Forum Discussion
funglenn (Luminary), Apr 11, 2019
nampohyu on ReadyNAS
Is it possible that this new ransomware virus somehow infected my NAS shares? Not the shares, but the Linux OS itself? I am running 6.6.0.
funglenn (Luminary), Apr 11, 2019
All my anonymously accessible fileshares are encrypted with the .namphyu extension, with the txt file suggesting payment. All PCs on my network have their local files fine with no encryption. Only the NAS.
StephenB (Guru - Experienced User), Apr 12, 2019
funglenn wrote:
All my anonymously accessible fileshares are encrypted with the .namphyu extension, with the txt file suggesting payment. All PCs on my network have their local files fine with no encryption. Only the NAS.
Ouch - Sorry to hear that. It's conceivable that the NAS OS is infected - I haven't seen a writeup of Megalocker that clearly states what operating systems are vulnerable. But it's also possible that the files were infected through SAMBA access.
Do you have any fileshares on the NAS that aren't encrypted? (that is, shares that don't have anonymous access enabled).
Is your NAS accessible over the internet (for instance with ReadyCloud, FTP, OpenVPN, etc)?
Do you have any ports forwarded to the NAS in your router?
Do you have snapshots enabled on affected NAS shares?
It's possible that the NAS logs would show installation of the malware. So you could download the log zip file from the NAS web UI, and ask someone to analyze them for you. For instance, JohnCM_S or Hopchen.
After you get the logs, it might be wise to disconnect the NAS from the network (at least for now).
funglenn (Luminary), Apr 12, 2019
There has been some reporting that nampohyu is targeting NAS units. Admittedly, because I had compiled VirtualBox on my NAS, I had gotten lazy about updating. The shares that did not have anonymous write access were indeed unaffected, and I pulled down the data from the cloud to replace what was lost on the NAS.
I reformatted 2 of 5 PCs, but again all showed clean. I did have snapshots for my most important data (which was unaffected due to the right permissions being set).
However, I did an OS reinstall and followed it with an update to 9.6.5. All seems good; nothing else is affected, nor has one temp folder (left anonymous on purpose) been reinfected.
I do have it openly accessible via ReadyCloud, OpenVPN and Plex. I have shut off ReadyCloud and plan to lock down the other two. Now to reinstall VirtualBox! Nice update 9.6, by the way! I have downloaded the logs but cannot find anything out of the ordinary. Happy to send them in if it helps.
Also enabled the built-in antivirus on the NAS.
StephenB (Guru - Experienced User), Apr 12, 2019
funglenn wrote:
There has been some reporting that nampohyu is targeting NAS units.
I think the actual malware name is MegaLocker, though googling on nampohyu also brings up hits. It is a bit troubling, and even though this has been out there for 3-4 weeks there isn't much being said about it.
In any event, I also saw some reports of Synology NAS being affected, and one report of a WD NAS. It wasn't clear if the OS was infected, or if the files were encrypted via Samba. If the OS was infected, I'd expect it to encrypt all data files, since the OS clearly does have access to them all. Also, I'd expect to see packages installed on the NAS - which you are not seeing.
funglenn wrote:
I did have snapshots for my most important data (which was unaffected due to the right permissions being set).
Good to hear. Snapshots can be useful for ransomware protection - but unfortunately the NAS will start deleting them if the volume gets too full. So you need a lot of free space (order of 60%) in order to ensure that doesn't happen. It'd be ideal if there was a way to switch the volume to read-only if it gets too full (preserving the snapshots).
funglenn (Luminary), Apr 12, 2019
Also, at your suggestion Stephen, I checked. It was in the DMZ and did not need to be.
Who can I send my logs to, and how?
Also, FYI to all: I had my cloud backups set to not delete items that were deleted from the main location. Although this requires more storage, it means the ransomware's deletions of the primary files were not propagated to my automatic cloud backups! Another share was not so lucky, but not critical data...
StephenB (Guru - Experienced User), Apr 12, 2019
funglenn wrote:
Also, at your suggestion Stephen, I checked. It was in the DMZ and did not need to be.
That of course makes it wide open, especially if your ISP doesn't block inbound 139 or 445. I think that's more likely to be the vector than ReadyCloud, OpenVPN or Plex.
funglenn wrote:
Who can I send my logs to, and how?
Try sending a private message to one of the mods (perhaps JohnCM_S), and ask if they will review. Seems to me they should want to.
Hopchen is a former Netgear employee, and he also has been willing to analyze some logs.
As far as sending them goes, they can be emailed to Netgear, though I think most people are putting them in a cloud repository (Google Drive, Dropbox, etc.) and providing a link.
Don't post a link to the logs here, as there is some information leakage. You should instead send them via private message. The PM facility is the envelope icon in the upper right of the forum.
BTW, the recently released 6.10.0 software includes an optional audit log facility for x86 NAS (including your RN516). So you might look into that after you get this sorted out.
radziuxd (Aspirant), Apr 14, 2019
StephenB wrote:
But it's also possible that the files were infected through SAMBA access.
I had NamPoHyu too, until yesterday, on my NAS. My SMB access was on, but completely unnecessarily, because I use WebDAV to connect to the NAS. So I have a question: was this infection possible through WebDAV?
StephenB (Guru - Experienced User), Apr 14, 2019
radziuxd wrote:
I had NamPoHyu too, until yesterday, on my NAS. My SMB access was on, but completely unnecessarily, because I use WebDAV to connect to the NAS. So I have a question: was this infection possible through WebDAV?
What ports were forwarded to your NAS? Was it also in the DMZ?
I don't know if WebDAV can be a vector for this particular malware, but SMB/SAMBA seems more likely to me. That said, you shouldn't be allowing anonymous access to your files over the internet, and if you allow any access you should be using strong passwords.
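One defensive check that follows from this thread (the anonymous-writable shares were encrypted, the credentialed ones were not), added here as an example and not code from the thread or from NETGEAR: it parses a constructed Samba-style smb.conf and lists the shares a guest can write to. It assumes a plain smb.conf layout; on a ReadyNAS the shares are managed from the web UI, so it is meant for a copy of the generated config rather than the device's own tooling.

```python
# Added example, not from the thread or NETGEAR: flag smb.conf shares that
# allow anonymous (guest) writes, the setting that let the ransomware encrypt
# the anonymous shares while credentialed ones were spared. Constructed sample:
# "public" is guest-writable, "private" needs credentials, "scratch" uses the
# Samba synonyms "public" and "writable".
SAMPLE_SMB_CONF = """\
[public]
    path = /data/public
    guest ok = yes
    read only = no

[private]
    path = /data/private
    guest ok = no
    read only = no

[scratch]
    path = /data/scratch
    public = yes
    writable = yes
"""
YES = ("yes", "true", "1")  # boolean spellings Samba accepts

def parse_smb_conf(text):
    # Minimal parser: section name -> {lowercased key: value}; "#"/";" comments
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections

def anonymous_writable_shares(text):
    # Shares where an unauthenticated client can write: guest and not read-only
    flagged = []
    for name, opts in parse_smb_conf(text).items():
        if name.lower() == "global":  # defaults section, not a share
            continue
        guest = opts.get("guest ok", opts.get("public", "no")).lower() in YES
        writable = (opts["read only"].lower() not in YES if "read only" in opts
                    else opts.get("writable", opts.get("writeable", "no")).lower() in YES)
        if guest and writable:
            flagged.append(name)
    return flagged
```

Samba's default for "read only" is yes, so a share that sets neither "read only" nor "writable" is treated as read-only and not flagged.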
radziuxd (Aspirant), Apr 14, 2019
Thankfully I keep private files under password on another account, so only copies of movies and games have been infected.
My NAS forwards 39076 and 29897, the router forwards 22333, and well... yes, the NAS was in the DMZ.