Want_to_cry Ransomware on my NAS326

Javier38

Hi,

I´ve a NAS326 with V5.21(AAZF.18) firmware version and today morning i tried to access to my work information when i see all my files are encrypted with a .want_to_cry extension; also my folders contains a .txt file that tells me have to pay 300 btc to unlock the files.

I already resolved this problem replacing all files with a backup.

Now I want to protect my device of unwanted users, so i need to know how to install a firewall or antivirus to block external connections but keeping me possible to access from external devices (like smartphone o laptop on http adress) because if I select "allow only https connection" on 443 port i can´t access with navigator. Anyone can help me, please?

Thank you

suisei

A simple way to protect your NAS is by placing a firewall/router in front of it and allowing access only from specific IP addresses. If your NAS is using a private IP instead of a public one, you may also need to ensure that devices on the same subnet are properly checked.

Javier38

https://community.zyxel.com/en/discussion/comment/74219#Comment_74219

Thank you for your response but, how can I place a firewall on NAS? I use Mac OS and Windows to access to NAS. Can I do it from router settings? because I looked on NAS326 app center to download it, but i can´t find it. Thanks!

suisei

It's challenge to do this.
NAS is Linux-based, and you have root privileges. If you're familiar with setting up basic iptables routing rules and can modify things to prevent the NAS from resetting the configuration, it could work. However, adding a device in front of the NAS would be an easier solution.

Javier38

ok, i´ll try it. Can I improve also the security installing a SSL certificate with the SSL option in control panel?

frjonatan

@Javier38

Hi,

Also check if the latest hotfix V5.21(AAZF.18)Hotfix-01 is installed? It is not installed automatically, you need to update the firmware manually.

The link is below

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-nas-products-09-10-2024

Javier38

https://community.zyxel.com/en/discussion/comment/74237#Comment_74237

Hi,

no, i had installed 5.21(AAZF.18) firmware version. I don´t knew this patch.

I´ve already installed.

Thank you!! 

Mijzelf

have to pay 300 btc

300 btc? That is at the moment around €30.000.000. They value your data very high. In other words, I think you were infected by a very old piece of malware.

As long as you don't know how you got infected, it's hard to block it. (Are you sure the infection is gone, btw? Just putting an old (data) backup back doesn't cure it.)

Unfortunately there is no firewall on the NAS, nor can it be installed. The needed functionality is not in the kernel. Nor does a firewall necessarily help. Theoretically the problem could be one of your client's, which encrypted the files on the NAS.

To block all access from outside to the NAS there is an easy trick. Give the box a static IP address, and leave the gateway empty (or put 0.0.0.0 in it, if empty is no option), and disable IPv6. This way the NAS has no possibility to reach to the internet, nor can it answer on requests from the internet, effectively being isolated.