cryptovirus on zyxel 326s - Military grade encryption algorithm
nikolae
Posts: 13 Freshman Member
Zyxel 326s with the latest firmware installed.
All files have been encrypted by this crypto virus ("Military grade encryption algorithm").
The NAS was affected on 2 March; one share is mapped via Samba on a computer which was not turned on until today, 5 March. The computer has ftp, ssh, Transmission, WebDAV and a 3rd-party repository installed.
How can I understand how it was infected, and where is the backdoor?
///////////
The harddisks of your computer have been encrypted with a Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to letsgetyourfileback@protonmail.com. Send this id as the content of the email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
WARNING:
Do NOT attempt to decrypt your files with any software as it is obsolete and will not work, and may cost you more to unlock your files.
Do NOT change file names, mess with the files, or run decryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send "PAID" button without paying, price WILL go up for disobedience.
Do NOT think that we won't delete your files altogether and throw away the key if you refuse to pay. WE WILL.
\\\\\\\\\\\\
#NAS_Mar_2020
Comments
Yes, I know it is an old version of NAS; the latest installed is V5.21(AAZF.7).
I have no intention to pay. I have a backup of the information and will restore it, everything is fine.
I am just curious how it happened...
How sure are you the NAS was affected on 2 March? When remote code injection is possible, it's almost trivial to install something which survives a reboot and a firmware upgrade. And the malware has to hide itself for some time. I don't know how fast a 326 exactly is, but I would be surprised if it could encrypt far more than 1MB/sec. Which means that encrypting 1TB would cost 10 days, or something like that.

Do you still have shell access? The most straightforward way to get something surviving a reboot is to put it in /i-data/.system/zy-pkgs/ and write an entry in /i-data/.system/zy-pkgs/USRPKG_DEPS_START. So the timestamp of that file could be explanatory:

ls -l /i-data/.system/zy-pkgs/USR*

If you didn't reboot the box yet, you can also look for strange entries in /tmp. The output of 'ls -la /tmp/' on my 520 is:

drwxrwxrwx 8 root root 0 Mar 3 13:46 .
drwxr-xr-x 19 root root 0 Mar 3 13:29 ..
drwxr-xr-x 5 root root 0 Mar 3 13:29 .MetaRepository
drwxr-xr-x 7 root root 0 Mar 3 13:30 .Tweaks
-rw-r--r-- 1 root root 0 Mar 3 13:29 LEDBlinkEnable
-rw-r--r-- 1 root root 0 Mar 3 13:29 ediskmap.map
drwxr-xr-x 2 root root 0 Mar 3 13:29 fwupgrade
-rw-r--r-- 1 root root 23 Mar 3 13:29 intern_disk.map
-rw-r--r-- 1 root root 281 Mar 3 13:46 ipcs_info
srwxr-xr-x 1 root root 0 Mar 3 13:30 job_queue_socket
-rw------- 1 root root 0 Mar 3 13:29 libzydb.lock
srwxrwxrwx 1 root root 0 Mar 3 13:29 main_wsgi.sock
-rw-rw-rw- 1 root root 16 Mar 3 13:29 md_vg.map
srwxrwxrwx 1 mysql 27 0 Mar 3 13:29 mysql.sock
-rw-r--r-- 1 root root 363 Mar 3 13:29 nsu_progress
-rw-r--r-- 1 root root 10269 Mar 3 13:29 pylog
-rw-r--r-- 1 root root 0 Mar 3 13:29 rbm_running
-rw-r--r-- 1 root root 117 Mar 3 13:29 startup-config.conf
-rwxrwxrwx 1 root root 1350 Mar 3 13:31 sto_log
drwxrwxrwt 4 root root 120 Mar 3 13:30 tmpfs
-rw-r--r-- 1 root root 1922 Mar 3 13:29 top.log
-rwxrwxrwx 1 root root 144 Mar 3 13:29 ugs.log
drwxr-xr-x 2 nobody nobody 0 Mar 3 13:29 urbackup_tmp
drwxr-xr-x 4 root root 0 May 26 2017 users
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo1
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo2
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo3
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo4
-rw-r--r-- 1 root root 4 Mar 3 13:30 zypkglist_download.progress
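An added triage helper, not from the thread and not Zyxel's own tooling: it lists the entries under the two locations the reply names, /i-data/.system/zy-pkgs and /tmp, whose modification time is newer than a trusted reference file, so a USRPKG_DEPS_START or /tmp entry dated after the last firmware upgrade stands out from the rest. The fixture tree, the package name pkgA, the .hidden_worker file and the choice of /tmp/fwupgrade as the reference are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added triage helper; not from the thread. Reports entries in the persistence
# locations the reply names whose mtime is newer than a trusted reference file.
# ROOT is a prefix so it can run against a copied tree; on the box itself use /.

# newer_than ROOT REF_FILE: print "<mtime> <path>" for each entry directly under
# ROOT/i-data/.system/zy-pkgs and ROOT/tmp that is newer than REF_FILE.
newer_than() {
    root=$1
    ref=$2
    for dir in "$root/i-data/.system/zy-pkgs" "$root/tmp"; do
        [ -d "$dir" ] || continue
        # -newer compares each entry's mtime with the reference file's mtime;
        # dotfiles such as /tmp/.Tweaks are included (find does not skip them).
        find "$dir" -mindepth 1 -maxdepth 1 -newer "$ref" | sort |
        while IFS= read -r f; do
            printf '%s %s\n' "$(stat -c '%y' "$f" 2>/dev/null || echo '?')" "$f"
        done
    done
}

# count_newer ROOT REF_FILE: number of flagged entries, for scripting.
count_newer() {
    newer_than "$1" "$2" | wc -l | tr -d ' '
}

# build_fixture DIR: constructed sample tree (assumption, not real NAS content).
# pkgA and ediskmap.map predate the reference; USRPKG_DEPS_START and a hidden
# file in /tmp were modified weeks later, the pattern the reply says to look for.
build_fixture() {
    d=$1
    mkdir -p "$d/i-data/.system/zy-pkgs" "$d/tmp"
    touch -d '2020-02-01 00:00' "$d/i-data/.system/zy-pkgs/pkgA" "$d/tmp/ediskmap.map"
    touch -d '2020-02-10 00:00' "$d/tmp/fwupgrade"           # trusted reference
    touch -d '2020-03-02 03:15' "$d/i-data/.system/zy-pkgs/USRPKG_DEPS_START" \
                                "$d/tmp/.hidden_worker"
}

# Stand-alone demo on the constructed fixture. On a real box you would run
#   newer_than / /tmp/fwupgrade
# choosing a reference file you trust to carry the last firmware-upgrade time.
demo=$(mktemp -d)
build_fixture "$demo"
newer_than "$demo" "$demo/tmp/fwupgrade"
rm -rf "$demo"
```

Entries that are older than the reference are not proof of innocence (timestamps can be forged by anything running as root), but an entry that is newer than the last upgrade is one you have to explain.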