
Re: Ransomware attack on ReadyNAS 102

Miniomar
Follower

Ransomware attack on ReadyNAS 102

Hi everyone

Yesterday I suffered a cyber attack with the Mars ransomware, which encrypted almost all the files on my ReadyNAS 102.

First of all, I'm asking whether anyone knows if there is a way to recover the encrypted files, since before deleting them for good I would like to find out whether a tool exists to decrypt them without paying the ransom.

Then the key point is that in the NAS interface I see the antivirus is disabled, but I can't enable it.

There is a link, but nothing happens.

Any suggestions so that this doesn't happen again?

Thanks

Marco

Model: RN10200 | ReadyNAS 100 Series 2-Bay (Diskless)
Message 1 of 4

Accepted solutions
Sandshark
Sensei

Re: Ransomware attack on ReadyNAS 102

If you use snapshots, those may allow you to recover the files from before the encryption. I say "may" because in the process of encrypting, the files would have needed a lot of new space and snapshots may have been deleted in the process to make room. As for actual decryption, not a chance.

Obviously, the best solution would be a factory default and restoration from backup, but I'm assuming you would not have asked if that was an option. This is but one reason RAID is not enough to keep your data safe.

Antivirus on the NAS likely would not have stopped it and certainly can't fix it. Assuming you have kept the OS of your NAS up to date, the files were likely encrypted by a virus running on a PC that leaves an SMB connection open with a mapped drive, not by something executing on the NAS. It's that PC that needs better protection, not the NAS.

Even before you get access to the files, you need to find which PC was the path for the encryption virus and fix that. When you do get access, backup is your best insurance. I use (and I believe @StephenB does as well) a backup NAS on a power schedule that has only the rsync protocol enabled. That makes it much more difficult for a virus to find the files on the NAS. But there is still the issue that the backup NAS will back up the encrypted files and may delete snapshots if there is not enough free space. So, if you can stop that backup process between when the virus hit and the next backup, that's ideal.

Not leaving a connection open to the NAS when it's not really needed and not using the PC password on the NAS or storing the NAS password in the PC's Windows Credentials Manager can also be a partial solution for some, but it's not foolproof. Only using an account with the minimum access rights (so never admin) for normal file access can also help. If you do have any ports open to the outside world, then strong passwords are also key.


Message 2 of 4
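The rsync-only backup NAS described in the accepted answer still copies the encrypted files on its next scheduled run unless something stops it. As an added example that is not part of the thread or of Netgear's software, this POSIX shell guard refuses to run the pull when an abnormal share of files changed since the last successful backup, which is the footprint of bulk encryption; the marker file, the 30% threshold, the `.prev-` versioning directory and the constructed sample tree are all assumptions.

```shell
#!/bin/sh
# Pre-backup guard for a pull-style rsync backup (added example, not the thread's
# or Netgear's code). Bulk encryption rewrites most files on a share in one go, so
# the fraction of files changed since the last good backup is a cheap tripwire.
# The marker file, the threshold and the sample tree below are assumptions.

# Percentage of regular files under $1 whose mtime is newer than marker file $2.
mass_change_pct() {
    total=$(find "$1" -type f | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    changed=$(find "$1" -type f -newer "$2" | wc -l | tr -d ' ')
    echo $(( changed * 100 / total ))
}

# Returns 0 when it is safe to sync, 2 when the change rate exceeds $3 percent.
decide_backup() {
    limit=${3:-30}
    pct=$(mass_change_pct "$1" "$2")
    if [ "$pct" -gt "$limit" ]; then
        echo "REFUSED: $pct% of files changed since last backup (limit $limit%)" >&2
        return 2
    fi
    echo "OK: $pct% changed since last backup"
}

# Sync $1 into $2/current only if decide_backup allows it. --backup keeps every
# overwritten or deleted version in a dated directory instead of discarding it,
# and the marker is refreshed only after a successful run.
guarded_rsync() {
    decide_backup "$1" "$3" "$4" || return $?
    rsync -a --delete --backup --backup-dir="$2/.prev-$(date +%Y%m%d%H%M%S)" \
        "$1/" "$2/current/" && touch "$3"
}

# Constructed sample share: $3 files untouched since the marker, $4 changed after it.
make_sample_tree() {
    mkdir -p "$1"; touch -t 202001010000 "$2"
    i=0; while [ "$i" -lt "$3" ]; do
        echo doc > "$1/old$i.txt"; touch -t 202001010000 "$1/old$i.txt"; i=$((i+1))
    done
    i=0; while [ "$i" -lt "$4" ]; do
        echo enc > "$1/new$i.txt"; touch -t 202001020000 "$1/new$i.txt"; i=$((i+1))
    done
}

# Demo: 10 untouched and 8 changed files is 44%, above the 30% limit, so it refuses.
case "${1:-}" in demo)
    d=$(mktemp -d); make_sample_tree "$d/share" "$d/last-ok" 10 8
    decide_backup "$d/share" "$d/last-ok" 30; rc=$?; rm -rf "$d"; exit $rc ;;
esac
```

Run the script with the single argument `demo` to see the refusal on the constructed tree; in a real schedule, `guarded_rsync SHARE DEST MARKER 30` replaces the bare rsync line.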

StephenB
Guru

Re: Ransomware attack on ReadyNAS 102

Yes, I do have a backup NAS on a power schedule that only has rsync enabled. I also use cloud backup for disaster recovery.

@Miniomar wrote:

> Then the key point is that in the NAS interface I see the antivirus is disabled, but I can't enable it.
>
> There is a link, but nothing happens.

Correct. The RN100 series doesn't have the memory needed to run the Antivirus package. So Netgear disabled that package in the 10.6.3 software.

I don't believe ClamAV would have protected against the Mars Ransomware.

Message 3 of 4
ErikaMa
NETGEAR Employee Retired

Re: Ransomware attack on ReadyNAS 102

Hello @Miniomar,

welcome to the Community!

I see you have already received replies from @Sandshark and @StephenB 🙂

To make sure all Community users understand the answer, I'll give a brief summary. There are no programs that can decrypt the files.

It may be possible to recover the files from snapshots, if they are enabled and have not been deleted.

To keep the NAS data safe, it is essential to maintain an external backup of the data that is kept constantly up to date.

As for the antivirus, it was removed from the RN102 NAS starting with firmware 6.10.0; you can find the announcement here.

Regards,

Erika

NETGEAR Team

Message 4 of 4