× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

RN212 BotNet or Hacked Infection

Zizuar
Aspirant

RN212 BotNet or Hacked Infection

So over the last 4 months I have had some rather unfortunate issues with my work and home network. Our office was hit with ransomware and infected with various other malware bloom issues when our network admin tried to stop it. I unfortunatly took some of that mess home with me. Other than unrelated issues with my C7800 modem/router which I will be posting in another forum about, my only remaining network issue lies with my RN212 ReadyNAS device. I have 2 Red Pro 4TB HDD's in this thing almost full to the brim with various development projects, all my music and some unreplaceable videos. Twice I have brough it back online to try and make sure it is safe, but both times within 24-48 hours I have what appears to be botnet activity and then network intrusions or attempts on various other computers and devices. Normally I would wipe the drives and start over with backups and redundant storage I have setup.. but I already had to wipe even my backups. While I have no idea where is the myriad of data the corrupted or whatever it is files might be hiding I know certain things that are definitly safe and I want to extract. Problem is I can't access them without hooking up the NAS and exposing whatever plays havoc with things. Since wiping the drive means some sentimental memory loss as well as loss on code not uploaded to git or some other 3d prototype files does anyone know of a way that i can access the files without exposing the bad stuff to even an offline LAN? Any suggestions would be helpful.

Model: RN212|2 BAY Desktop ReadyNAS Storage
Message 1 of 2

Accepted Solutions
StephenB
Guru

Re: RN212 BotNet or Hacked Infection


@Zizuar wrote:

So over the last 4 months I have had some rather unfortunate issues with my work and home network. Our office was hit with ransomware and infected with various other malware bloom issues when our network admin tried to stop it.

 

You'll need to expose it to your home network (or at least one PC) for a short time, so be sure that PC is backed up.   You should install at least one antimalware software package on the PC that offers real-time protection.  Perhaps turn off SMB file sharing, as that is likely the main vector for spreading the infection.  Also, disconnect the router WAN port when you power up the NAS again.  Turn off or disconnect or turn off everything but the PC before you turn on the NAS.

 

After that you set a static IP address on the NAS, but deliberately misconfigure the gateway.  That will prevent the NAS from reaching the internet.  Also, disable all the file sharing protocols (SMB, AFP, NFS) - as the spread to other PCs might involve these protocols.

 

Then set up USB backup jobs to back up the network shares, and tie those to the backup button. 

 

After that you can disconnect the NAS from the network, and turn everything back on again.  Connect an NTFS formatted USB disk to the NAS that is large enough to hold all the files, and use the backup button to back them up.  You should scan the files for malware on the PC with the real-time protection after they are backed up (disconnecting the PC from the network before connecting the drive).

 

An alternative approach (though more expensive) is to purchase ReclaiMe RAID recovery software.  If you are using XRAID or RAID-1, then connect one of the RN212 drives to a PC with a USB adapter/dock.  If you are using jbod or RAID-0 you'll need to connect both.  The PC wouldn't recognize the disk formatting, so it is insulated from the malware.  Then use ReclaiMe to copy the files off the data volume to a USB disk.  You'd still need to have the PC to be backed up, with real-time malware protection installed, and disconnected from your network - since the data files you are extracting from the NAS drive might be infected.  

 

 

 

View solution in original post

Message 2 of 2

All Replies
StephenB
Guru

Re: RN212 BotNet or Hacked Infection


@Zizuar wrote:

So over the last 4 months I have had some rather unfortunate issues with my work and home network. Our office was hit with ransomware and infected with various other malware bloom issues when our network admin tried to stop it.

 

You'll need to expose it to your home network (or at least one PC) for a short time, so be sure that PC is backed up.   You should install at least one antimalware software package on the PC that offers real-time protection.  Perhaps turn off SMB file sharing, as that is likely the main vector for spreading the infection.  Also, disconnect the router WAN port when you power up the NAS again.  Turn off or disconnect or turn off everything but the PC before you turn on the NAS.

 

After that you set a static IP address on the NAS, but deliberately misconfigure the gateway.  That will prevent the NAS from reaching the internet.  Also, disable all the file sharing protocols (SMB, AFP, NFS) - as the spread to other PCs might involve these protocols.

 

Then set up USB backup jobs to back up the network shares, and tie those to the backup button. 

 

After that you can disconnect the NAS from the network, and turn everything back on again.  Connect an NTFS formatted USB disk to the NAS that is large enough to hold all the files, and use the backup button to back them up.  You should scan the files for malware on the PC with the real-time protection after they are backed up (disconnecting the PC from the network before connecting the drive).

 

An alternative approach (though more expensive) is to purchase ReclaiMe RAID recovery software.  If you are using XRAID or RAID-1, then connect one of the RN212 drives to a PC with a USB adapter/dock.  If you are using jbod or RAID-0 you'll need to connect both.  The PC wouldn't recognize the disk formatting, so it is insulated from the malware.  Then use ReclaiMe to copy the files off the data volume to a USB disk.  You'd still need to have the PC to be backed up, with real-time malware protection installed, and disconnected from your network - since the data files you are extracting from the NAS drive might be infected.  

 

 

 

Message 2 of 2
Top Contributors
Discussion stats
  • 1 reply
  • 967 views
  • 1 kudo
  • 2 in conversation
Announcements