is it possible that this new ransomware virus some how infected my NAS shares? not the shares but linux OS itself? i am runnign 6.6.0

funglenn wrote: also at your suggestion Stephen--checked. It was on the DMZ and did not need to be. That of course makes it wide open, especially if your ISP doesn't block inbound 139 or 445. I think that's more likely to be the vector than ReadyCloud, OpenVPN or Plex. funglenn wrote: who/how can i send my logs? Try sending a private message to one of the mods (perhaps JohnCM_S ), and ask if they will review. Seems to me they should want to. Hopchen is a former netgear employee, and he also has been willing to analyze some logs. As far as sending them goes, they can be emailed to Netgear, though I think most people are putting them in a cloud repository (google drive, dropbox, etc) and provding a link. Don't post a link to the logs here, as there is some information leakage. You should instead send them via private message. The PM facility is the envelope icon in the upper right of the forum. BTW, the recently released 6.10.0 software includes an optional audit log facility for x86 NAS including your RN516). So you might look into that after you get this sorted out.

funglenn wrote: is it possible that this new ransomware virus some how infected my NAS shares? What symptoms are you seeing that make you suspect this? funglenn wrote: i am runnign 6.6.0 Pretty old firmware (Oct 2016). Lots of security fixes since then, so you should upgrade.

all my anonymous accessible fileshares are encrypted with the .namphyu extenstion with the txt file suggesting payment. all PCs on my network have their local files fine with no encryption. only the NAS.

funglenn wrote: all my anonymous accessible fileshares are encrypted with the .namphyu extenstion with the txt file suggesting payment. all PCs on my network have their local files fine with no encryption. only the NAS. Ouch - Sorry to hear that. It's conceivable that the NAS OS is infected - I haven't seen a writeup of Megalocker that clearly states what operating systems are vulnerable. But it's also possible that the files were infected through SAMBA access. Do you have any fileshares on the NAS that aren't encrypted? (that is, shares that don't have anonymous access enabled). Is your NAS accessible over the internet (for instance with ReadyCloud, FTP, OpenVPN, etc)? Do you have any ports forwarded to the NAS in your router? Do you have snapshots enabled on affected NAS shares? It's possible that the NAS logs would show installation of the malware. So you could download the log zip file from the NAS web UI, and ask someone to analyze them for you. For instance, JohnCM_S or Hopchen. After you get the logs, it might be wise to disconnect the NAS from the network (at least for now).

There has been some reporting that namphoyu is targeting NAS units. Admittedly becuase i had compiled virtualbox on my NAS, i had gotten lazy about updating. The shares that did not have anonymous write access were indeed unaffected. and I pulled down the data from the cloud to replace what was lost on the NAS. I reformatted 2 of 5 PCs but again all showed clean. i did have snapshot for my most important data (which was unaffected due to right permissions set). however i did an OS reinstall and followed it with update to 9.6.5. All seems good and nothing else is affected nor has one temp folder (left anonymous on purpose) been reinfected. I do have it open accessible via readycloud, OPENVPN and Plex. I have shut off readycloud and plan to lock down the other two. Now to reinstall Virtualbox! nice update 9.6 by the way! i have downloaded the logs but cannot find anything out of the ordinary. happy to send them in if it helps. Also enabled the built in Antivirus on the NAS

nampohyu on Readynas | NETGEAR Communities

23 Replies

StephenB
Guru
Apr 11, 2019
funglenn wrote:

is it possible that this new ransomware virus some how infected my NAS shares?

What symptoms are you seeing that make you suspect this?

funglenn wrote:

i am runnign 6.6.0

Pretty old firmware (Oct 2016). Lots of security fixes since then, so you should upgrade.
- funglenn
  Luminary
  Apr 11, 2019
  all my anonymous accessible fileshares are encrypted with the .namphyu extenstion with the txt file suggesting payment. all PCs on my network have their local files fine with no encryption. only the NAS.
  - StephenB
    Guru
    Apr 12, 2019
    funglenn wrote:
    
    all my anonymous accessible fileshares are encrypted with the .namphyu extenstion with the txt file suggesting payment. all PCs on my network have their local files fine with no encryption. only the NAS.
    
    Ouch - Sorry to hear that. It's conceivable that the NAS OS is infected - I haven't seen a writeup of Megalocker that clearly states what operating systems are vulnerable. But it's also possible that the files were infected through SAMBA access.
    
    Do you have any fileshares on the NAS that aren't encrypted? (that is, shares that don't have anonymous access enabled).
    
    Is your NAS accessible over the internet (for instance with ReadyCloud, FTP, OpenVPN, etc)?
    
    Do you have any ports forwarded to the NAS in your router?
    
    Do you have snapshots enabled on affected NAS shares?
    
    It's possible that the NAS logs would show installation of the malware. So you could download the log zip file from the NAS web UI, and ask someone to analyze them for you. For instance, JohnCM_S or Hopchen.
    
    After you get the logs, it might be wise to disconnect the NAS from the network (at least for now).
bdmoy
Aspirant
May 08, 2019
Hello,

I have a ReadyNAS at work running the 6.9.5 firmware and I have currently ran into the NamPoHyu ransomware virus as well. On some of my shared folders I an see files with a 1.pdf.nampohyu file extension and I also see some !DECRYPT_INSTRUCTION.TXT files. What do I do to get rid of this virus? I am also running on a Mac platform.

Thanks
- Sandshark
  Sensei
  May 08, 2019
  Restoring snapshots from before the attack should work. If you don't use snapsots, or if the encryption process filled your volume so much the snapshots got deleted, the only solution I know is to do a factory default and restore the files from your backup. And you also look for how the virus got access to your NAS.
  - bdmoy
    Aspirant
    May 08, 2019
    I have about 12 Shared folders on my ReadyNAS. One consistant thing I'm noticing is that I had under Network Access, there were some Shared folders that had "Allow annonymous access" checked. Those seem to be the only Shared folders that have the .nampohyu extensions on the files. I have never Restored snapshots before but I am subscribed and I have bought ReadyNAS Vault access. Would deleting and restoring those corrupted Shared folders be the most effective way of fixing this issue?
- StephenB
  Guru
  May 08, 2019
  bdmoy wrote:
  
  Hello,
  
  I have a ReadyNAS at work running the 6.9.5 firmware and I have currently ran into the NamPoHyu ransomware virus as well. On some of my shared folders I an see files with a 1.pdf.nampohyu file extension and I also see some !DECRYPT_INSTRUCTION.TXT files. What do I do to get rid of this virus?
  
  This isn't exactly a virus. You've allowed public access to your NAS shares over the internet, and someone has taken advantage of that mistake.
  
  So the first step is to stop allowing that public access. If the NAS is set up in the DMZ of your router, then change that setting. Also don't forward ports 137,138,139, and 445 to your NAS. If you must forward SMB, then make sure that you don't allow anonymous access and that you are using strong passwords.
  
  After that, clean up the damage. Emisoft recently released a free decrypter for Megalocker/Nampohyu that you could try using to recover your files: https://www.emsisoft.com/decrypter/megalocker It doesn't look like there is a version for Mac though, you'll need to run it under Windows. I haven't used this, or seen much posted about it.
  
  Alternatively restore the lost files from a backup or a NAS snapshot (deleting any files left behind by the attacker).

Forum Discussion

nampohyu on Readynas

23 Replies

Related Content

ReadyNas 212 HELP needed

admin password discrepancy. ReadyNas 4312

ReadyNas 104

ReadyNAS 628x version 6.10.9 applications

Using my ReadyNAS 104 from Linux with NFS

NETGEAR Academy

ProSupport for Business