funglenn
Apr 11, 2019 Luminary
nampohyu on Readynas
Is it possible that this new ransomware virus somehow infected my NAS shares? Not the shares but the Linux OS itself? I am running 6.6.0
bdmoy
May 08, 2019 Aspirant
Hello,
I have a ReadyNAS at work running the 6.9.5 firmware and I have currently run into the NamPoHyu ransomware virus as well. On some of my shared folders I can see files with a 1.pdf.nampohyu file extension and I also see some !DECRYPT_INSTRUCTION.TXT files. What do I do to get rid of this virus? I am also running on a Mac platform.
Thanks
- Sandshark May 08, 2019 Sensei
Restoring snapshots from before the attack should work. If you don't use snapshots, or if the encryption process filled your volume so much the snapshots got deleted, the only solution I know is to do a factory default and restore the files from your backup. And you should also look for how the virus got access to your NAS.
- bdmoy May 08, 2019 Aspirant
I have about 12 Shared folders on my ReadyNAS. One consistent thing I'm noticing is that I had under Network Access, there were some Shared folders that had "Allow anonymous access" checked. Those seem to be the only Shared folders that have the .nampohyu extensions on the files. I have never Restored snapshots before but I am subscribed and I have bought ReadyNAS Vault access. Would deleting and restoring those corrupted Shared folders be the most effective way of fixing this issue?
- funglenn May 08, 2019 Luminary
bdmoy wrote:
I have about 12 Shared folders on my ReadyNAS. One consistent thing I'm noticing is that I had under Network Access, there were some Shared folders that had "Allow anonymous access" checked. Those seem to be the only Shared folders that have the .nampohyu extensions on the files. I have never Restored snapshots before but I am subscribed and I have bought ReadyNAS Vault access. Would deleting and restoring those corrupted Shared folders be the most effective way of fixing this issue?
Just remember there is a difference between snapshots and vault access. Snapshots are part of your share--hidden but on your local NAS. The vault is through the internet. I would do the snapshots local (if you have that configured and working) since it will restore much quicker based on being on the NAS vs. over the internet.
Good luck. I decided to reformat and reinstall everything--apps and shares and info--and ensure my permissions were nailed down, followed by ensuring it was no longer so publicly accessible from the internet by locking down the firewall/network infrastructure.
- StephenB May 08, 2019 Guru - Experienced User
bdmoy wrote:
Hello,
I have a ReadyNAS at work running the 6.9.5 firmware and I have currently run into the NamPoHyu ransomware virus as well. On some of my shared folders I can see files with a 1.pdf.nampohyu file extension and I also see some !DECRYPT_INSTRUCTION.TXT files. What do I do to get rid of this virus?
This isn't exactly a virus. You've allowed public access to your NAS shares over the internet, and someone has taken advantage of that mistake.
So the first step is to stop allowing that public access. If the NAS is set up in the DMZ of your router, then change that setting. Also don't forward ports 137, 138, 139, and 445 to your NAS. If you must forward SMB, then make sure that you don't allow anonymous access and that you are using strong passwords.
After that, clean up the damage. Emsisoft recently released a free decrypter for Megalocker/Nampohyu that you could try using to recover your files: https://www.emsisoft.com/decrypter/megalocker It doesn't look like there is a version for Mac though; you'll need to run it under Windows. I haven't used this, or seen much posted about it.
Alternatively restore the lost files from a backup or a NAS snapshot (deleting any files left behind by the attacker).
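To scope the cleanup discussed in this thread, the following added example (not part of any post above, and not NETGEAR code) lists, per share, the files carrying the `.nampohyu` extension and the `!DECRYPT_INSTRUCTION.TXT` notes. It assumes each first-level directory under the scanned root is one share; the sample tree it builds is constructed, and the scan is read-only.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".nampohyu"            # extension reported in this thread
RANSOM_NOTE = "!DECRYPT_INSTRUCTION.TXT"  # note filename reported in this thread


def scan_shares(volume_root):
    """Return {share: {"encrypted": [...], "notes": [...]}} for affected shares.

    Assumption: every first-level directory under volume_root is one share.
    Shares with no hits are left out, so the keys are the affected shares.
    """
    report = defaultdict(lambda: {"encrypted": [], "notes": []})
    for share in sorted(os.listdir(volume_root)):
        share_path = os.path.join(volume_root, share)
        if not os.path.isdir(share_path):
            continue
        for dirpath, _dirs, files in os.walk(share_path):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), share_path)
                if name.lower().endswith(ENCRYPTED_SUFFIX):
                    report[share]["encrypted"].append(rel)
                elif name.upper() == RANSOM_NOTE:
                    report[share]["notes"].append(rel)
    return dict(report)


def build_sample_volume(root):
    """Constructed sample data: one affected share and one clean share."""
    layout = [
        "public/1.pdf.nampohyu",
        "public/!DECRYPT_INSTRUCTION.TXT",
        "public/sub/report.docx.nampohyu",
        "private/budget.xlsx",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        for share, hits in scan_shares(tmp).items():
            print(f"{share}: {len(hits['encrypted'])} encrypted, {len(hits['notes'])} notes")
```

Comparing the affected share names against the shares that allow anonymous access shows whether the damage is limited to those shares.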