Author Topic: Ransomware Infects D-Link NAS Devices  (Read 21756 times)

JavaLawyer

  • BETA Tester
  • Level 15 Member
  • *
  • Posts: 12190
  • D-Link Global Forum Moderator
    • FoundFootageCritic
Re: Ransomware Infects D-Link NAS Devices
« Reply #30 on: March 03, 2019, 08:29:16 AM »

For those of you who are not yet infected, please read this post for precautionary measures: http://forums.dlink.com/index.php?topic=74600.0
Logged
Find answers here: D-Link ShareCenter FAQ I D-Link Network Camera FAQ
There's no such thing as too many backups FFC

pecirepi

  • Level 1 Member
  • *
  • Posts: 2
Re: Ransomware Infects D-Link NAS Devices
« Reply #31 on: March 04, 2019, 06:36:02 AM »

Bosnia and Herzegovina.
What region are you located?
Latest is v1.11: http://forums.dlink.com/index.php?topic=73863.0

I have the same situation: my DNS-320 was affected and all data on volume 1 was encrypted (25.2.2019), and backup volume 2 was backed up the same day at midnight. My question is: has anyone tried to recover files? Is it possible to use any of the tools to recover from the backup volume, since this volume is used only once a day during backup? MY DEVICE: DNS-320, FIRMWARE 1.02. This is the latest for this hardware on the D-Link website.
Inside are 2 HDD drives from WD, WD30EZRX 3TB drives.
Any help will be appreciated. These are mostly binary files; the work of the last 15 years is destroyed.
Thank you.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Ransomware Infects D-Link NAS Devices
« Reply #32 on: March 04, 2019, 06:51:04 AM »

FW located here for your region:
https://eu.dlink.com/ba/hr/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure#support

Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

1funryd

  • Level 1 Member
  • *
  • Posts: 2
Re: Ransomware Infects D-Link NAS Devices
« Reply #33 on: March 08, 2019, 06:37:57 AM »

Another victim here. Location in WA, USA. According to the files' modification dates, my NAS was hit on 2-23-2019.
I did notice on that day that the NAS was working really hard while I was watching TV, and I was not trying to access anything on it.
I got suspicious of it, and disconnected the NAS.
Not thinking about it too much, I reconnected it and then accessed the files, and everything seemed fine until days later, when I decided to open up a file and got the message "This file is not supported."
I have been searching the net for solutions, to no avail.
All my data is on the NAS, and although I always intended to back up my data to an external USB drive as well for my 3rd layer, I never got around to it.
So I am stuck, with years of information and crucial data locked away.
After reading this thread, I noticed a member stated they logged in and looked at their user accounts and noticed different groups and users were created.
I just now realized I cannot even log in with my admin or own user account because it does not recognize me or my credentials.
This is embarrassing and stupid on my part. But the biggest takeaway is that I have lost everything, from precious photos to custom files I had created for my small business.
I have my NAS on my home network hooked up to the main router.
I should have used multiple networks to try to at least hide the NAS, but never thought I would have this issue.
If anyone has any advice for trying to recover the data I would appreciate it.
I might still have an IDE back drive where all the older files were from, but it's a 50/50 chance that drive is still viable.
Logged

Picchio

  • Level 1 Member
  • *
  • Posts: 24
Re: Ransomware Infects D-Link NAS Devices
« Reply #34 on: March 09, 2019, 02:37:57 AM »

Same for me, from Italy.
The entire NAS is compromised; files are dated Feb 23.
The firmware is very old and I can't upgrade it, it always fails... I do not know why... I tried several releases with several browsers, also with cascade unzipping...
About the problem, some people are saying a brute-force could help, but I suspect it would take so much time to find it...
Is it possible to start the NAS in a safe mode and manually remove the ARM file?
I also found the following: https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html
It seems some people identified the crypto library used by those criminals... hoping they will find some more info to help find a decipher method.
G
Logged

ivan

  • Level 8 Member
  • ***
  • Posts: 1480
Re: Ransomware Infects D-Link NAS Devices
« Reply #35 on: March 10, 2019, 10:18:23 AM »

The only safe way to have any NAS box accessible from the internet is to have a dedicated firewall between the modem and router/switch. When the company I set up was doing nightly NAS backups for our clients, I insisted that they used a VPN-equipped firewall to protect their LAN, and the VPN was the only connection we had with them. In 8 years none of their networks were compromised. OK, it is not cheap and requires careful setup (600 to 800 euro plus a fee for the yearly updates), but now there are cheaper units available from manufacturers like TP-Link (example: TL-R600VPN), but they require good password discipline on the Admin account as well as a reasonable knowledge of what whoever is doing the setup is doing.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Ransomware Infects D-Link NAS Devices
« Reply #36 on: March 10, 2019, 10:35:45 AM »

Also, users need GOOD discipline to manage and configure their NAS to begin with. Letting a NAS go un-updated is probably not wise in the first place. Putting one's NAS into the DMZ is completely not wise at all.

Though I left my NAS using older FW, it's been updated and I have never had any compromise with it. I have never used the DMZ for NAS, period. I'm now using the Block feature of the main host router to help avoid issues, though possible compromise could come in from a PC on the same network.

Firewalls would be a great suggestion for those with lots of data, lots of NAS devices and historical, crucial or high priority data.

I found a firewall appliance device in my stash, however its last FW is dated 2012 and nothing since then, so I presume this device would not be ideal long term.
« Last Edit: March 10, 2019, 10:38:11 AM by FurryNutz »
Logged

Kywalh

  • Level 1 Member
  • *
  • Posts: 2
Re: Ransomware Infects D-Link NAS Devices
« Reply #37 on: March 12, 2019, 11:44:30 AM »

Same problem in France...
All my data are encrypted.
I opened a ticket but no information yet...
Has anyone paid or at least entered in contact with these hackers ?
Logged

Kywalh

  • Level 1 Member
  • *
  • Posts: 2
Re: Ransomware Infects D-Link NAS Devices
« Reply #38 on: March 12, 2019, 11:47:15 AM »

BTW, a friend of mine has the same NAS and same situation, all files encrypted !!! 😠😠😠
Logged

marcgv

  • Level 1 Member
  • *
  • Posts: 8
Re: Ransomware Infects D-Link NAS Devices
« Reply #39 on: March 23, 2019, 08:59:38 AM »

My firmware is 1.09 and I'm not infected.

Try this: https://www.youtube.com/watch?v=nIWdZ0qDD54

Remove the drive, put it in a PC and use the software to try to read the files.
Logged

ivan

  • Level 8 Member
  • ***
  • Posts: 1480
Re: Ransomware Infects D-Link NAS Devices
« Reply #40 on: March 26, 2019, 06:50:23 AM »

That video assumes that the files are not encrypted. In the cases we are looking at in this thread the files have been encrypted, which, unless you have the required key, makes them useless: even though you can copy them from the NAS, you still can't open them.
Logged

Amadeus

  • Level 1 Member
  • *
  • Posts: 1
Re: Ransomware Infects D-Link NAS Devices
« Reply #41 on: January 06, 2020, 01:04:36 AM »

Hi, I found one way.

I put a USB with 3 pictures and 1 video into my D-Link. These files were immediately encrypted. As I watched this process, the cryptor makes a work file. When it's done, the cryptor deletes the original file and renames the work file as the original.

Question - "for sure"?

Answer - "NO"!

I put this USB into a PC and recovered the original files with "MiniTool Power Data Recovery".

Not all files are recovered; it depends on how big and how old these files are, and also on how much free space is on the disk. I've recovered 90% of the photos and about 10 video files from the D-Link RAID1 disk.
Logged
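
An added illustration, not part of the thread and not the method of any tool named in it: Reply #41 describes the encryptor writing a work file, deleting the original and renaming, which leaves the original's blocks on disk until they are reused. This Python sketch shows one way a recovery tool can find intact deleted JPEGs in a raw disk image by validating segment structure; the function names and the sample "disk" are constructed for this example, and it assumes files are stored contiguously.

```python
import struct

# Markers allowed between scans of one JPEG: DHT, SOS, DQT, DNL, DRI, COM.
BETWEEN_SCANS = {0xC4, 0xDA, 0xDB, 0xDC, 0xDD, 0xFE}

def jpeg_length(buf, start):
    """Byte length of a structurally intact JPEG at `start`, else None."""
    pos, in_scan = start + 2, False          # step over SOI (FF D8)
    while True:
        if in_scan:                          # entropy-coded data: jump to next FF
            pos = buf.find(b"\xff", pos)
        if pos == -1 or pos + 2 > len(buf) or buf[pos] != 0xFF:
            return None                      # ran off the image or lost marker sync
        m = buf[pos + 1]
        if in_scan and m == 0xD9:            # EOI reached: file is complete
            return pos + 2 - start
        if in_scan and (m in (0x00, 0xFF) or 0xD0 <= m <= 0xD7):
            pos += 1 if m == 0xFF else 2     # byte stuffing, fill or restart marker
            continue
        if in_scan and m not in BETWEEN_SCANS:
            return None                      # foreign bytes: tail was overwritten
        if m in (0x00, 0xFF) or 0xD0 <= m <= 0xD9:
            return None                      # not a length-prefixed header segment
        seg = buf[pos + 2:pos + 4]
        if len(seg) < 2 or (n := struct.unpack(">H", seg)[0]) < 2:
            return None                      # truncated or impossible segment length
        pos += 2 + n
        in_scan = m == 0xDA                  # SOS starts entropy-coded scan data

def carve(buf):
    """Return (offset, length) for every intact JPEG found in a raw image."""
    hits, pos = [], 0
    while (pos := buf.find(b"\xff\xd8\xff", pos)) != -1:
        n = jpeg_length(buf, pos)
        if n:
            hits.append((pos, n))
        pos += n or 2                        # skip the file, or just the bad SOI
    return hits

def fake_jpeg(scan):
    """Constructed test data: valid JPEG segment layout, not a viewable picture."""
    seg = lambda m, body: bytes([0xFF, m]) + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xDA, bytes(10)) + scan + b"\xff\xd9"

# Constructed "disk": A intact, B with its second half overwritten by zeros, C intact.
A = fake_jpeg(b"\x11" * 200 + b"\xff\x00" + b"\x22" * 200)
B = fake_jpeg(b"\x33" * 400)
C = fake_jpeg(b"\x44" * 300)
IMAGE = bytes(512) + A + bytes(100) + B[:len(B) // 2] + bytes(len(B) // 2) + C
print(carve(IMAGE))                          # B is skipped: its blocks were reused
```

Run a scan like this against a read-only copy of the disk, since every write to the original volume can overwrite blocks that still hold deleted files.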

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Ransomware Infects D-Link NAS Devices
« Reply #42 on: January 08, 2020, 12:29:54 PM »

What is this "MiniTool Power Data Recovery" tool?


Logged

superbigjay

  • Level 1 Member
  • *
  • Posts: 1
Re: Ransomware Infects D-Link NAS Devices
« Reply #43 on: February 10, 2021, 07:39:01 AM »

What is this "MiniTool Power Data Recovery" tool?

My guess is:
https://www.minitool.com/data-recovery-software/free-for-windows.html
Logged