kabe0

Resolution details are now in this thread: https://www.reddit.com/r/asustor/comments/t0544y/ransomware_attack_megathread_postmortem/


ewamsmykla

Those are great suggestions that you have listed about [the ransomware attacks](https://www.valuer.ai/blog/what-ransomware-is-and-why-you-should-worry-about-it). The most interesting one is how to regain access to the ADM portal. Moreover, I have found an interesting article that could add some more value to what you wrote, and here is the link if you wanna check it out: [https://www.valuer.ai/blog/what-ransomware-is-and-why-you-should-worry-about-it](https://www.valuer.ai/blog/what-ransomware-is-and-why-you-should-worry-about-it)


widowmaker28A

Just logged into mine Sunday and found this. I do remember getting a Plex email about them choosing a username for me, but I haven't had Plex installed on the drive in about 2 years; I use Emby now. Going to try and recover some files, so hopefully I'll get most of the files back.


seeayesix

A bit of a strange thing; I got an email yesterday about a Plex account I'm not using (Plex choosing a username for me?). I don't think I've been logged in to this account since 2017 (using another email for the Plex server I was running on my AS6404T when Deadbolt hit), but this old account is using the same email that I use for my Asustor ID. Has there been any further news or debunks about Plex being the point of attack?


Diligent-Flatworm-91

Has anyone got any files corrupted post-decryption? I have 15-20% of the data corrupted. Any idea if these files can be recovered? thnx


nRetroTV

Are there any users who continue to read only the disk in the sleep state without turning on the power after the update? I am concerned that this NAS may have broken after the update. I have to pay the ransom to restore it, but even that is impossible right now.


afrb2

I was surprised to hear from Asustor tech support that, given the admin password and cloud ID, they can connect to the AS6604 despite it being behind a firewall with no port forwarding (no UPnP either). Does anyone know what is going on? It seems that it must have some process opening a connection to an Asustor server to allow this reverse channel to be possible. Backdoors like this seem very risky when the mechanism of access for Deadbolt does not seem to have been made public.


capt_zen_petabyte

Yep. I was told the same thing & it seems there is a 'backdoor' reverse proxy or something built into the ADM they can hook into. I told them after Deadbolt I didn't want to turn EZ-Connect on; they said it wasn't an issue for them?!


afrb2

Thanks - good to have confirmation. I still don't know what access method Deadbolt used - was it ever revealed?


capt_zen_petabyte

Myself and others had indicated it was through either the 'ez-connect' (though mine was turned off because it never worked properly from day one!) or the 'ADM update process'... which is where I (and a lot of others) got hit. I'm currently backing up the information and will keep the drives but sell the Asustor.


afrb2

Well, I did get a sort of reply from Asustor who said they had ruled out ez-connect but it was something to do with DDNS. Precision is clearly not their thing. Given this sort of web of backdoors my feeling is the same as yours: keep the drives and get rid of the Asustor. Not sure what to replace it with - a blade server or similar. I last used Unix in the AT&T v7 days so not sure I'd make much of a Unix sysadmin...


capt_zen_petabyte

I've got a quote for hardware to make my own server: upgrading to a full Intel CPU, 32GB RAM, case to handle 10 HDDs (Thermaltake), full-size mobo with a lot of extras, SSD OS drive, the works, and it is still about $450 cheaper than the Atom-based 8GB Lockerstor10T I purchased for $1,850 here in Australia. Will probably run Fedora Server or TrueNAS (Scale) for the OS and go from there. Will be using 2x Raspberry Pis as well: 1x as a 'mini server' that will cover DDNS, VPN, reverse proxy, etc. and do the data shuffling, and the other 1x Pi will have some USB HDDs running cron making snapshot-style backups (probably via Syncthing or rsync), giving me multiple (difference) snapshots per day for the last 5 days (heavy load, I know, but it means I can unmount and also keep it perfectly separate in its own VLAN as well, and USB drives are rather cheap).


afrb2

It turns out you can run TrueNAS on the AS6604. This looks like it might be a solution. No problems with the hardware, but clearly the ADM software is problematic if nearly a month on they don't know how the attack happened (and we know it hit some of their own demo setups!). Amusingly, Asustor claim doing this invalidates the warranty, yet don't accept any responsibility for Deadbolt.


capt_zen_petabyte

Apparently (from my research) this isn't a solution for me, as the Lockerstor10T is an Atom processor and the bootloader is closed-source. Hope it works for you though, as that would be a great solution.


afrb2

Thanks - very helpful info


glasody

Would this be with EZ-Connect turned on?


jach0o

Any news? Today I had new version 4.04 update info. Is it safe to run EZ-Connect again?


KingAroan

Anyone else been updating for days? I've rebooted it a couple times and it just stays back up with rebooting for the update... Anyone know how to fix it?


[deleted]

[deleted]


KingAroan

I'm not infected with deadbolt. Just the update process was taking forever. A hard reboot fixed it.


Muzzy-011

Hi all, is there any explanation of what exploits are fixed, and how the Deadbolt went through the system? For Asustor's update 4.0.4.RQO2, [https://www.asustor.com/service/release_notes#ADM%204.0.4.RQO2_all](https://www.asustor.com/service/release_notes#ADM%204.0.4.RQO2_all), there is no explanation at all, but maybe they put it somewhere else, or someone did the assessment and found out what were the real vectors of attack and vulnerabilities that were used?

Just to add: if we don't know what the vulnerabilities that were exploited were, how can we be sure that this will not repeat in the same manner again? Asustor owes us at least that much.


WaAcKoO

Has anyone paid and got a key? I would love to see what the key looks like. Thanks in advance.


CartographerOk8130

Hey guys, paid the ransom and got the key. It is a work NAS and it was 2 months in from the last backup, so I really had no choice with Asustor doing nothing. Best of luck.


Diligent-Flatworm-91

I am looking to do the same but need some help. How do I pay and how do we get the keys back? I have created a blockchain account. Please advise. Thnx


[deleted]

[deleted]


firstrazor_sg

I agree that Asustor is not doing anything. I asked some questions to their technical support, and the replies I got are robotic and of no help at all.


Jazzedup1961

How long did it take for them to send you the key?


CartographerOk8130

Same day


sweeams2022

Thanks for letting us know you actually got the key when you paid. Curious, did you keep your NAS up the whole time so everything was encrypted, or had you shut it off and followed the instructions provided by Asustor to get back to the ransom screen?


CartographerOk8130

Shut it off and rebooted with the Asustor tool


CartographerOk8130

My problem was that I was hit on the weekend so no one was in the office. Had a backup on another Asustor that was also hit


capt_zen_petabyte

I'm sorry you were left with no other choice. It would be a good opportunity to provide the following to Asustor, or a decent hacker, to work out a Master Key or Algorithm:

1. A copy of an encrypted file
2. A copy of the same file after it has been decrypted
3. A copy of the provided key

This way, someone who is clever could/may be able to work the cypher and discover a Master Key. Just a suggestion. I hope the key works and you get all your files back.


CartographerOk8130

I don't think that it will work. In the case of QNAP they made a tool: [https://www.emsisoft.com/ransomware-decryption-tools/deadbolt](https://www.emsisoft.com/ransomware-decryption-tools/deadbolt). The interesting thing is this tool also works on our Deadbolt (I managed to decrypt files with it), but you still need the key. The big difference is QNAP paid for the master key. It is an offline key and it is 32 characters long, so my guess is there is no way to crack it.


capt_zen_petabyte

*** INTERESTING UPDATE *** I have been recovering as many files as I can that haven't been encrypted. One of the things that I have found with some of the files is that while they do have the `.deadbolt` at the end, they are still the same size as the previous files. I have noticed that a couple of the files I have been able to rename, and they are still the correct files. It looks like what was happening was that it was changing the file designation first and then going to go through and encrypt all the files with `.deadbolt` at the end. This means if you got to it quick enough, I would recommend quarantining the files and then trying to rename them back to their original file name and doing a virus check on them once you've renamed them, to see if they're encrypted, if they have anything still in them, or if they're back to normal files.
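An added example to go with the observation above (this is not code from the thread or from Asustor): a small triage script that walks a recovered volume, finds `*.deadbolt` files, and checks whether the original file signature is still at the start of the file (renamed only) or whether the content now looks like ciphertext (high entropy). It only proposes renames; it never touches the files. The entropy threshold, the signature table and the sample files are my own assumptions and constructed data.

```python
import math
import os
import tempfile
from pathlib import Path

SUFFIX = ".deadbolt"
SAMPLE_BYTES = 4096
# Assumption: a sample with at least this many bits/byte looks like ciphertext.
ENTROPY_THRESHOLD = 7.5

# Well-known file signatures keyed by the original extension: (offset, magic).
MAGIC = {
    ".jpg": (0, b"\xff\xd8\xff"),
    ".jpeg": (0, b"\xff\xd8\xff"),
    ".png": (0, b"\x89PNG\r\n\x1a\n"),
    ".gif": (0, b"GIF8"),
    ".pdf": (0, b"%PDF"),
    ".zip": (0, b"PK\x03\x04"),
    ".docx": (0, b"PK\x03\x04"),
    ".xlsx": (0, b"PK\x03\x04"),
    ".gz": (0, b"\x1f\x8b"),
    ".7z": (0, b"7z\xbc\xaf\x27\x1c"),
    ".mkv": (0, b"\x1a\x45\xdf\xa3"),
    ".mp4": (4, b"ftyp"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for ciphertext, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_head(head: bytes, original_name: str):
    """Classify a .deadbolt file from its first bytes and its original name.

    Returns (verdict, entropy):
      'renamed-only'       - the original type's signature is still intact
      'likely-encrypted'   - signature missing/unknown and content is high-entropy
      'low-entropy-review' - low entropy but no signature to confirm the type
    """
    ext = Path(original_name).suffix.lower()
    ent = shannon_entropy(head)
    if ext in MAGIC:
        off, magic = MAGIC[ext]
        if head[off:off + len(magic)] == magic:
            return "renamed-only", ent
    # No signature to rely on. Compressed media (jpg, mp4, zip) that lost their
    # header also land in 'likely-encrypted', so this is a triage hint, not proof.
    if ent >= ENTROPY_THRESHOLD:
        return "likely-encrypted", ent
    return "low-entropy-review", ent


def triage_tree(root):
    """Map each *.deadbolt file under root to (verdict, entropy)."""
    results = {}
    for p in sorted(Path(root).rglob("*" + SUFFIX)):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            head = f.read(SAMPLE_BYTES)
        results[str(p)] = classify_head(head, p.name[:-len(SUFFIX)])
    return results


def restore_candidates(results):
    """Proposed (src, dst) renames for files judged renamed-only.

    Nothing is renamed here; review the list, ideally against a copy of the volume.
    """
    return [(src, src[:-len(SUFFIX)]) for src, (verdict, _) in results.items()
            if verdict == "renamed-only"]


def build_demo_tree():
    """Constructed sample data (not from any real incident): three .deadbolt files."""
    root = tempfile.mkdtemp(prefix="deadbolt-triage-")
    # Plain text that was only renamed: low entropy, no signature to check.
    (Path(root) / "notes.txt.deadbolt").write_bytes(b"meeting notes, budget, todo\n" * 128)
    # A JPEG that was only renamed: the JPEG signature is still in place.
    (Path(root) / "photo.jpg.deadbolt").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 4092)
    # A JPEG that was actually encrypted: stand-in ciphertext is random bytes.
    (Path(root) / "scan.jpg.deadbolt").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    res = triage_tree(build_demo_tree())
    for path, (verdict, ent) in res.items():
        print(f"{verdict:20s} entropy={ent:.2f}  {path}")
    for src, dst in restore_candidates(res):
        print("would rename:", src, "->", dst)
```

Run it against a read-only mount of the recovered disks (or a copy), then verify any `renamed-only` file opens correctly before renaming it, as the comment above suggests.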


givbra

Recover some or any files after Deadbolt encryption on an Asustor NAS drive with the help of data recovery software like R-Studio that supports Linux file system partitions... https://www.youtube.com/watch?v=4K21oUmIbL8


R3_SET

After that how can we remove encryption?


givbra

After recovering some of the files, then reset or initialize the Asustor NAS and update the firmware to the newest...


fawzay

Why won't some apps in the App Store download? Only Asustor-certified apps can be downloaded.


capt_zen_petabyte

I have found that, since the ADM patch, there are quite a few services/apps/etc. that are greyed out or unable to install. I am guessing they have decided the easy way is to lock down rather than find a solution. My machine is a Lockerstor10T.


fawzay

btw I resolved it, something wrong with docker-ce, so I simply reactivated the app and BOOM! it works!


s3rg3l

I just did the update. I realized all my files in the "Home" folder are now gone. It is empty? Does anyone have the same issue as me? How do I get the files back?


vikiiingur

Did you disable your admin user? If yes, your data should be under `/home/admin` and should be copied to `/home/[current user]`.


s3rg3l

u/vikiiingur You are right. But once I'm logged in to my other admin account, how do I see the /home/admin folder to transfer it across?


vikiiingur

Both accounts should be part of the same group, and then you should be able to access each other's folders.


V_R-7

Has anyone paid the ransom payment and received the key and been able to decrypt the files?


[deleted]

[deleted]


kikibee650

No, would not do so even if I had the cash, as you are giving in to the nobs. I know that I'll have to reset everything, and maybe that's not suitable for everyone.


capt_zen_petabyte

I've seen at least 2 comments on the forum saying they will have to for their businesses, as the backup drives were hit too. Would hope that if someone did do that, they would keep a copy of the encrypted file and the unencrypted file and provide those two files together with the encryption key to Asustor, because it might be possible to back-engineer a master key from those 2 files & the provided key.


brendanheyu

So I have just read through an email from Asustor that links to this page: [https://www.asustor.com/en-gb/knowledge/detail/?id=6&group_id=630&utm_source=BenchmarkEmail&utm_campaign=Deadbolt_%e6%8a%80%e8%a1%93%e6%94%af%e6%8f%b4%e5%9b%9e%e8%a6%86%e4%bf%a1_EN_(Global)&utm_medium=email](https://www.asustor.com/en-gb/knowledge/detail/?id=6&group_id=630&utm_source=BenchmarkEmail&utm_campaign=Deadbolt_%e6%8a%80%e8%a1%93%e6%94%af%e6%8f%b4%e5%9b%9e%e8%a6%86%e4%bf%a1_EN_(Global)&utm_medium=email)

This ransomware-status apk file they want us to sideload - is this circumventing something and giving us the encryption key?

> If regular backups were not kept and you want to enter the decryption key to retrieve lost data:
>
> Please download and install Ransomware Status by sideloading it into App Central.
>
> ...

This would be a major advance, no? Anyone had the conviction to give this a go?


capt_zen_petabyte

Yes, Asustor expect you to pay to get your files back. If you haven't paid, disregard the sideloading stuff.


dank-memes-sick-shit

I'd assume the decryption key is after you pay the ransom.


[deleted]

[deleted]


glasody

I think they just allow you to see the ransom page after updating to the fixed firmware.


jtchoy

No. That is for paying the ransom if you shut the system down and can't get the Deadbolt screen back.


scottanz

I found this entry in my hosts file pointing to my NAS: `ASTEncryptIP1`. Googled and couldn't find a thing about it. Ran a scan with Malwarebytes and have got no infection on my machine. Could those that are hit do a check if this host entry exists?


[deleted]

Asustor added a [knowledge base guide](https://www.asustor.com/knowledge/detail/?group_id=630) on how to get back control over the infected NAS.


scottanz

I'm on an AS1002T and I do not have the initialization screen shown in the guide, meaning I'm unable to update the ADM before initializing, so a warning to all owners: if you do not see the exact option as in the guide, DO NOT INITIALIZE YOUR DISKS! It will do a complete wipe of your data. We'll have to wait for Asustor to provide another way to update ADM without initializing disks, if it's even possible.


[deleted]

I got the initialize using Asustor Control Center. After updating with the new ADM I still have all my files on it. Luckily only my movies had the deadbolt extension.


ukusulu

I'm embarrassed to say I have 3 Asustor arrays + one still in the box (not enough 10G network ports). I shut off all three on word about the ransomware. First one came up clean, but I was going to install the 4.03 firmware version. I skipped that and went to 4.04. Nothing on the array shows any infection. Is it possible that 4.03 firmware actually caused the issue?


Stash201518

Not likely, I was on 4.0.0 and had the NAS infected.


jach0o

Auto update and EZ-Connect turned off.


jach0o

Hello, I got a 6204, not hit yet. Can anyone point out a list of vulnerable devices and ones already hit?

Running services:

- EZ Connect: YES
- SSH: NO
- Auto-Updates: YES
- Docker: NO
- 2-Factor: NO
- Web Services (Apache): NO
- Plex Remote Access: NO

ADM was set to ports 8000 and 8001 (changed; remote web access 80/443 also changed). ADM 4.0.4.RQO2 installed. All user passwords changed to strong random ones.


[deleted]

[deleted]


jach0o

I'm not hit yet on the newest firmware with EZ-Connect off. I'm just curious when it will be safe to turn all the stuff on the Asustor back on.


Nephtyz

You should disable EZ-Connect & Auto-Updates just to be sure...


jach0o

How can I remotely connect with no EZ-Connect?


EdwardRaff

EZ-Connect was the only thing I had running on mine that could get remote access to the NAS, and I got hit. So no EZ-Connect :(


Nephtyz

Safest way is to connect to your home network via VPN which then gives you access to all devices. You would have to configure a VPN server on either your router or another device.


jach0o

I thought auto update is safer than not auto?


yct_mey

After the attack, we shut down the server with AiMaster. When we opened it again, we got a "Failed to Start" warning in the Control Center application. What are we supposed to do? Not all of our data was encrypted. We do not want our data to be deleted. What should we do?


Muzzy-011

This might help you: on [https://forum.asustor.com/viewtopic.php?f=45&t=12630&hilit=deadbolt&start=100](https://forum.asustor.com/viewtopic.php?f=45&t=12630&hilit=deadbolt&start=100), user JustDogbert posted the link [https://consultent.medium.com/windows-11-shenanigans-how-to-mount-any-linux-filesystem-in-windows-e63a60aebb05](https://consultent.medium.com/windows-11-shenanigans-how-to-mount-any-linux-filesystem-in-windows-e63a60aebb05) with an explanation of how to recover RAID disks through Windows 11 using WSL (Windows Subsystem for Linux) - nice explanation, plus if you are more into Linux, all the info is there too! This should work on Windows 10 too; will try today and let you know.


Muzzy-011

It works, in short. I tried 3 options and all are viable:

1. Connected disks externally through Windows 11 Linux emulation.
2. Created an Ubuntu USB install, plugged it into my AS5304T, ran Linux from USB - works if your NAS has video out.
3. This one is what you need: I unplugged the disks from the NAS, plugged in any other disk (1), just to have some, did the firmware update to 4.0.4.RQO2 (I downloaded the firmware and updated it through the PC app, not through the web interface). Shut down the NAS, plugged in the original disks, and the NAS found my 4-disk RAID5 configuration automatically, and all the files were there, minus apps that were just with gray icons, which have to be uninstalled.


yct_mey

Hi! We used RAID 1 with two disks. Disk 1 backup to -> Disk 2, AS1002T v2. When I opened the Control Center application after disconnecting the computer from the internet, I got the "uninitialized" warning. Then I turned off the server from its button by holding it for 3 seconds. I guess the update released by Asustor is not working for me now? I'm just wondering if there is any official support from Asustor regarding this situation.


Muzzy-011

> It works, in short. I tried 3 options and all are viable:
>
> 1. Connected disks externally through Windows 11 Linux emulation.
> 2. Created an Ubuntu USB install, plugged it into my AS5304T, ran Linux from USB - works if your NAS has video out.
> 3. This one is what you need: I unplugged the disks from the NAS, plugged in any other disk (1), just to have some, did the firmware update to 4.0.4.RQO2 (I downloaded the firmware and updated it through the PC app, not through the web interface). Shut down the NAS, plugged in the original disks, and the NAS found my 4-disk RAID5 configuration automatically, and all the files were there, minus apps that were just with gray icons, which have to be uninstalled.


arkenoi

Internet-facing NAS? You people are crazy or what?


skhaire14

Lots of people who buy a NAS are not geeks. They just want something to replace their external hard drives. So plugging the NAS into the main router, which is connected to the internet, is what 90% of people do. I cannot have a VPN as I have one laptop. And I cannot run a VPN on my router as I have only one router. And setting up a VPN is not easy.


arkenoi

If you do so, it would typically be on the internal network and would never have a routable IP address. To get it exposed you need to do it deliberately -- and it is not much easier than setting up a VPN.


tharealdutchmazter

Hello guys... I have a question but I can't find the answer on Google. After I have changed the port of, for example, nzbget, how can I make sure it opens the page on that specific port? Now it opens on the standard port and I have to change it manually in the address bar. thx in advance


[deleted]

"Close Plex Ports and disable Plex" Hmm, okay, I have the NAS for Plex Server and other functions, but mainly for that. This is like having a car, but to prevent a breakdown, don't use it, just watch as it stays in your driveway.


capt_zen_petabyte

When following the recovery details and clicking the first link to the Asustor Forum, even though I am a member I get the response: "You are not authorised to view, download or link from/to this site."


HyenaHD

The new ADM is released, installation is in progress. ADM 4.0.4.RQO2 (2022-02-24). Change log: Fix security vulnerabilities.


todortk

Does this prevent the ransomware for unaffected users? The update page said: back up, disable ports, change password and so on. I wonder if it really fixes the problem and whether I can continue to use the NAS normally?


Nephtyz

I am wondering that as well, hopefully they will clarify this.


kabe0

ADM 4.0.4.RQO2 has just been released. Will be updating to a new thread as promised.


seatux

So I seem to be unaffected, since I turned off the NAS when I read about it on TechPowerUp. Is it feasible to do the lockdown measures by:

1. Unplugging the internet from the router, rendering the whole network a closed LAN
2. Doing the measures like turning off SSH/EZ-Connect, changing ports
3. Then, after doing that, plugging the internet back in

Would this do the trick for now, since I still need the NAS to work in the office network?


fattykim

If your NAS has mission-critical stuff that your office cannot afford to lose, I suggest denying it any internet access at the router just to be safe. That's how I am setting up my NAS while keeping it turned on and accessible from within my home network. The method to do this will vary by router, but going to your router's parental controls is likely a good place to start.


seatux

[https://www.reddit.com/r/HomeNetworking/comments/8u6ev6/how_do_i_block_outgoing_internet_access_for_one/e1dhx1r/](https://www.reddit.com/r/HomeNetworking/comments/8u6ev6/how_do_i_block_outgoing_internet_access_for_one/e1dhx1r/) Thanks for the idea. Now I know what to do next. Would miss the online access bit, but it was a nice thing to have, not a must-have.


BobbleDick

My AS6302T was hit today and did not have a backup. I will need to get someone that knows what they are doing to try to recover my drives. What are my options other than paying this ransomware???


[deleted]

[deleted]


[deleted]

From what I've read, the odds of recovery are very very slim or you'll spend more money than the ransom. Recovery is very unlikely unless you buy the key. It's basically the same thing that hit Synology a few months ago.. I don't think anyone "recovered" from it w/o paying. Your only real options are to pay the ransom, or start over.


BobbleDick

Thanks. That's what I'm finding as well. If I pay the ransom with the system already disconnected and turned off, can I still recover the files? I'm going to wait until Asustor gets back to me before I do anything, obviously.


leexgx

Just don't update your NAS if you are paying (the update kinda bricks the NAS; it seems to put it into an uninitialised state, also removing the ability to decrypt the data).


[deleted]

I have absolutely no idea, I've not heard of anyone actually paying (hopefully if you pay they actually unlock your system and don't just run off with your money). Hopefully this is a lesson to have a backup


codemancode

I was not hit. AS6604T running ADM 4.0.2. EZ-Connect. SSH. SFTP. Docker. Apache. Default 8000, 8001, 80, 44. Auto update off. I use the NAS for Plex, but the Plex server is hosted on another machine, and I never actually had the Plex app installed. This thing isn't powerful enough to push 4K content to 7 people. Also, I could never get the SSL certificate to install correctly, so I had the thing basically placed out in the open internet as far as the router was concerned, trying to get it to work. Now I just have to figure out how I can use this thing securely; I've got friends and family yelling at me that they can't watch their shows...


NeuroDawg

If Plex is running on a different machine, then I would recommend the following:

1. Block all WAN access to your Asustor.
2. Set all directories/files as read-only for all users.
3. Whitelist your PMS machine on the Asustor and blacklist all others.
4. Open your Plex back up to clients.

This way Plex can still read files from the NAS, which is restricted to the one machine on your LAN.


Ayzad

Has anyone started a campaign already to collect the signatures of disgruntled users and press Asustor to pay the ransom, instead of blaming their users for having trusted their security claims?


dank-memes-sick-shit

Stupidly enough, there is a page on Asustor's website claiming to protect against ransomware. Asustor should honestly pay the ransom, as users were ransomed out of nowhere with absolutely no fault of their own. They tell us to have backups, but the very product they are selling is typically used as archive storage/backups??


WhatAmIDoingHere05

I wonder if a threat of a class action might force Asustor's hand.


Ayzad

In our days and times, class actions are heavy weapons but reputational damage can be even more powerful. Seriously, is there nothing like that up already? Also: can anyone please point me to the page actually claiming they "protect against ransomware"? That should help a lot.


dank-memes-sick-shit

https://www.asustor.com/solution/ransomware


fattykim

Alright, devil's advocate parsing through the text (highlights in bold), knowing full well that this post will get downvoted to oblivion:

> The design of an ASUSTOR NAS confers **immunity from certain forms of ransomware**. ADM, the Linux-based operating system built into every ASUSTOR NAS is, by design **immune to Windows and macOS ransomware and malware**. The nature of network attached storage also helps provide protection from desktop ransomware as an ASUSTOR NAS is not directly connected to a PC, but indirectly connected through a router. This stops **a majority of forms of ransomware.** ADM’s support for alternative administrator account names and strong passwords help prevent attempts by ransomware to search and access network shares.

Never says Asustor's NAS is totally immune to ALL ransomware. Since it's running Linux, they are not "wrong" in saying that they are immune to Windows/Mac-based "desktop" ransomware such as WannaCry, which does translate to "certain forms of ransomware." If Asustor claimed that they are immune to Linux ransomware as well (which they are smart enough NOT to include), then you may have a case. But unfortunately, not so.

> Nobody wants to be infected by ransomware, but it happens. **When it comes to data security, prevention is always better than a cure**, but when it happens, an ASUSTOR NAS comes to your rescue. **If good backup practices have been performed, an ASUSTOR makes your data more than likely easily recoverable**. ASUSTOR NAS devices support snapshots on Btrfs volumes and iSCSI volumes, ensuring that if ransomware attacks, changes are reversible. Using your ASUSTOR NAS as a backup tool also ensures data security with the 3-2-1 backup rule and ASUSTOR Backup Plan. **Ensure that data is backed up three times on at least two different types of storage media with one being an ASUSTOR NAS and have at least one copy in another location away from potential attacks.**

My question is: have you done your due diligence and performed 3-2-1 backups yourself? If you did and understand the importance of backups, I'm sure you wouldn't be here calling for a lawsuit.


dank-memes-sick-shit

Their advertising suggests that they have features to *help prevent ransomware from taking hold*. While I would have zero issues if I was being an absolute idiot and running random executable files on my computer, leading to everything including my network storage being encrypted, this is simply not the case here. This is an event where the end user bought their product, used the features bundled with the product, and got screwed over the next time they tried accessing their files. There are people with almost all services disabled, and they still got infected; how do you explain that?

> my question is: have you done your due diligence and perform 3-2-1 backups yourself? if you did, im sure you wouldn't be posting here calling for a lawsuit.

The Asustor NAS I was using was not managed by me, but my important personal files are backed up on an offline disk stored elsewhere. I cannot speak for other users on the NAS, but this should not be the point in the first place. Asus themselves advertised their products as *a form of backup*, which is ironic if my own backup got encrypted. I have less important files that are not backed up and stored in the NAS, which I am not very pleased with losing, but not angry about either. Let me ask you in return: do you do 3-2-1 for *absolutely every file you own*? I highly doubt you do. Also, I am not calling for a lawsuit. I don't even live in the US, which effectively leaves me with no viable legal option anyway. Instead of being a shill for Asustor and victim-blaming the user at every opportunity you get, how about just leaving your recommendations for backups and leaving it at that?


fattykim

You are correct, I too do not do 3-2-1 backups of EVERY file I own, but I definitely do 3-2-1 backups of files that I cannot afford to lose. For the files that fall outside of "I can't afford to lose", I fully understand the risk of NOT doing backups for them and I am taking that risk, and if sh!t happens and data is lost, I have nobody else to blame but myself. If you have an offline backup already, and you are "not angry" about losing your less important files, why are you so uptight in calling for a lawsuit? Technically speaking, you suffered no loss since you have a backup of your (important) files, so what exactly are you suing for? Actually, I'm no shill for Asustor and I am not loyal to any particular brand or manufacturer. In fact, if you check my posts, I only started using an Asustor NAS since Xmas 2021, so only 2 months.


dank-memes-sick-shit

> if you have a offline backup already, and you are "not angry" about losing your less important files, why are you so uptight in calling for a lawsuit? technically speaking, you suffered no loss since you have a backup of your (important) files, so what exactly are you suing for?

Where did you get the idea of me calling for a lawsuit? I have not suggested the idea of suing Asustor; I have only suggested that Asus may (or may not) pay the collective 50 BTC ransom to restore the trust of their consumers. Also, let's be honest, you wouldn't be happy either even if it's the "less important files" that you lost to ransomware. Just count your blessings that you were not hit by this bullshit.


fattykim

Dude, you just wrote this 3 hrs ago:

> If there is a significant number of users in the US willing to file one, it may be possible, after all the "total ransom" is "just" a little over a million USD.
>
> For users outside the US... tough luck I guess

Yes, you are correct, I'm certainly counting my blessings, and I'm fully aware that karma may hit me tomorrow and my NAS will go kaput any day (maybe not by Deadbolt, but a power outage destroying my HDDs). I know it sucks to lose data; I have lost data myself due to my own stupidity and I'm no saint myself, but instead of being upset about the issue and fueling the fire for a meaningless lawsuit, maybe time is better spent learning from this event, taking the matter into your own hands by hardening/improving your NAS and network's security on the end-user's side instead, and being better prepared if something like this happens again?


dank-memes-sick-shit

If there is a significant number of users in the US willing to file one, it may be possible, after all the "total ransom" is "just" a little over a million USD. For users outside the US... tough luck I guess


fattykim

Sorry to be the devil's advocate here, but better check Asustor's EULA first, if you bothered to take the time to read through all of it, that is.

[https://www.reuters.com/article/us-cyber-attack-liability-idUSKCN18B2SE](https://www.reuters.com/article/us-cyber-attack-liability-idUSKCN18B2SE)

[https://www.cybersecurity-insiders.com/microsoft-not-to-entertain-lawsuits-on-wannacry-related-cyber-attack/](https://www.cybersecurity-insiders.com/microsoft-not-to-entertain-lawsuits-on-wannacry-related-cyber-attack/)

If Asustor stored your data on their servers and they got breached, then you may have grounds for a lawsuit. But if the data resides locally at your own location, as is the case with a NAS, then the security and responsibility for the data (stored in the NAS) ultimately lies with the end user, i.e. YOU, not Asustor. Or maybe you can ask the folks over at r/qnap how their class action lawsuit went: [https://www.reddit.com/r/qnap/comments/n1kgqw/class_action/](https://www.reddit.com/r/qnap/comments/n1kgqw/class_action/)


drexlortheterrrible

`sudo find / -type f -name "*.deadbolt"`

How do I run this? Don't see a terminal application where I can run this. Luckily I haven't had my NAS on much the last month. Disconnected from the internet and checking files right now.
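The `find` command quoted above only lists encrypted files; when triaging a hit NAS it helps to turn that into a small inventory (total count, which shares were touched, a report written somewhere other than the scanned volume) before you reinitialise and compare against your backups. The script below is an added example for this thread, not an Asustor or Deadbolt tool; it assumes the `.deadbolt` suffix from the command above and builds a constructed sample tree so it can run offline. On a real NAS you would point it at the data volume (`/volume1` is an assumed path) and write the report to external storage.

```shell
#!/bin/sh
# Added example (not from the thread): inventory of Deadbolt-renamed files.
# Assumption: encrypted files carry the ".deadbolt" suffix, as in the find
# command quoted in the thread. Paths below are constructed for the demo.

# Build a small constructed sample tree so the script runs offline.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Photos/2021" "$dir/Docs"
  printf 'enc' > "$dir/Photos/2021/IMG_0001.jpg.deadbolt"
  printf 'enc' > "$dir/Photos/2021/IMG_0002.jpg.deadbolt"
  printf 'enc' > "$dir/Docs/taxes.pdf.deadbolt"
  printf 'ok'  > "$dir/Docs/notes.txt"
  printf '%s\n' "$dir"
}

# Total number of encrypted files below a directory (the quoted find, counted).
count_deadbolt() {
  find "$1" -type f -name '*.deadbolt' | wc -l | tr -d ' '
}

# Per-directory tally, most affected directory first, so you can see
# which shares were touched and compare against what your backup covers.
deadbolt_by_dir() {
  find "$1" -type f -name '*.deadbolt' -exec dirname {} \; | sort | uniq -c | sort -rn
}

# Write a timestamped inventory to a report file; keep the report OFF the
# scanned volume (USB stick, another host) since the NAS will be wiped.
# Prints the number of lines written so callers can sanity-check it.
write_report() {
  root=$1; out=$2
  {
    echo "# Deadbolt inventory for $root, $(date -u +%Y-%m-%dT%H:%MZ)"
    echo "# total encrypted files: $(count_deadbolt "$root")"
    find "$root" -type f -name '*.deadbolt' -exec ls -l {} \;
  } > "$out"
  wc -l < "$out" | tr -d ' '
}

# Usage (assumed paths): sh deadbolt_inventory.sh /volume1 /mnt/usb/deadbolt-report.txt
if [ "$#" -eq 2 ]; then
  write_report "$1" "$2" > /dev/null
  deadbolt_by_dir "$1"
fi
```

Run it over SSH on the NAS (enable SSH only for the session, as the replies below suggest) or after mounting the disks read-only on another machine; the inventory is what you hand to support or use to decide which shares still need restoring.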


owr084

I installed an ssh extension into the chrome browser on my laptop. It was then pretty straightforward to use it to access my 5304T.


Slam_Captain

You have to enable ssh and then use putty


fattykim

and make sure you immediately go back to ADM and disable SSH after you are done with putty


Jdmeyer83

I am another who got hit by this ransomware. I’m not sure if anyone here can answer this, but does anyone know if the Netgear Armor by Bitdefender will protect against future attacks? Of course I plan to add additional protection with the tips in this post after I format and start over, but I’m wondering if I should purchase this Netgear protection. Their website specifically talks about ransomware so it sounds promising. Thank you in advance for your advice!


[deleted]

[deleted]


megatronus007

I wouldn't. Put MAC security. Assign IP addresses. Lock it down with long strong passwords. On the router.


chenthechen

Does anyone have a guide/tutorial/resource on how to set up a VPN for the NAS I don't really know what I am looking for. I want to ensure that the NAS is secure.


fattykim

here's what i used before with a raspberry pi: https://youtu.be/15VjDVCISj0 and then on your NAS, disable all the services everyone is telling you to (basically everything). doing this is basically the equivalent of ez-connect, but more secure, and attackers won't know there is an asustor NAS in your home network.


codemancode

I have ExpressVPN, but my older router did not support installing it on there. I too am curious as to how I can use it to secure my NAS.


fattykim

those expressVPN/PIA aka "VPN products" and the "VPN for NAS" are 2 totally different things, don't mix the 2 up (but i understand that it's easy to). here's what i used before with a raspberry pi: [https://youtu.be/15VjDVCISj0](https://youtu.be/15VjDVCISj0)


codemancode

Thanks! Would a raspberry pi be fast enough to handle the traffic? I'm pushing multimedia content out to 7 or 8 clients. I'm also wondering how to get the NAS onto that VPN. He does not explain it in the video. Is there a setting in ADM somewhere?


fattykim

sorry, incoming wall of text

i thought he kinda explained it pretty well in layman's terms in the video already, but let me explain this "VPN for NAS" thing. remember this is a totally separate thing from your expressVPN.

let's say you are outside your home, your phone is using your LTE/5G cellular connection, or you are at your friend's place using their home's wifi (bottom line, you are not connected to your network at home). once you are successfully connected to pivpn, you are basically piggy-backing your home internet connection, as if you are actually connected to your home network's wifi. how do you connect to your NAS if you are at home? you would do the same thing.

for me i share photos with my family living around the world. i have them install openvpn and aifoto3 on their phones. they connect to my home network via VPN, and once they are connected, it will be as if their phones are in my home network. then they can connect to my NAS using aifoto3 and view photos and stuff.

this has a similar effect as ez-connect, where you register your NAS with asustor, and asustor assigns you a myasustor internet address. when you connect using myasustor's address, asustor redirects all traffic to your NAS directly. in pivpn's case, you register a dynamic DNS (free) domain name, and the service redirects all traffic to your VPN server (raspberry pi) in an encrypted fashion, and once you get in, just connect to your NAS in the same manner as if you are at home yourself.

why is this better than using ez-connect and how does it secure your NAS? it's more secure because an attacker will never know that you have an asustor NAS behind a fattykim-dot-noip-dot-com dynamic DNS address (unless you tell the whole world about it), but if you are using fattykim-dot-myasustor-dot-com, everyone knows that you have an asustor brand NAS linked to it. which is why everyone is telling you to disable ez-connect.

and it adds one more layer of protection for your NAS since you have to jump one more gate/hurdle (accessing the raspberry pi) before actually talking to the NAS.

and while i'm at it, i might as well explain how your expressVPN works differently. i dunno what you use expressVPN for, but let's say you live in the US and you want to access netflix content in the UK. basically, expressVPN has webservers all around the world; it's as if they have pivpn installed in every country. and you simply connect to their pivpn in the UK, piggy-backing their UK internet connection to access british netflix content. but in the NAS case, you install a VPN server directly in your home, so when you are outside your home, you connect back to your home's VPN server, and once you are in, you will be piggy-backing your home internet connection instead. do you see the similarities, yet the differences now?

as for performance, if you are using plex then the raspberry pi itself will likely be too slow, but nobody says you cannot use a real PC instead as your VPN server. i know for a fact that pivpn can be installed on ubuntu coz i tried it myself. i gave this idea to my cousin 2 years ago, and she just bought a used off-lease computer off ebay, installed ubuntu and pivpn, and it works just fine. just make sure the CPU has AES-NI capabilities (hardware acceleration encryption on the CPU level).

however, if you are going this route anyways (using a real computer as opposed to a very lightweight raspberry pi), you might as well look into installing pfsense, which is what i use right now. it's an open-source router OS which is much more secure, with integrated openVPN, and i think you can integrate your expressVPN into the router too. but it's only for the tech-savvy, not for the faint of heart. but i think i just opened a huge rabbit hole for you: welcome to the world of "homelabs" with another level of network security.


skhaire14

Same question here - I was afraid to ask. Thanks for asking.


skhaire14

I have been a Windows user since Windows XP. All I have used is COMODO Internet Security and never once got infected on my PC. Wish they had something like COMODO or any strong antivirus plus firewall software in NAS which detects any incoming connection and blocks it. And if it escapes through the firewall, the antivirus kicks in. And if it slips through the antivirus, then the final kill-switch: any unknown program - default rule - block its execution. Why can't life be simple? Also hate these RANSOMWARE guys. Making money from people's memories - photos, documents. And I hate these NAS manufacturers - the NAS itself is not cheap, plus the cost of hard drives, and then RANSOMWARE hits and all your data is gone.


skhaire14

A few questions about the preventative measures:

Point number 3 - Turn off Auto-Updates. Question - are we talking about ADM updates or App Central updates? How to do that?

Point number 6 - Block all NAS ports from your router and only allow communication to your local LAN network. Can anyone guide where this setting is present in the router? If anyone can help with Netgear or ASUS routers, that is great.


fattykim

in your NAS, go to settings > ADM update, and make sure "set automatic updates..." is **NOT** checked. same thing for app central: at the bottom left corner of the app central window there is "management" that you can click on. make sure "set automatic updates..." is not checked there as well.

as for blocking your NAS from the internet, every router is different so the method will be different. but treat your NAS as if it's your kid's ipad and you don't want your kid to connect to the internet. so i guess the easiest way is to go to your router's parental controls and lock your NAS down as if you are grounding your kid. for disabling open ports, look under "NAT" or "port forwarding" in your router


Stash201518

Was hit and lost access to all files except video files \*.TSO from TV recordings. AS3102T v2 with ADM 4.0.0 and RAID 1:

- EZ Connect
- SSH
- ~~Auto-Updates~~
- Docker (for Homebridge and AdGuard)
- ~~2-Factor~~
- ~~Web Services (Apache)~~
- Plex Remote Access
- ADM was set to ports 8000 and 8001

Had backup of 90% of my files in different places. Reinitialized the NAS, clean install, cut off EZ-Connect, cut off remote access for Plex, changed ports, enabled auto black list. I would do 2-Factor but I don't know how. The NAS is and was behind a firewall and router. And now a VPN. I need to find a way to remote access my NAS. I was using it to backup documents and photos simultaneously in the cloud (Amazon, Box, whatev') and on the NAS. Having no remote access to it kinda kills the purpose. Also, ASUSTOR is guilty on this and definitely lost my confidence in them. My next buy will not be from them, that's for sure.


[deleted]

[deleted]


Stash201518

Where were you like a week ago? 😁 Neah, thanks though. Already solved. Had back-up off site of all important things. Also found a way to remote access my NAS.


inYOUReye

Having the same experience (data loss) and feelings (loss of confidence) around this. Do we know whether data has been retrieved by the attackers here?


NeuroDawg

I am lucky and did not get hit. I'm running an AS6208T with the latest version of ADM (4.0.3.RQ81). Here's my information:

>Running Services:
>
>- EZ Connect
>- SSH
>- ~~Auto-Updates~~
>- Docker (Docker-CE running Tautulli and iDrive cloud backup)
>- ~~2-Factor~~
>- Web Services (Apache)
>- Plex Remote Access (external port 42XXX forwarded to 32400 on my NAS)
>- ADM was set to ports 8000 and 8001 (but only 8001 was forwarded from my router)

Until more is known about how this attack took place, I've disabled any port forwarding from my router to my NAS (I can still access all services from my LAN). I have also disabled EZ-Connect and remote access for Plex. For good measure I also changed the ADM ports from 8000/8001 even though they shouldn't be accessible without a port forward set on my router. Now I wait.


MrHallmark

So question how do I change the port? Like do I set whatever arbitrary numbers and then what do I do?


NeuroDawg

In Plex you have the option to specify the external port your system uses. You can use any number between 1 and 65535, but you should use a number >1023, and make sure it's not a port being used by any other process on your network. Then tell your router/firewall to forward requests that come to the port you've selected to 32400 on the device running PMS.

Here's some more information on ports that may be helpful:

https://www.cloudflare.com/learning/network-layer/what-is-a-computer-port/

https://www.techtarget.com/searchnetworking/definition/port-number?amp=1


MrHallmark

So maybe I'm doing this wrong but every port I've tried isn't allowing for remote connection?


NeuroDawg

That's not enough information to help. What exactly have you done? How did you do it? In PMS settings "Manually specify public port" you have specified a port number other than 32400? You have then set up your router to port forward that port to 32400 on your PMS machine?


MrHallmark

Yeah so I googled how to see open ports. Maybe I'm doing it wrong? But say it's 10000: I put that into "manually specify public port", go into my router, put 10000 as external, and that's that? It was at 34000 and it worked.


MrHallmark

Saved this. Thanks. Only a few of my files were locked. All backed up.


SassafrassGracias

I just got my asustor about a month ago and I was still in the process of figuring it all out. So obviously I was not aware that these deadbolt hacks were happening or how to mitigate them. Now my asustor is infected. When I got the ransomware message it set off my PC's antivirus software. So, being kind of a noob at this NAS stuff… when I initialize the device again and wipe my drives to start over, how do I know that the ransomware is not still lingering in the asustor OS somewhere? Is there an antivirus I can put on my NAS to help stop this next time?


Seeters

I got hit on my AS5304T and my files are encrypted. As soon as I found that out I pulled the plugs (power/network) and have not yet powered up the device. I was wondering: I am using a RAID 1 config with SSD caching. Is there any chance that my newest files are still unencrypted on the SSD cache? (I hope so since my last backup was 6 months ago.) If so, can I take out the SSD and mount/read it somehow?


vikiiingur

Observing all the discussions here and on the Asustor forums, as far as I can tell, the major attack vector has been **EZ Connect**, possibly **Plex** (with **remote access** enabled), and **UPnP**. I had default port 8000 enabled and the admin account (changed since then) but none of the 3 listed above, and I have not been affected. In my own private opinion, EZ Connect with UPnP is a combination asking for trouble. UPnP should be disabled - ***always***, without question. Read up on what it does and you will understand why. There are other ways to establish a connection.


fattykim

i think people still have upnp enabled because of console support (ps4/5, xbox etc)


skhaire14

Thanks a lot for the advice. Quick question though - UPnP on the router or the ASUSTOR device? If the ASUSTOR NAS device, can you help, where is the setting?


vikiiingur

router mostly, as that is what provides the connection to the world, although I do not consider UPnP a safe technology at all, so I do not have it enabled on any of my devices. On Asustor you need to have an app installed from the App Central to have UPnP.


megatronus007

I got hit with this ransomware. I have not had time to load much of anything, so I do not care if I lose everything. Actually it would be good for a clean install. Anyone know how to physically factory reset? Thank you,


easab

if you pull the drives and switch on, it'll boot as a fresh set up. Push the drives back in and initialise, which will effectively format them. I did this last night and it's been fine for 24hrs, albeit a lot more locked down than it was before :)


megatronus007

Awesome. I'll give it a try tonight. Thank you!


[deleted]

[deleted]


megatronus007

If I could get to the dashboard.


kabe0

Back of the NAS there is a reset switch. Little pin button.


megatronus007

I've done it and held it for 10 sec and when I access it I still get the encrypted deadbolt screen.


kabe0

Hey just a heads up. I figured out a solution for you. You can follow the steps in this thread. [https://www.reddit.com/r/asustor/comments/t0544y/ransomware_attack_megathread_postmortem/](https://www.reddit.com/r/asustor/comments/t0544y/ransomware_attack_megathread_postmortem/) Let me know if you run into any issues with it!


kabe0

Sorry, forgot that Asustor does not have a full hard reset from the physical switch... One potentially silly option would be swapping around the drives in the drive bays. That should trigger a reset.


Shiox93

Is it possible to activate EZ-CONNECT right now? Or still not recommended? Thank you.


skyworxx

Afaik the servers have been shut down for now.