funglenn
Apr 11, 2019 · Luminary
nampohyu on Readynas
Is it possible that this new ransomware virus somehow infected my NAS shares? Not the shares but the Linux OS itself? I am running 6.6.0
StephenB
Apr 11, 2019 · Guru - Experienced User
funglenn wrote:
Is it possible that this new ransomware virus somehow infected my NAS shares?
What symptoms are you seeing that make you suspect this?
funglenn wrote:
I am running 6.6.0
Pretty old firmware (Oct 2016). Lots of security fixes since then, so you should upgrade.
- funglenn · Apr 11, 2019 · Luminary
All my anonymous accessible fileshares are encrypted with the .namphyu extension, with the txt file suggesting payment. All PCs on my network have their local files fine with no encryption. Only the NAS.
- StephenB · Apr 12, 2019 · Guru - Experienced User
funglenn wrote:
All my anonymous accessible fileshares are encrypted with the .namphyu extension, with the txt file suggesting payment. All PCs on my network have their local files fine with no encryption. Only the NAS.
Ouch - Sorry to hear that. It's conceivable that the NAS OS is infected - I haven't seen a writeup of Megalocker that clearly states what operating systems are vulnerable. But it's also possible that the files were infected through SAMBA access.
Do you have any fileshares on the NAS that aren't encrypted? (that is, shares that don't have anonymous access enabled).
Is your NAS accessible over the internet (for instance with ReadyCloud, FTP, OpenVPN, etc)?
Do you have any ports forwarded to the NAS in your router?
Do you have snapshots enabled on affected NAS shares?
It's possible that the NAS logs would show installation of the malware. So you could download the log zip file from the NAS web UI, and ask someone to analyze them for you. For instance, JohnCM_S or Hopchen.
After you get the logs, it might be wise to disconnect the NAS from the network (at least for now).
- funglenn · Apr 12, 2019 · Luminary
There has been some reporting that namphoyu is targeting NAS units. Admittedly, because I had compiled VirtualBox on my NAS, I had gotten lazy about updating. The shares that did not have anonymous write access were indeed unaffected, and I pulled down the data from the cloud to replace what was lost on the NAS.
I reformatted 2 of 5 PCs but again all showed clean. I did have a snapshot for my most important data (which was unaffected due to the right permissions being set).
However, I did an OS reinstall and followed it with an update to 9.6.5. All seems good and nothing else is affected, nor has one temp folder (left anonymous on purpose) been reinfected.
I do have it open and accessible via ReadyCloud, OpenVPN and Plex. I have shut off ReadyCloud and plan to lock down the other two. Now to reinstall VirtualBox! Nice update 9.6, by the way! I have downloaded the logs but cannot find anything out of the ordinary. Happy to send them in if it helps.
Also enabled the built in Antivirus on the NAS
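The thread's finding was that only shares with anonymous write access were encrypted. As an added example (not part of the original posts and not NETGEAR code), the following lists guest-writable shares from a configuration in Samba `smb.conf` syntax; the sample text, share names and function names are constructed for illustration, and backslash line continuations are not handled.

```python
# Constructed sample in smb.conf syntax (not taken from any real NAS).
SAMPLE_SMB_CONF = """\
[global]
    map to guest = Bad User
[backup]
    path = /data/backup
    writable = yes
[temp]
    path = /data/temp
    public = yes
    read only = no
[media]
    path = /data/media
    guest ok = yes
"""
TRUTHY = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and spaces in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.replace(" ", "").lower()] = value.strip().lower()
    return sections

def _flag(scopes, names, inverted, default):
    """Resolve a boolean from the share first, then [global], then the default."""
    for scope in scopes:
        for n in names:
            if n in scope:
                return scope[n] in TRUTHY
        for n in inverted:                        # e.g. writable = not read only
            if n in scope:
                return scope[n] not in TRUTHY
    return default

def guest_writable_shares(text):
    """List shares that allow guest (anonymous) access and are not read-only."""
    sections = parse_smb_conf(text)
    glob = sections.pop("global", {})
    risky = []
    for name, share in sections.items():
        guest = _flag((share, glob), ("guestok", "public"), (), False)
        read_only = _flag((share, glob), ("readonly",),
                          ("writable", "writeable", "writeok"), True)
        if guest and not read_only:
            risky.append(name)
    return risky
```

On the constructed sample only `temp` is reported: `backup` is writable but requires a login, and `media` allows guests but keeps Samba's read-only default.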