMV and CERTIFICATE folders for each individual movie). The files on my Diskstation are not 'encrypted' even though the ransom note would have you believe that. While I could physically wipe the server and re-load all my movies (they are in boxes in my basement), I've discovered a time-consuming solution for myself:

 For the DVDs, each movie was saved in an individual folder containing the AUDIO_TS and VIDEO_TS folders from the DVD. In the folders are the .VOB files, .IFO files and .BUP files. I used command prompts to bulk remove the .nampohyu extensions from the .VOB files. I found that the existing .IFO files were corrupted so I deleted them and renamed the accompanying .BUP files as .IFO files. This restored the functionality of the DVDs.

For the Blu-Rays, the ones that were saved as .ISO files, it seems that the .nampohyu ransomware corrupted the header in the .ISO file. I used the command prompt line to bulk delete the .nampohyu extensions on the files. Then I purchased a program called IsoBuster, loaded the .ISO file of the movie into it, then extracted the BDMV, CERTIFICATE and whatever other files were in the .ISO file into another folder. I'm assuming this got rid of the corrupted header in the original .ISO file because it brought the Bluray back to life.

It is a tedious process to do this for all my movies but at least I didn't lose my collection and be d***ed if I am going to pay some thief to return to me what is rightfully mine. Hope this information helps.

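The bulk rename and the .IFO repair described in the post above, written out as an added Python example. This is not the poster's own commands and not part of the original thread; it assumes the layout the post describes (one folder per movie holding a VIDEO_TS directory with .VOB, .IFO and .BUP files, with the ransomware having appended .nampohyu to filenames) and the upper-case filenames used on DVD-Video discs. Work on a copy, or keep untouched originals: renaming is not decryption, and if the files turn out to be genuinely encrypted you will want the originals for the decrypter. The demo at the bottom builds a constructed sample tree in a temporary directory rather than touching a real share.

```python
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Extension the ransomware appended to filenames, per the thread.
RANSOM_EXT = ".nampohyu"


def strip_extension(root: Path, dry_run: bool = False) -> list[tuple[Path, Path]]:
    """Remove RANSOM_EXT from every file below root.

    Returns (old, new) pairs. A file is skipped if the restored name already
    exists, so a previous partial run or an untouched copy is never clobbered.
    """
    renamed = []
    # Materialise the list first: renaming while iterating a lazy rglob is unsafe.
    for path in sorted(root.rglob("*" + RANSOM_EXT)):
        if not path.is_file():
            continue
        target = path.with_name(path.name[: -len(RANSOM_EXT)])
        if target.exists():
            continue
        if not dry_run:
            path.rename(target)
        renamed.append((path, target))
    return renamed


def restore_ifo_from_bup(video_ts: Path, dry_run: bool = False) -> list[Path]:
    """Rebuild each .IFO from its .BUP twin inside one VIDEO_TS directory.

    In DVD-Video the .BUP is a byte-for-byte backup of the .IFO, so copying it
    over a corrupted .IFO restores the navigation data. The post renamed .BUP
    to .IFO; this copies instead so the backup stays in place. Run
    strip_extension() first so the .BUP files carry their real names.
    """
    restored = []
    for bup in sorted(video_ts.glob("*.BUP")):
        ifo = bup.with_suffix(".IFO")
        if not dry_run:
            shutil.copy2(bup, ifo)
        restored.append(ifo)
    return restored


def run_demo() -> dict:
    """Build a constructed sample tree, repair it, and report what happened."""
    tmp = Path(tempfile.mkdtemp(prefix="nampohyu-demo-"))
    try:
        video_ts = tmp / "Some Movie" / "VIDEO_TS"
        video_ts.mkdir(parents=True)
        # Constructed sample files, not real DVD data: the VOB and the VMG
        # IFO/BUP pair were renamed by the ransomware, the VTS pair was not.
        # The .IFO contents are deliberately garbage ("corrupted" per the post);
        # the .BUP contents stand in for the intact backup.
        (video_ts / "VTS_01_1.VOB.nampohyu").write_bytes(b"\x00" * 16)
        (video_ts / "VIDEO_TS.IFO.nampohyu").write_bytes(b"\xff" * 8)
        (video_ts / "VIDEO_TS.BUP.nampohyu").write_bytes(b"DVDVIDEO-VMG")
        (video_ts / "VTS_01_0.IFO").write_bytes(b"\xff" * 8)
        (video_ts / "VTS_01_0.BUP").write_bytes(b"DVDVIDEO-VTS")

        renamed = strip_extension(tmp)
        restored = restore_ifo_from_bup(video_ts)
        return {
            "renamed": len(renamed),
            "restored": len(restored),
            "vmg_ifo": (video_ts / "VIDEO_TS.IFO").read_bytes(),
            "vts_ifo": (video_ts / "VTS_01_0.IFO").read_bytes(),
            "leftover": sorted(p.name for p in tmp.rglob("*" + RANSOM_EXT)),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real share, call strip_extension(Path("/volume1/movies"), dry_run=True) first and read the returned pairs before running it for real; then call restore_ifo_from_bup() once per VIDEO_TS directory. The .ISO repair the post describes (extracting the BDMV and CERTIFICATE folders with IsoBuster) is not covered here.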

If either of you would like to report this to the authorities for investigation (which will hopefully lead to the arrest of the criminal behind this ransomware), then you can find links to contact law enforcement in most countries at the following link:
https://www.nomoreransom.org/en/report-a-crime.html

Note that while reporting this to your local police is not a bad idea, it might also be prudent to report it to national authorities as well, since they will have more resources for investigating these kinds of crimes, and are often able to work with law enforcement in other countries in cases where the criminal is not domestic.

Note that the logs from the NAS may be helpful for authorities, as they will show the IP address of the server that was used by the criminal when he connected to your NAS. Information on where to get the logs can be found in the following post in another topic:


@FRezende06 and @hide I've asked the developer who made the decrypter to confirm why it's not working.

@FRezende06 if you could supply us with the ransom note and one or two encrypted files, then that may help us determine why your files can't be decrypted. Note that you can attach them to a post here, and only authorized experts will be allowed to download them.


OK, there are two known explanations for why the decrypter may not be able to decrypt your files:

  • There's a bug where sometimes the .NET framework being used will try to encrypt its connection to our servers using TLS 1.1, which is no longer in use due to security issues. Hopefully this will be fixed soon.
  • It's possible we don't have the decryption key for your files.


Yes, this ransomware is technically using a type of attack from an external source, however from what I have seen I do not think the attack requires anything more than some basic automation. Scanning for open ports, checking to see if the guest login works, and then proceeding with encrypting files on devices that allow connection via SMB and/or FTP. The entire process more than likely takes place remotely, and should be easily preventable.

To prevent it you should disable the guest account on any device that supports Windows Networking or FTP. You should also make sure that no ports are forwarded in your router to your NAS, and that no ports are forwarded to your computers for vulnerable services (Windows Networking/SMB/Samba, RDP, etc). Just as important as removing any dangerous port forwarding rules is disabling UPnP, as it allows devices to automatically request that your router forward ports for them, which can be extremely dangerous in the case of a NAS.

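The reconnaissance sequence described above (scan for open ports, then try the guest or anonymous login over FTP or SMB) and the controls from the earlier reply about router configuration (no forwarded ports, no DMZ, UPnP off, guest account disabled) can be checked from outside with a short script. This is an added Python example, not Emsisoft's or Synology's tooling and not part of the original thread. Run it from a host outside your own network against your public IP to see what the router actually exposes. It uses only the standard library: a TCP connect for each port in PORTS (FTP, SMB over NetBIOS and direct SMB, SSH, and the Synology DSM web UI defaults 5000/5001) and ftplib for an anonymous FTP login. It does not speak SMB, so an open 139/445 is reported for a manual guest-login check rather than tested, and it cannot tell you whether UPnP is enabled on the router. The target address and the port list are assumptions for illustration.

```python
import socket
from ftplib import FTP, all_errors

# Services the thread names as the attack surface (FTP, SMB/"Windows Networking")
# plus SSH and the DSM web UI defaults. Illustrative list, not exhaustive.
PORTS = {
    21: "ftp",
    22: "ssh",
    139: "smb (netbios session)",
    445: "smb (direct)",
    5000: "dsm http",
    5001: "dsm https",
}


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ftp_anonymous_login(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """True if the FTP server accepts an anonymous login (the 'guest' case)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # no arguments: user 'anonymous', anonymous password
        return True
    except all_errors:  # refused, timed out, or login rejected
        return False
    finally:
        ftp.close()


def assess(open_ports: dict, ftp_anonymous: bool) -> list:
    """Turn raw probe results into findings. Pure, so it is testable offline."""
    findings = []
    for port, name in sorted(PORTS.items()):
        if not open_ports.get(port):
            continue
        if port == 21:
            if ftp_anonymous:
                findings.append("FTP reachable and anonymous login accepted: "
                                "disable guest/anonymous FTP and remove the forward")
            else:
                findings.append("FTP reachable: remove the forward unless you need it from the internet")
        elif port in (139, 445):
            findings.append(f"{name} reachable: SMB should never face the internet; "
                            "remove the forward and check the guest account by hand")
        else:
            findings.append(f"{name} reachable: confirm this forward is intentional and the service is patched")
    return findings


def audit(host: str, timeout: float = 2.0) -> dict:
    """Probe every port in PORTS, try anonymous FTP if 21 is open, and assess."""
    open_ports = {p: port_open(host, p, timeout) for p in PORTS}
    ftp_anon = ftp_anonymous_login(host, timeout=timeout) if open_ports[21] else False
    return {"open": open_ports, "ftp_anonymous": ftp_anon,
            "findings": assess(open_ports, ftp_anon)}


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a TEST-NET placeholder; pass your public IP as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = audit(target)
    for port, is_open in sorted(result["open"].items()):
        print(f"{port:>5} {PORTS[port]:<22} {'OPEN' if is_open else 'closed'}")
    for line in result["findings"] or ["nothing in PORTS is reachable from here"]:
        print("-", line)
```

For the manual SMB check, `smbclient -N -L //<host>` from a Linux box attempts a share listing with no password; if it succeeds from the internet, the guest account is still usable and the port is still forwarded. A clean result from this script says nothing about UPnP: check that on the router itself, since a later device can re-open a forward automatically.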
17 hours ago, GT500 said:

Yes, this ransomware is technically using a type of attack from an external source, however from what I have seen I do not think the attack requires anything more than some basic automation. Scanning for open ports, checking to see if the guest login works, and then proceeding with encrypting files on devices that allow connection via SMB and/or FTP. The entire process more than likely takes place remotely, and should be easily preventable.

To prevent it you should disable the guest account on any device that supports Windows Networking or FTP. You should also make sure that no ports are forwarded in your router to your NAS, and that no ports are forwarded to your computers for vulnerable services (Windows Networking/SMB/Samba, RDP, etc). Just as important as removing any dangerous port forwarding rules is disabling UPnP, as it allows devices to automatically request that your router forward ports for them, which can be extremely dangerous in the case of a NAS.

I see.


I managed to decode all files without any problem. Of course, I've also implemented all security recommendations for my NAS for the future.
Thank you very much for your help! :))

16 hours ago, Grzech said:

I managed to decode all files without any problem. Of course, I've also implemented all security recommendations for my NAS for the future.
Thank you very much for your help! :))

You're welcome.

On 5/20/2019 at 8:28 PM, FRezende06 said:

When can we have a new version to decrypt the NamPoHyu megalocker?

We don't have an ETA on this. Hopefully it'll be soon, however it's not possible for us to know for certain yet.


Hi, Emsisoft, great job with your Megalocker decryptor! Thank you!

And my questions. I have used it to decrypt my files for some days, and today was the first time I got the "Key not found" message after I tried to generate it from the ransom note. It says "Unfortunately, we were unable to find a key to decrypt your files". Why did the decryptor suddenly stop working?

Thank you in advance!

13 hours ago, TheCourier said:

Why did the decryptor suddenly stop working?

There are two possibilities that we know of:

  • There is no key in the database for that ransom note.
  • Something interfered with the communication between our decrypter and our servers.
