Quick Security-LegendaryDisk Security-DiskStation Security Ransomware


34 replies to this topic

#16 quietman7

Global Moderator

Posted 27 December 2023 - 09:11 PM

There is nothing new to report that I am aware of.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#17 duke666

Posted 05 January 2024 - 03:52 PM

Hi,

I have the same or a similar problem.

Please find the description below.

If there is any news, I would really appreciate it if you shared it.

Best regards
Gasper


-----------------
 

On January 3, 2023, I noticed that there was no data on the NAS or that certain folders were missing.
 
When checking the folders, I realized that he had left a txt file with the contents of how to transfer the ransom in order to get the data back.
Since it is a txt file, I attached it as an attachment.
name: !!_!!README!!_!!.zip
password: unzip
 
Known data or description:
  • as I was told on 3.1. noticed that documents are missing on the NAS - Synology
  • The NAS is connected to 3 other computers in the home household, so it mostly deleted the documents on those too, luckily not quite all
  • from what I saw (date of creation !!_!!README!!_!!.txt file) this happened on 01.01.2024@06:01
  • according to their log, the attached picture (Screenshot 2024-01-05 150705.png) shows that the volume of documents has dropped from approx. 6 (75%) to 2.7TB (38%) - I have 8TB disks in the NAS
  • logged on to the NAS via a web browser and found some documents in the #recycle folders, not all, but what belongs to this root folder. Unfortunately, some root folders do not have #recycle and as a result I do not know where this data is
  • I save the data on a local disk (I hope they are not infected as well)
 
I have a large amount of data, since there are several archives; personal archive with pictures and documents (logged root folders) and documentation of three companies.
 
As I said, I managed to download some data and I'm still "downloading" it via the web, with the fact that the NAS and PC in the connection are not online so that the "ransom-guy" can't see what's happening.
When I have collected everything, it will be necessary to organize everything in order to estimate how many documents are missing.
 
In the NAS, an acquaintance who is more skilled in computing found some file that was planted, but I said that he should not delete it until we have downloaded as much as possible.


#18 quietman7

Global Moderator

Posted 05 January 2024 - 04:32 PM

When or if a free (or legitimate paid for) decryption solution is found, that information will be provided in this support topic and victims will receive notification if subscribed to it. In addition, a news article most likely will be posted on the Bleeping Computer front page.
 
Contents of !!_!!README!!_!!.txt which indicates they are calling this LegendaryDisk Security.

HI
This is LegendaryDisk Security.
What happened?
- Your Network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean!? 
Where are my files!?
- All your data has been encrypted and moved to a special shared folder.
- All your important documents have been downloaded.
What can I do to recover my data!?
- If you want to recover your data, you have to send 0.03 Bitcoin to this wallet address:
bc1pj3udvah8xelvenu93dm0dc9sllgmev2xcfvck5de2c6pc3hqpzxs2nnjvc
Always double check the address when copy/pasting it !!!!!
- You have up to 15 days to send the payment. 
After this date the decryption will be almost impossible.
What should I do after sending the payment?
- Your ID is: Lne1rcbnmzce8:nas-h227:yg33fspkiee01
- Please email us your ID and payment confirmation(txid) to:
diskbleeper@onionmail.org
- After we confirm your payment you will receive the password and download link  so you can mount the shared folder and decrypt all your data.
Can I still use my nas?
- Do not delete any files you find on your nas.
- Do not try to recover your data using any software as it will not work.
- Do not modify any volumes or storage pools on your nas.
- Do not write large amounts of data to your disk.
- Do not restart or power on/off your synology multiple times. It will result in archive corruption!
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if you don't contact us.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
https://paxful.com/buy-bitcoin
https://paybis.com/
https://www.moonpay.com/buy/btc
https://noones.com/
https://www.bybit.com/en-us/learn/crypto/buy-bitcoin/
https://www.binance.com/en/buy-Bitcoin
https://localcoinswap.com/buy/bitcoin
Search for Bitcoin ATM's in your area.
You can think of this as a failed security audit.
We are professionals. This is a one time deal. We will decrypt a few files from your nas, as proof, if you need it.
We will send you the password immediately after the payment.
All Files, folders and subfolders will be unchanged.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
Thank you.



#19 jamessturge

Topic Starter

Posted 05 January 2024 - 04:58 PM

Bad news. If you want your data you will have to negotiate with the hackers. The encryption in 7zip is robust and the password is long, meaning it is impossible to break the encryption. It would be interesting to know what version of the Synology DSM they were on when they were hacked.

#20 duke666

Posted 05 January 2024 - 05:27 PM

jamessturge said: "Bad news. If you want your data you will have to negotiate with the hackers. The encryption in 7zip is robust and the password is long, meaning it is impossible to break the encryption. It would be interesting to know what version of the Synology DSM they were on when they were hacked"

Did you manage to negotiate? If yes, did you get it cheaper and did you get all files back?



#21 quietman7

Global Moderator

Posted 05 January 2024 - 05:34 PM

If you are thinking about paying the ransom, negotiating with the ransomware developers (which is not advisable) or using a data recovery service, you may want to read my comments about victim experiences in Should you pay the ransom? (Post #17) first.



#22 jamessturge

Topic Starter

Posted 05 January 2024 - 05:48 PM

We managed to negotiate. It wasn't cheap, the information was important, and we had to pay. They sent the password to decrypt the files with 7zip after receiving the payment. We learned that we must have a secondary backup to avoid massive data loss. The Synology brand disappointed me. I think the NAS was hacked for having Synology quickconnect active.

#23 jamessturge

Topic Starter

Posted 05 January 2024 - 05:50 PM

We managed to negotiate. It wasn't cheap, the information was important, and we had to pay. They sent the password to decrypt the files with 7zip after receiving the payment. We learned that we must have a secondary backup to avoid massive data loss. The Synology brand disappointed me. I think the NAS was hacked for having Synology quickconnect active.

#24 duke666

Posted 06 January 2024 - 04:30 AM

Another question: if they hacked the NAS, is there anything on the PCs?
I do have a few financial programs or web site access that I don't want them to get.
All those are 2FA protected, but still it concerns me.
What program or service should I use?

When I put together all the data "leftovers" that I find, there will be lots of duplicated data. What program do you suggest for syncing it, to avoid missing or duplicated files?


Thank you for Ans support

#25 jamessturge

Topic Starter

Posted 07 January 2024 - 02:10 PM

Hackers take any vulnerability in the network or computers to infiltrate. You definitely can't depend on a single repository to store data. Some things we have implemented: antivirus with mandatory EDR for each computer on the network. Network segmentation with VLAN. Restriction of administrative access on computers. Backup in the cloud, with Microsoft 365 OneDrive + idrive. Recurring backup at the end of the day on external hard drive and in the cloud.

#26 nicovelas

Posted 12 January 2024 - 01:31 PM

Hi, has anyone got any news about this ransomware? Yesterday I came across an almost identical ransom note on my Synology NAS device, and apparently empty hard drives (with encrypted data). It's really frustrating not being able to do anything.

I am uploading the ransom note I received in case it can be of help. If anyone could give any hints on how to fix it that would be wonderful.

Hello.

 
This is DiskStation Security.
 
What happened?
 
- Your network was not secure.
- Your Network-Attached Storage was compromised.
 
What does this mean? Where are my files?
 
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
 
What can I do to recover my data?
 
- If you want to recover your data, you have to send 0.12 Bitcoin to this wallet address:
 
bc1qhphgyrn0pk7gfl2j2l3qmql97zny3kfpvlxt2c
 
Always double check the address when copying/pasting it!!!!!
 
- You have until the 18th of January 2024 to send the payment.
After this date your files will be almost impossible to recover.
 
What should I do after I send the payment?
 
- Your ID is: XXXXXXX
- Please email us your ID and payment confirmation to:
 
nasdata@beeble.com
nasworker@protonmail.com
 
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
 
Can I still use my nas?
 
- Do not delete any files you find on your NAS.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your NAS.
- Do not write large amounts of data to your disk.
 
Why have my files been downloaded?
 
- We reserve the right to leak or sell all your important documents, if no payment is made.
 
Where can I buy and send bitcoin?
 
- You can easily buy and send bitcoin from:
 
 
You can think of this as a failed security audit.
 
We are professionals. This is a one time deal. 
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
 
 
Thank you.

 



#27 quietman7

Global Moderator

Posted 12 January 2024 - 02:03 PM

@nicovelas

DiskStation Security is probably another variant related to 7even Security, Umbrella Security, Quick Security & LegendaryDisk Security Ransomware. As such I have merged your topic into this one.



#28 quietman7

Global Moderator

Posted 12 January 2024 - 02:36 PM

Unfortunately, like 7even Security & Umbrella Security, there is no known method that I am aware of to decrypt files encrypted by DiskStation Security, Quick Security or LegendaryDisk Security without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced.



#29 ThomasKliet

Posted 20 January 2024 - 10:21 AM

I had a NAS compromised with LegendaryDisk Security ransomware, this is what I did:

  1. Mount RAID HDDs into an Ubuntu PC (follow the instructions here: https://kb.synology.com/tr-tr/DSM/tutorial/How_can_I_recover_data_from_my_DiskStation_using_a_PC)
  2. Could not find an encrypted zip file anywhere, so go to the folder:
     /mnt/@synologydrive/@sync/repo/
  3. There you can find your info disorganized and renamed to folders and files like .W or a-z list of names.
  4. In the terminal type:

    file '/mnt/@synologydrive/@sync/repo/M/v/.X'

    and you will get the type of file that you should use:

    PDF Document, version 1.6+

  5. I scanned the entire disk with ClamAV, no viruses but in your case could be different.
  6. If you do not find any of your info, try to scan the folder for big files or folders using the command:

    sudo du -h /mnt/@synologydrive/ --max-depth=1

    and check the type of file using the file command.


Edited by ThomasKliet, 20 January 2024 - 10:22 AM.
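
A read-only way to apply step 4 across the whole repo folder and flag duplicate copies, added here as an example and not part of ThomasKliet's post. It assumes the disks are mounted as described above; the small signature table is a hand-picked stand-in for the `file` command, and the function names and sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SIGNATURES = [  # hand-picked subset of magic numbers; `file` knows far more
    (b"%PDF-", ".pdf"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"PK\x03\x04", ".zip"),  # also the container for docx/xlsx/odt
    (b"7z\xbc\xaf\x27\x1c", ".7z"),
]

def sniff(path):
    """Guess an extension from a file's leading bytes; None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((ext for magic, ext in SIGNATURES if head.startswith(magic)), None)

def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):  # chunked: files may be large
            digest.update(block)
    return digest.hexdigest()

def inventory(repo_root):
    """Read-only walk. Returns (manifest of unique files, paths of duplicates)."""
    seen, manifest, duplicates = set(), [], []
    for path in sorted(Path(repo_root).rglob("*")):  # rglob also matches dotfiles
        if path.is_symlink() or not path.is_file():
            continue  # skip directories, symlinks and special files
        digest = sha256_of(path)
        if digest in seen:
            duplicates.append(path)
            continue
        seen.add(digest)
        manifest.append({"path": path, "ext": sniff(path),
                         "size": path.stat().st_size, "sha256": digest})
    return manifest, duplicates

def build_sample_repo():
    """Constructed sample tree imitating the renamed layout (not real data)."""
    root = tempfile.mkdtemp(prefix="repo_sample_")
    samples = {"M/v/.X": b"%PDF-1.6\n%constructed", "M/v/.W": b"\xff\xd8\xff\xe0sample",
               "a/b/.Y": b"%PDF-1.6\n%constructed", "a/c/.Z": b"unrecognised bytes"}
    for rel, data in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return root

if __name__ == "__main__":
    manifest, dups = inventory(build_sample_repo())
    for row in manifest:
        print(row["ext"] or "unknown", row["size"], row["path"])
    print(len(dups), "duplicate(s) skipped")
```

Point `inventory()` at the mounted repo folder instead of the sample tree; it only reads, so the contents of the disks are left untouched.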


#30 hromerov

Posted 08 February 2024 - 08:31 AM

Hi everyone!

I've been hacked, the text of the rescue note is this:

 

"Hello.
 
This is DiskStation Security.
 
What happened?
 
- Your network was not secure.
- Your Network-Attached Storage was compromised.
 
What does this mean? Where are my files?
 
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
 
What can I do to recover my data?
 
- If you want to recover your data, you have to send 0.12 Bitcoin to this wallet address:
 
bc1qka3qxgr0c8y0szf68wjv7ywla2l9uhvxj825dq
 
Always double check the address when copying/pasting it!!!!!
 
- You have until the 10th of February 2024 to send the payment.
After this date your files will be almost impossible to recover.
 
What should I do after I send the payment?
 
- Your ID is: pro-office
- Please email us your ID and payment confirmation to:
 
NASDATA@TUTA.IO
nasfile@protonmail.com
NAS-DATA@yandex.com
 
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
 
Can I still use my nas?
 
- Do not delete any files you find on your NAS.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your NAS.
- Do not write large amounts of data to your disk.
 
Why have my files been downloaded?
 
- We reserve the right to leak or sell all your important documents, if no payment is made.
 
Where can I buy and send bitcoin?
 
- You can easily buy and send bitcoin from:
 
 
You can think of this as a failed security audit.
 
We are professionals. This is a one time deal. 
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
 
 
Thank you."
 
Does anyone know what ransomware this is?

Thanks!




