
Re: nampohyu on Readynas

funglenn
Luminary

nampohyu on Readynas

Is it possible that this new ransomware virus somehow infected my NAS shares? Not the shares, but the Linux OS itself? I am running 6.6.0

Model: RN51600|ReadyNAS 516 6-Bay Diskless
Message 1 of 24
StephenB
Guru

Re: nampohyu on Readynas


@funglenn wrote:

Is it possible that this new ransomware virus somehow infected my NAS shares?

 


What symptoms are you seeing that make you suspect this?

 


@funglenn wrote:

I am running 6.6.0


Pretty old firmware (Oct 2016).  Lots of security fixes since then, so you should upgrade.

Message 2 of 24
funglenn
Luminary

Re: nampohyu on Readynas

All my anonymously accessible file shares are encrypted with the .nampohyu extension, with the txt file suggesting payment. All PCs on my network have their local files fine with no encryption. Only the NAS.

Message 3 of 24
StephenB
Guru

Re: nampohyu on Readynas


@funglenn wrote:

All my anonymously accessible file shares are encrypted with the .nampohyu extension, with the txt file suggesting payment. All PCs on my network have their local files fine with no encryption. Only the NAS.


Ouch - Sorry to hear that.  It's conceivable that the NAS OS is infected - I haven't seen a writeup of Megalocker that clearly states what operating systems are vulnerable.  But it's also possible that the files were infected through SAMBA access.

 

Do you have any fileshares on the NAS that aren't encrypted? (that is, shares that don't have anonymous access enabled).

Is your NAS accessible over the internet (for instance with ReadyCloud, FTP, OpenVPN, etc)?

Do you have any ports forwarded to the NAS in your router?

Do you have snapshots enabled on affected NAS shares?

 

It's possible that the NAS logs would show installation of the malware.  So you could download the log zip file from the NAS web UI, and ask someone to analyze them for you.  For instance, @JohnCM_S or @Hopchen.

 

After you get the logs, it might be wise to disconnect the NAS from the network (at least for now).

Message 4 of 24
funglenn
Luminary

Re: nampohyu on Readynas

There has been some reporting that nampohyu is targeting NAS units. Admittedly, because I had compiled VirtualBox on my NAS, I had gotten lazy about updating. The shares that did not have anonymous write access were indeed unaffected, and I pulled down the data from the cloud to replace what was lost on the NAS.

 

I reformatted 2 of 5 PCs, but again all showed clean. I did have snapshots for my most important data (which was unaffected due to the right permissions being set).

 

However, I did an OS reinstall and followed it with an update to 9.6.5. All seems good, nothing else is affected, nor has one temp folder (left anonymous on purpose) been reinfected.

 

I do have it openly accessible via ReadyCLOUD, OpenVPN and Plex. I have shut off ReadyCLOUD and plan to lock down the other two. Now to reinstall VirtualBox! Nice update 9.6, by the way! I have downloaded the logs but cannot find anything out of the ordinary. Happy to send them in if it helps.

 

Also enabled the built-in antivirus on the NAS.

Message 5 of 24
StephenB
Guru

Re: nampohyu on Readynas


@funglenn wrote:

There has been some reporting that nampohyu is targeting NAS units.


I think the actual malware name is MegaLocker, though googling on nampohyu also brings up hits. It is a bit troubling, and even though this has been out there for 3-4 weeks there isn't much being said about it.

 

In any event, I also saw some reports of Synology NAS being affected, and one report of a WD NAS.  It wasn't clear if the OS was infected, or if the files were encrypted via Samba.  If the OS was infected, I'd expect it to encrypt all data files, since the OS clearly does have access to them all.  Also, I'd expect to see packages installed on the NAS - which you are not seeing.

 


@funglenn wrote:

I did have snapshots for my most important data (which was unaffected due to the right permissions being set).

 


Good to hear.  Snapshots can be useful for ransomware protection - but unfortunately the NAS will start deleting them if the volume gets too full.  So you need a lot of free space (order of 60%) in order to ensure that doesn't happen.  It'd be ideal if there was a way to switch the volume to read-only if it gets too full (preserving the snapshots).

Message 6 of 24
funglenn
Luminary

Re: nampohyu on Readynas

Also, at your suggestion, Stephen, I checked. It was in the DMZ and did not need to be.

Who/how can I send my logs?

 

Also, FYI to all: I had my cloud backups set to not delete items that were deleted from the main location. Although this requires more storage, it means the ransomware deletions of the primary files were not propagated to my automatic cloud backups! Another share was not so lucky, but not critical data....

Message 7 of 24
StephenB
Guru

Re: nampohyu on Readynas


@funglenn wrote:

Also, at your suggestion, Stephen, I checked. It was in the DMZ and did not need to be.

 


That of course makes it wide open, especially if your ISP doesn't block inbound 139 or 445.  I think that's more likely to be the vector than ReadyCloud, OpenVPN or Plex.

 


@funglenn wrote:

Who/how can I send my logs?

 


Try sending a private message to one of the mods (perhaps @JohnCM_S ), and ask if they will review.  Seems to me they should want to.

 

@Hopchen is a former netgear employee, and he also has been willing to analyze some logs.

 

As far as sending them goes, they can be emailed to Netgear, though I think most people are putting them in a cloud repository (Google Drive, Dropbox, etc.) and providing a link.

 

Don't post a link to the logs here, as there is some information leakage.  You should instead send them via private message.  The PM facility is the envelope icon in the upper right of the forum.

 

BTW, the recently released 6.10.0 software includes an optional audit log facility for x86 NAS (including your RN516). So you might look into that after you get this sorted out.

Message 8 of 24
JohnCM_S
NETGEAR Employee Retired

Re: nampohyu on Readynas

Hi @funglenn,

 

You may send the logs to me so we can review them. You can just upload them to Google Drive, then PM me the download link.

 

Regards,

Message 9 of 24
radziuxd
Aspirant

Re: nampohyu on Readynas


@StephenB wrote:


But it's also possible that the files were infected through SAMBA access.

 

I had NamPoHyu too, until yesterday, on my NAS. My SMB access was on, but completely unnecessarily, because I use WebDAV to connect to the NAS, so I have a question: was this infection possible through WebDAV?

Message 10 of 24
StephenB
Guru

Re: nampohyu on Readynas


@radziuxd wrote:

I had NamPoHyu too, until yesterday, on my NAS. My SMB access was on, but completely unnecessarily, because I use WebDAV to connect to the NAS, so I have a question: was this infection possible through WebDAV?


What ports were forwarded to your NAS?  Was it also in the DMZ?

 

I don't know if WebDAV can be a vector for this particular malware, but SMB/SAMBA seems more likely to me.  That said, you shouldn't be allowing anonymous access to your files over the internet, and if you allow any access you should be using strong passwords.

 

 

Message 11 of 24
radziuxd
Aspirant

Re: nampohyu on Readynas

Thankfully, I keep private files under a password on another account, so only copies of movies and games have been infected.

My NAS forwards 39076 and 29897, the router forwards 22333, and well... yes, the NAS was in the DMZ.
Message 12 of 24
StephenB
Guru

Re: nampohyu on Readynas


@radziuxd wrote:
Well... yes, the NAS was in the DMZ.

So all unsolicited inbound traffic was forwarded to the NAS, including the ports used for SMB.  I think that the DMZ was also the vector for you - since only shares with anonymous read/write were affected.

 

BTW, if nothing on your home network is infected with the malware, then I doubt that the files were actually encrypted - that would require a lot of resources to do remotely. More likely a hacker would just delete them, and create new stuff that looked like it was encrypted by Megalocker.

 

Message 13 of 24
funglenn
Luminary

Re: nampohyu on Readynas


@StephenB wrote:

@radziuxd wrote:
Well... yes, the NAS was in the DMZ.

So all unsolicited inbound traffic was forwarded to the NAS, including the ports used for SMB.  I think that the DMZ was also the vector for you - since only shares with anonymous read/write were affected.

 

BTW, if nothing on your home network is infected with the malware, then I doubt that the files were actually encrypted - that would require a lot of resources to do remotely. More likely a hacker would just delete them, and create new stuff that looked like it was encrypted by Megalocker.

 

 

Stephen,

An update from trend micro: A ransomware family was recently spotted targeting vulnerable Samba servers: NamPoHyu Virus aka MegaLocker Virus. NamPoHyu Virus is unlike typical ransomware families that are delivered locally and launched as executables. Instead, it searches for publicly accessible Samba servers, brute-forces them, and runs the ransomware locally to encrypt the exposed servers.

Here is an update from: https://www.trendmicro.com/vinfo/hk/security/news/cybercrime-and-digital-threats/nampohyu-aka-megalo...

 


 

Message 14 of 24
StephenB
Guru

Re: nampohyu on Readynas


@funglenn wrote:

Stephen,

An update from trend micro: A ransomware family was recently spotted targeting vulnerable Samba servers: NamPoHyu Virus aka MegaLocker Virus. NamPoHyu Virus is unlike typical ransomware families that are delivered locally and launched as executables. Instead, it searches for publicly accessible Samba servers, brute-forces them, and runs the ransomware locally to encrypt the exposed servers.

Here is an update from: https://www.trendmicro.com/vinfo/hk/security/news/cybercrime-and-digital-threats/nampohyu-aka-megalo...

 


Thx for posting this update.  It does fit the two cases we've seen reported here (NAS in the DMZ with anonymous write access to shares).

Message 15 of 24
radziuxd
Aspirant

Re: nampohyu on Readynas

Yup, same for me. DMZ and active SMB.
Message 16 of 24
funglenn
Luminary

Re: nampohyu on Readynas

What is not clear from any of my reading is if it's an SMB 1.0, 2.0, or 3.0 risk. And because I have fully factory restored my unit I cannot just look, although the logs I have from right before erasing everything are still available.

 

However, I also found I had a bitcoin miner installed and perhaps another piece of malware, both installed prior to this event.

Message 17 of 24
StephenB
Guru

Re: nampohyu on Readynas


@funglenn wrote:

What is not clear from any of my reading is if it's an SMB 1.0, 2.0, or 3.0 risk.


I think all SMB versions are vulnerable.  Based on the article, the attackers are simply scanning for open SMB servers, and then corrupting any shares that allow anonymous write access.  That attack works identically with all versions of SMB.

 


@funglenn wrote:

However, I also found I had a bitcoin miner installed and perhaps another piece of malware, both installed prior to this event.


Ouch.  Likely someone cracked your NAS admin password, and then gained access through ssh.

 

Message 18 of 24
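The exposure the thread keeps coming back to is a share that is both reachable without credentials and writable. The script below is an added example, not code from the thread or from NETGEAR: it audits an smb.conf for exactly that combination, honouring Samba's `guest ok`/`public` synonyms and the `read only`/`writable` inversion. The sample smb.conf is constructed for the example.

```python
import configparser

# Constructed sample smb.conf (not from the thread): two anonymous-writable
# shares, one guest read-only share, and one password-protected share.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User

[temp]
path = /data/temp
guest ok = yes
writable = yes

[media]
path = /data/media
public = yes
read only = no

[docs]
path = /data/docs
guest ok = yes
read only = yes

[private]
path = /data/private
valid users = alice
writable = yes
"""

TRUE_VALUES = {"yes", "true", "1"}

def _flag(section, *keys, default=False):
    """Boolean value of the first key present in the section, else default."""
    for key in keys:
        if key in section:
            return section[key].strip().lower() in TRUE_VALUES
    return default

def anonymous_writable_shares(conf_text):
    """Return the names of shares that allow guest access AND writes."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_string(conf_text)
    exposed = []
    for name in parser.sections():
        if name.lower() == "global":
            continue  # "map to guest = Bad User" here makes failed logins guests
        s = parser[name]
        guest = _flag(s, "guest ok", "public")
        if any(k in s for k in ("writable", "writeable", "write ok")):
            writable = _flag(s, "writable", "writeable", "write ok")
        else:  # Samba's "read only" is the inverse of "writable"
            writable = not _flag(s, "read only", default=True)
        if guest and writable:
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print("anonymous-writable shares:", anonymous_writable_shares(SAMPLE_SMB_CONF))
```

Run it against `/etc/samba/smb.conf` (or the NAS's generated Samba config) and treat every share it lists as reachable by anyone who can hit port 445, which with a DMZ rule means the whole internet.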
funglenn
Luminary

Re: nampohyu on Readynas

I thought the same thing. So I changed all passwords, deleted many accounts, and disabled the admin account, with another having elevated rights instead. I feel much better about the extra work that a factory reset required.

 

 

Model: RN51600|ReadyNAS 516 6-Bay Diskless
Message 19 of 24
bdmoy
Aspirant

Re: nampohyu on Readynas

Hello,

 

I have a ReadyNAS at work running the 6.9.5 firmware and I have currently run into the NamPoHyu ransomware virus as well. On some of my shared folders I can see files with a 1.pdf.nampohyu file extension and I also see some !DECRYPT_INSTRUCTION.TXT files. What do I do to get rid of this virus? I am also running on a Mac platform.

 

Thanks

Model: RN3138|ReadyNAS 3138 Series 4- Bay (Diskless)
Message 20 of 24
Sandshark
Sensei

Re: nampohyu on Readynas

Restoring snapshots from before the attack should work. If you don't use snapshots, or if the encryption process filled your volume so much that the snapshots got deleted, the only solution I know is to do a factory default and restore the files from your backup. And you should also look for how the virus got access to your NAS.

Message 21 of 24
bdmoy
Aspirant

Re: nampohyu on Readynas

I have about 12 shared folders on my ReadyNAS. One consistent thing I'm noticing is that under Network Access there were some shared folders that had "Allow anonymous access" checked. Those seem to be the only shared folders that have the .nampohyu extensions on the files. I have never restored snapshots before, but I am subscribed and I have bought ReadyNAS Vault access. Would deleting and restoring those corrupted shared folders be the most effective way of fixing this issue?

Model: RN3138|ReadyNAS 3138 Series 4- Bay (Diskless)
Message 22 of 24
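Before restoring, it helps to know which shares were actually hit and when the first ransom note landed, so you can pick a snapshot that predates it (Sandshark's advice) and confirm that only the anonymous-access shares are affected (bdmoy's observation). This is an added example, not code from the thread or from NETGEAR; it walks a directory of shares and reports per-share counts of `.nampohyu` files and `!DECRYPT_INSTRUCTION.TXT` notes, using a constructed temporary tree as sample input.

```python
import os
import tempfile
import time

ENCRYPTED_EXT = ".nampohyu"               # extension seen on affected files
RANSOM_NOTE = "!DECRYPT_INSTRUCTION.TXT"  # note left in affected folders

def triage_shares(root):
    """Walk each share directory under root and return, per share, how many
    files carry the ransomware extension, how many ransom notes were found,
    and the earliest note mtime (a snapshot older than that predates the hit)."""
    report = {}
    for share in sorted(os.listdir(root)):
        share_path = os.path.join(root, share)
        if not os.path.isdir(share_path):
            continue
        encrypted, note_times = 0, []
        for dirpath, _, filenames in os.walk(share_path):
            for fn in filenames:
                if fn.lower().endswith(ENCRYPTED_EXT):
                    encrypted += 1
                elif fn.upper() == RANSOM_NOTE:
                    note_times.append(os.path.getmtime(os.path.join(dirpath, fn)))
        report[share] = {
            "encrypted": encrypted,
            "notes": len(note_times),
            "first_note": min(note_times) if note_times else None,
            "hit": bool(encrypted or note_times),
        }
    return report

def build_sample_tree():
    """Constructed sample layout (not real data): two shares hit, one clean."""
    root = tempfile.mkdtemp(prefix="shares_")
    layout = {
        "temp": ["1.pdf.nampohyu", "notes.docx.nampohyu", RANSOM_NOTE],
        "media/movies": ["film.mkv.nampohyu", RANSOM_NOTE],
        "private": ["report.pdf", "budget.xlsx"],
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for f in files:
            open(os.path.join(d, f), "w").close()
    return root

if __name__ == "__main__":
    for share, info in triage_shares(build_sample_tree()).items():
        when = time.ctime(info["first_note"]) if info["first_note"] else "-"
        print(f"{share:8} hit={info['hit']} encrypted={info['encrypted']} "
              f"notes={info['notes']} first_note={when}")
```

On a ReadyNAS, point `triage_shares` at the directory that holds the share folders (for example the volume's data root) and compare the hit list with the shares that have anonymous access enabled.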
funglenn
Luminary

Re: nampohyu on Readynas


@bdmoy wrote:

I have about 12 shared folders on my ReadyNAS. One consistent thing I'm noticing is that under Network Access there were some shared folders that had "Allow anonymous access" checked. Those seem to be the only shared folders that have the .nampohyu extensions on the files. I have never restored snapshots before, but I am subscribed and I have bought ReadyNAS Vault access. Would deleting and restoring those corrupted shared folders be the most effective way of fixing this issue?


Just remember there is a difference between snapshots and Vault access. Snapshots are part of your share, hidden but on your local NAS. The Vault is through the internet. I would do the snapshots locally (if you have that configured and working), since it will restore much quicker based on being on the NAS vs. over the internet.

 

Good luck. I decided to reformat and reinstall everything (apps, shares and info) and ensure my permissions were nailed down, followed by ensuring it was no longer so publicly accessible from the internet by locking down the firewall/network infrastructure.

Message 23 of 24
StephenB
Guru

Re: nampohyu on Readynas


@bdmoy wrote:

Hello,

 

I have a ReadyNAS at work running the 6.9.5 firmware and I have currently run into the NamPoHyu ransomware virus as well. On some of my shared folders I can see files with a 1.pdf.nampohyu file extension and I also see some !DECRYPT_INSTRUCTION.TXT files. What do I do to get rid of this virus?


This isn't exactly a virus.  You've allowed public access to your NAS shares over the internet, and someone has taken advantage of that mistake.

 

So the first step is to stop allowing that public access. If the NAS is set up in the DMZ of your router, then change that setting. Also don't forward ports 137, 138, 139, and 445 to your NAS. If you must forward SMB, then make sure that you don't allow anonymous access and that you are using strong passwords.

 

After that, clean up the damage. Emsisoft recently released a free decrypter for Megalocker/Nampohyu that you could try using to recover your files: https://www.emsisoft.com/decrypter/megalocker It doesn't look like there is a version for Mac though; you'll need to run it under Windows. I haven't used this, or seen much posted about it.

 

Alternatively restore the lost files from a backup or a NAS snapshot (deleting any files left behind by the attacker).

Message 24 of 24