Quick Security-LegendaryDisk Security-DiskStation Security Ransomware


34 replies to this topic

#1 jamessturge
  • Members
  • 10 posts

Posted 29 December 2022 - 10:43 AM

Hello. Can you help me identify this and know what to do with a Synology NAS that has been hacked, with all the information on it compromised?

 

We have a Synology NAS DS216+II that had several shared folders with access from about 20 computers on the network. There was only one administrative user: admin. Last weekend we realized that we couldn't access the shared folders. When I logged into the NAS as an administrator, I saw that we had been hacked.

 

They left a note in a .txt file.

Hello.
This is Quick Security.
What happened?
- Your Network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean? Where are my files?
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
What can I do to recover my data?
- If you want to recover your data, you have to send 0.06 Bitcoin to this wallet address:
xxxxxxxxx
Always double check the address when copy/pasting it !!!!!
- You have until the 3rd of January 2023 to send the payment. 
After this date your files will be almost impossible to recover.
What should I do after I send the payment?
- Your ID is: 187.76.x.x
- Please email us your ID and payment confirmation to:
quick.connect@zohomail.eu
quick.connect@beeble.com
alt.gl-4vpkkx0@yopmail.com
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
Can I still use my nas?
- Do not delete any files you find on your nas.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your nas.
- Do not write large amounts of data to your disk.
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if no payment is made.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
You can think of this as a failed security audit.
We are professionals. This is a one time deal. We will show you proof if you need it.
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
Thank you.
 
All shared folders are now compressed files with 7z and zip extensions in a folder named _______
 
[Attached screenshot: nas2.JPG]

 

The 7z and zip files have a password to be able to unzip them which I obviously don't have.
 
We had QuickConnect enabled on the Synology. I don't know if they used brute force.
 
According to the NAS the DSM firmware is up to date.
 
[Attached screenshot: nas3.JPG]

 

On the Synology website I see that it was necessary to apply Update 6, and the NAS had Update 2. Could the NAS have been hacked due to this missing update, or do you think some PC on our network is hacked? We use Emsisoft Antivirus on all our computers.
 
What can I do? Do you know what the ransomware was?
 
Thanks guys.

Attached Files





#2 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 December 2022 - 01:53 PM

Please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database). Alternatively, you can use a third-party file hosting service to upload the files and provide a link or send a PM with a link to Amigo-A.
 
Click the More Reply Options button in the bottom right corner of the Board Editor...then click the Browse... button under Attach Files.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click [donate button image]


#3 jamessturge
  • Topic Starter
  • Members
  • 10 posts

Posted 29 December 2022 - 04:40 PM

Sure.

 

The entire structure of the shared folders of the NAS was compressed into large files (about 550 GB in total). I can open the 7z and zip files and can view all the zipped files. All files have a password to unzip them. I have attached the only two small files that I found on the NAS. I have also attached the original note.

 

Is there a way to get the password on the NAS?

 

[Attached screenshot: nas files-.jpg]

 

Thanks 

Attached Files



#4 jamessturge
  • Topic Starter
  • Members
  • 10 posts

Posted 30 December 2022 - 08:46 AM

I think the ransomware attack is very similar to this one. The message they left is very similar.

 

https://www.bleepingcomputer.com/forums/t/769484/7even-security-nas-ransomware-please-read-me-txt-support-topic/



#5 jamessturge
  • Topic Starter
  • Members
  • 10 posts

Posted 30 December 2022 - 08:59 AM

https://www.pcrisk.com/removal-guides/21824-umbrella-security-ransomware <-- Umbrella Security, similar txt but different type of ransomware.



#6 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 December 2022 - 04:00 PM

Yes, the note does look similar to 7even Security (NAS) and Umbrella Security Ransomware.



This is 7even Security.
What happened?
- Your Network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean? Where are my files?
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
What can I do to recover my data?
- If you want to recover your data, you have to send 0.04 Bitcoin to this wallet address:
bc1qc56dddrkdm2rxyqw27knjj7rj97kj5sfkgqtpa
- You have until the 12th of March 2022 to send the payment. 
After this date your files will be almost impossible to recover.
What should I do after I send the payment?
- Your ID is: 69.125.229.228
- Please email us your ID and payment confirmation to:
team.seven@zohomail.eu
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
Can I still use my nas?
- Do not delete any files you find on your nas.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your nas.
- Do not write large amounts of data to your disk.
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if no payment is made.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
You can think of this as a failed security audit.
We are professionals. This is a one time deal. We will show you proof if you need it.
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.

 

 


Hello.
This is Umbrella Security.
What happened?
- Your Network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean? Where are my files?
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
What can I do to recover my data?
- If you want to recover your data, you have to send 0.011  Bitcoin to this wallet address:
1LwTujzoFf9WcVSYUNBzXgruYZxrRT3nz
- You have until the 10th of September 2021 to send the Bitcoin.
After this date your files will be almost impossible to recover.
What should I do after I send the payment?
- Your ID is: 235.110.146.255
- Please email us your ID and payment confirmation to:
umbrella_cor@zohomail.eu
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
Can I still use my nas?
- Do not delete any files you find on your nas.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your nas.
- Do not write large amounts of data to your disk.
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if no payment is made.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
hxxps://paxful.com/buy-bitcoin
hxxps://localbitcoins.com/buy_bitcoins
You can think of this as a failed security audit.
We will even send you tips on how to strengthen your network security.
Thank you.

 


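The comparison quietman7 makes above (same note text, different group name, amount, wallet, deadline, ID and contact addresses) can be done mechanically: mask the victim-specific fields and measure how much of the note is shared template. This is an added example, not code from the thread or from any identification service; the two notes are shortened, constructed excerpts of the Quick Security and 7even Security notes quoted in this topic, and the field regexes are an approximation of the layouts seen in them.

```python
import re
from difflib import SequenceMatcher

# Constructed, shortened excerpts of two notes quoted in this thread
# (only the lines carrying victim-specific fields, plus a few shared ones, are kept).
QUICK_SECURITY = """Hello.
This is Quick Security.
- Your Network was not secure.
- If you want to recover your data, you have to send 0.06 Bitcoin to this wallet address:
xxxxxxxxx
- You have until the 3rd of January 2023 to send the payment.
- Your ID is: 187.76.x.x
- Please email us your ID and payment confirmation to:
quick.connect@zohomail.eu
quick.connect@beeble.com
We are professionals. This is a one time deal.
"""

SEVEN_SECURITY = """This is 7even Security.
- Your Network was not secure.
- If you want to recover your data, you have to send 0.04 Bitcoin to this wallet address:
bc1qc56dddrkdm2rxyqw27knjj7rj97kj5sfkgqtpa
- You have until the 12th of March 2022 to send the payment.
- Your ID is: 69.125.229.228
- Please email us your ID and payment confirmation to:
team.seven@zohomail.eu
We are professionals. This is a one time deal.
"""

# Victim-specific fields: (name, regex with one capture group, placeholder written when masking).
# The regexes are an assumption fitted to the notes in this thread, not a general parser.
FIELDS = [
    ("group", re.compile(r"^This is (.+)\.$", re.M), "This is <GROUP>."),
    ("amount", re.compile(r"(\d+(?:\.\d+)?)\s+Bitcoin"), "<AMOUNT> Bitcoin"),
    ("wallet", re.compile(r"^(bc1[a-z0-9]{20,}|[13][A-Za-z0-9]{25,34}|x{5,})$", re.M), "<WALLET>"),
    ("deadline", re.compile(r"(\d{1,2}(?:st|nd|rd|th) of [A-Z][a-z]+ \d{4})"), "<DATE>"),
    ("victim_id", re.compile(r"^- Your ID is: (.+)$", re.M), "- Your ID is: <ID>"),
    ("email", re.compile(r"([\w.+-]+@[\w-]+\.[\w.-]+)"), "<EMAIL>"),
]


def extract_indicators(note):
    """Pull the per-victim values out of a note (what you would put in a report or an ID submission)."""
    return {name: rx.findall(note) for name, rx, _ in FIELDS}


def mask(note):
    """Replace every victim-specific field with a placeholder so only the shared template remains."""
    for _, rx, placeholder in FIELDS:
        note = rx.sub(placeholder, note)
    return note


def template_similarity(note_a, note_b):
    """Return (raw, masked) line-level similarity in 0..1. A large jump after masking means the
    two notes come from one template with the victim fields swapped, i.e. the same operation."""
    raw = SequenceMatcher(None, note_a.splitlines(), note_b.splitlines()).ratio()
    masked = SequenceMatcher(None, mask(note_a).splitlines(), mask(note_b).splitlines()).ratio()
    return raw, masked


if __name__ == "__main__":
    print(extract_indicators(QUICK_SECURITY))
    print("raw / masked similarity: %.2f / %.2f" % template_similarity(QUICK_SECURITY, SEVEN_SECURITY))
```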


#7 jamessturge
  • Topic Starter
  • Members
  • 10 posts

Posted 30 December 2022 - 08:49 PM

It would be interesting to know what Synology vulnerability they are exploiting.



#8 Durmix
  • Members
  • 1 posts

Posted 23 February 2023 - 10:15 AM

I encountered a similar attack today. I was able to investigate everything and figure out how they got into the Synology NAS.

  • This is a small office with only 3 people working there. Each person has a Windows 10 OS installed on their own computer. I checked all of them and no program was installed prior to the attack. I also checked with anti-malware software and found no signs of infection.
  • There is a Mikrotik router with the latest OS, no NAT is set up on the firewall. The default user is disabled, services are turned off, and only Winbox can access it from the LAN side with a strong password. There are no interesting events in the logs.
  • Synology DS: version 6, a bit behind unfortunately. Besides the basic packages, only Hyper Backup and SMB were installed because that's all they used. They deleted all logs after the attack, probably automatically because it was too fast. They deleted the backups (even the directories), compressed all the data into one file, and encrypted it with a password. The attacker did not encrypt the file names, so everything is visible. Then they deleted the data along with the folder. The operations were done under a specific administrator user. Since the account brute-force protection was enabled, they surely knew the password.

Quickconnect service was enabled on the NAS, so it was accessible from the open internet bypassing the firewall. They probably logged in through the NAS web interface, so it's almost certain that they stole the login credentials from the administrator. It's a serious risk because the administrator may have installed Synology NAS for others, and their data could be in danger too.

Lesson learned:

  • Disable quickconnect service. Use only when necessary,
  • Do not open ports on the router to the internet (do not NAT),
  • Always use 2FA,
  • One backup is not enough,
  • Never store passwords unencrypted,
  • Implement password rules.

Regards,

DurmiX



#9 AnsPap
  • Members
  • 1 posts

Posted 14 June 2023 - 10:24 AM

(Quoting Durmix, post #8 above.)

Hello, I am really upset by what I am reading, because the exact same thing happened to me last week.
Did you finally find a solution?
 



#10 abdelghani
  • Members
  • 2 posts

Posted 10 December 2023 - 03:36 AM

Hello, we got attacked by ransomware. Can we get help?
I am giving one screenshot of the virus file and the txt file from the hacker.
Does anyone know the decrypter?
 
virus file <removed>
 
Our antivirus EDR detected this one as Ransom.Win32.Save.a
 
Thank you.
 
SHA1: 6de463f29412dd4300e543b461f87b1d9602588c https://id-ransomware.malwarehunterteam.com/ after scanning the file and the txt file

Attached Files


Edited by quietman7, 10 December 2023 - 02:16 PM.


#11 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 December 2023 - 06:40 AM

Are there any obvious file extensions appended to the end of your encrypted data files? If so, what is the extension? 
 
Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension? 
 
Your !!Read Me!!.txt looks similar to a ransom note from 7even Security (NAS) Ransomware as noted here by Amigo-A (Andrew Ivanov)

Hello.
This is DiskStation Security.
What happened?
- Your network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean? Where are my files?
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
What can I do to recover my data?
- If you want to recover your data, you have to send 0.03 Bitcoin to this wallet address:
bc1qyh0evjp07kzqahf2xmgzs5zgvxevjhjqm9vcv8
Always double check the address when copying/pasting it!!!!!
- You have until the 15th of December 2023 to send the payment.
After this date your files will be almost impossible to recover.
What should I do after I send the payment?
- Your ID is: viperxxx
- Please email us your ID and payment confirmation to:
diskbleeper@proton.me
diskbleeper@mailfence.com
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
Can I still use my nas?
- Do not delete any files you find on your NAS.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your NAS.
- Do not write large amounts of data to your disk.
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if no payment is made.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
https://www.moonpay.com/buy/btc
https://paxful.com/buy-bitcoin
https://localbitcoins.com/buy_bitcoins
https://www.binance.com/en/buy-Bitcoin
You can think of this as a failed security audit.
We are professionals. This is a one time deal. 
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
Thank you.




#12 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 December 2023 - 06:44 AM

BTW the link to the virus file indicates: The transfer you requested has been deleted.

 

That link has been removed as we do not allow the posting of any links to possible malware (malicious files), including links which may lead to sites where infections have been contracted and spread. If it is malicious, we don't want other members accidentally clicking on such links and infecting their machines. All such links will be removed to protect other members reading our forum topics.

 
Samples of any suspicious executables (installer, malicious files) that you suspect were involved in causing the infection can be submitted (uploaded) to VirusTotal, with a link provided to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating and identifying the ransomware, and possibly finding a flaw which could be useful for decryption of encrypted data.



#13 abdelghani
  • Members
  • 2 posts

Posted 10 December 2023 - 08:17 AM

(Quoting quietman7, post #11 above.)

Random character extensions: .j, .AB, .12345 ... etc.
 
 

(Quoting quietman7, post #12 above.)

VirusTotal can't find anything in the encrypted file: https://www.virustotal.com/gui/file/6910780a2c9482d291a5c07284f59f5ec58e1b937b42e32ee9bdaa0d92f0404d



#14 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 December 2023 - 08:30 AM

There are several different ransomware infections which append a random 2, 3, 4, 5, 6, 7, 8, etc character extension to the end of encrypted data filenames to include Sodinokibi (REvil), Magniber (Magniber 2022), LockBit 3.0 (LockBit Black)/CriptomanGizmo, N3ww4v3/Mimic, HsHarada, Zeppelin, Conti, Snatch, STOP (Djvu), NoEscape (No_Escape), AVADDON, Ako, BlackCat/ALPHV, Black Basta, Mad Cat, RCRU64, LV Ransomware, 0kilobypt (Wiper/Eraser), GermanWiper, MrDec (Mr.Dec), Buran, Geneve, Maze (ChaCha), Hades, Mailto (Koko - Netwalker), Mailto-2 (Kazkavkovkiz), Nomikon, Paymen45, B2DR, Blitzkrieg, BitRansomare, Erika, Skull, SynAck, 05250lock, CTB-Locker, Crypt0L0cker, CryptON (Cry9, Cry36, Cry128, Nemesis), GandCrab V5.0.4+/v5+, Maktub Locker, Alma Locker, $$$ LokerAdmin, Princess Locker, Princess Evolution, Locked-In, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x, some Xorist variants and many other unidentified ransomwares.
 

Please attach several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so Amigo-A (Andrew Ivanov), rivitna (Andrey Zhdanov) or Demonslay335 (Michael Gillespie) can manually inspect them and possibly identify/confirm the infection if they see this topic.


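The questions quietman7 asks in posts #11 and #14 (is there an .id-XXXXXXXX, .id[XXXXXXXX-NNNN], .[email] or random-character marker before the appended extension, and is the extension fixed or random per file?) can be answered for a whole directory listing with a small classifier. This is an added example, not code from the thread: the marker regexes are an approximation of the layouts quoted above, and every file name below is constructed.

```python
import re

# Marker layouts quoted in this thread, matched right to left once the final extension is removed.
# These regexes are an assumption fitted to the quoted examples, not a vendor naming rule.
MARKERS = [
    ("id_and_email", re.compile(r"\.id(?:-[0-9A-F]{8}|\[[0-9A-F]{8}-\d{4}\])\.\[[^\]\s]+@[^\]\s]+\]$", re.I)),
    ("id_only", re.compile(r"\.id(?:-[0-9A-F]{8}|\[[0-9A-F]{8}-\d{4}\])$", re.I)),
    ("email_only", re.compile(r"\.\[[^\]\s]+@[^\]\s]+\]$")),
    # Heuristic: a long alphanumeric run right before the extension (e.g. .8SLV8GMp-hjqo9v3s).
    ("random_tag", re.compile(r"\.[A-Za-z0-9-]{8,}$")),
]


def analyze(filename):
    """Split an encrypted file name into original name, marker (if any) and appended extension."""
    base, sep, ext = filename.rpartition(".")
    if not sep:  # no dot at all: nothing was appended
        return {"file": filename, "original_name": filename, "marker_type": None, "marker": None, "extension": None}
    for kind, rx in MARKERS:
        m = rx.search(base)
        if m:
            return {"file": filename, "original_name": base[:m.start()], "marker_type": kind,
                    "marker": m.group(0)[1:], "extension": ext}
    return {"file": filename, "original_name": base, "marker_type": None, "marker": None, "extension": ext}


def summarize(filenames):
    """Tell whether the appended extension is fixed across files (family-wide) or differs per file,
    as with the random .j / .AB / .12345 extensions reported in this thread."""
    exts = [analyze(f)["extension"] for f in filenames]
    distinct = {e for e in exts if e}
    return {"distinct_extensions": len(distinct),
            "random_per_file": len(distinct) == len(filenames) and len(filenames) > 1,
            "extensions": sorted(distinct)}


# Constructed sample listing, one file per marker style.
SAMPLE_FILES = [
    "report.docx.id-A04EBFC2.[mail@example.com].harma",
    "photo.jpg.id[4D21EF37-2214].[x@y.test].phobos",
    "scan.pdf.id-BCBEF350.locked",
    "budget.xlsx.8SLV8GMp-hjqo9v3s.enc",
    "notes.txt.AB",
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(analyze(f))
    print(summarize(["a.txt.j", "b.docx.AB", "c.jpg.12345"]))
```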


#15 chelesoft
  • Members
  • 1 posts

Posted 27 December 2023 - 06:20 PM

Hello everyone, I'm dealing with this ransomware too. Has anyone found a solution to unzip the files?





