
ransom ware restoration

BBuzz
Apprentice

ransom ware restoration

RN524X00 RUNNING  FW: V6.6.1

PAID THE RANSOM BUT THIEVES CHANGED USER ID AND PASSWORD AND I HAVE NO ACCESS TO GET TO THE DATA. I need help if Netgear can provide any workaround for me to gain access to the data that is still on the NAS.

Message 1 of 5
StephenB
Guru

Re: ransom ware restoration


@BBuzz wrote:

RN524X00 RUNNING  FW: V6.6.1

PAID THE RANSOM BUT THIEVES CHANGED USER ID AND PASSWORD AND I HAVE NO ACCESS TO GET TO THE DATA. I need help if Netgear can provide any workaround for me to gain access to the data that is still on the NAS.




No support from Netgear anymore.

 

One option is to do an OS-reinstall from the boot menu.  That will reset the admin password back to password.  Before you do that I suggest blocking internet access to the NAS from your router.

 

Another option is to get a 4-bay USB disk enclosure, and move the disks into the enclosure.  Power down the NAS first, and label the disks by slot number as you remove them.  Connect the USB enclosure to a Windows PC, and see if ReclaiMe (RAID recovery software) can find the files.  You can download ReclaiMe for free to check this, but you'll need to purchase it in order to actually offload the data.

 

Either way, if the files are still encrypted you are out of luck.

Message 2 of 5
Sandshark
Sensei

Re: ransom ware restoration


@StephenB wrote:

 

Either way, if the files are still encrypted you are out of luck.


Maybe not, if snapshots are available.  Unfortunately, that's not always a solution unless you have a lot of unused space on the NAS.  If the NAS had insufficient space to store the "new" encrypted files, it'll delete snapshots to make way.

 

If an OS re-install doesn't get your access back, then you may also be able to access your files via tech support mode.

 

I am wondering why you believe the attacker changed (or maybe removed) the admin user name.

Message 3 of 5
BBuzz
Apprentice

Re: ransom ware restoration

We have tried to gain access to the stored information after payment but are unable to use any past user ID or passwords.  There wasn't any further communication with the thieves after payment. Is there something we are unaware of from other knowledge you may have gained that we should do to get to our info? Of course, this is the first (and hopefully the last) time experiencing this ransom situation.

Message 4 of 5
StephenB
Guru

Re: ransom ware restoration


@BBuzz wrote:

We have tried to gain access to the stored information after payment but are unable to use any past user ID or passwords.  


Are you saying that when you go to the NAS admin page ( https://nas-ip-address/admin ) you cannot log into that site with the NAS admin credentials?

 

As I mentioned, you can do an OS-reinstall that will reset the admin password back to password.

Message 5 of 5