cryptovirus on zyxel 326s - Military grade encryption algorithm
nikolae
Posts: 13 Freshman Member
Zyxel 362s with latest firmware installed.
All files have been encrypted with this crypto virus Military grade encryption algorithm
Nas was affected at 2 of March, one share is mapped via samba on computer which was not turned on until today - 5 March. Computer has ftp, ssh, transmission, webdav and 3rd party repository installed.
How to understand how it was infected, where is the backdoor?
///////////
The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to letsgetyourfileback@protonmail.com .send this id as content of email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
WARNING:
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send "PAID" button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.
\\\\\\\\\\\\
#NAS_Mar_2020
All files have been encrypted with this crypto virus Military grade encryption algorithm
Nas was affected at 2 of March, one share is mapped via samba on computer which was not turned on until today - 5 March. Computer has ftp, ssh, transmission, webdav and 3rd party repository installed.
How to understand how it was infected, where is the backdoor?
///////////
The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to letsgetyourfileback@protonmail.com .send this id as content of email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
WARNING:
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send "PAID" button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.
\\\\\\\\\\\\
#NAS_Mar_2020
0
Comments
-
Yes I know it is old version of nas, latest installed isV5.21(AAZF.7)
I have no attention to pay I have backup of information and restore it, everything is fine
just I am curious how it is happened...0 -
How sure are you the Nas was affected at 2 of March? When remote code injection is possible, it's almost trivial to install something which survives a reboot and a firmware upgrade. And the malware has to hide itself for some time. Don't know how fast a 326 exactly is, but I would be surprised if it could encrypt far more than 1MB/sec. Which means that encrypting 1TB would cost 10 days, or something like that.Do you still have shell access? The most straight forward way is to get something surviving a reboot is to put it in /i-data/.system/zy-pkgs/ and write an entry in /i-data/.system/zy-pkgs/USRPKG_DEPS_START. So a timestamp of that file could be explanatory.ls -l /i-data/.system/zy-pkgs/USR*If you didn't reboot the box yet, you can also look for strange entries in /tmp.The output of 'ls -la /tmp/' on my 520 isdrwxrwxrwx 8 root root 0 Mar 3 13:46 .
drwxr-xr-x 19 root root 0 Mar 3 13:29 ..
drwxr-xr-x 5 root root 0 Mar 3 13:29 .MetaRepository
drwxr-xr-x 7 root root 0 Mar 3 13:30 .Tweaks
-rw-r--r-- 1 root root 0 Mar 3 13:29 LEDBlinkEnable
-rw-r--r-- 1 root root 0 Mar 3 13:29 ediskmap.map
drwxr-xr-x 2 root root 0 Mar 3 13:29 fwupgrade
-rw-r--r-- 1 root root 23 Mar 3 13:29 intern_disk.map
-rw-r--r-- 1 root root 281 Mar 3 13:46 ipcs_info
srwxr-xr-x 1 root root 0 Mar 3 13:30 job_queue_socket
-rw------- 1 root root 0 Mar 3 13:29 libzydb.lock
srwxrwxrwx 1 root root 0 Mar 3 13:29 main_wsgi.sock
-rw-rw-rw- 1 root root 16 Mar 3 13:29 md_vg.map
srwxrwxrwx 1 mysql 27 0 Mar 3 13:29 mysql.sock
-rw-r--r-- 1 root root 363 Mar 3 13:29 nsu_progress
-rw-r--r-- 1 root root 10269 Mar 3 13:29 pylog
-rw-r--r-- 1 root root 0 Mar 3 13:29 rbm_running
-rw-r--r-- 1 root root 117 Mar 3 13:29 startup-config.conf
-rwxrwxrwx 1 root root 1350 Mar 3 13:31 sto_log
drwxrwxrwt 4 root root 120 Mar 3 13:30 tmpfs
-rw-r--r-- 1 root root 1922 Mar 3 13:29 top.log
-rwxrwxrwx 1 root root 144 Mar 3 13:29 ugs.log
drwxr-xr-x 2 nobody nobody 0 Mar 3 13:29 urbackup_tmp
drwxr-xr-x 4 root root 0 May 26 2017 users
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo1
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo2
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo3
prwxrwxrwx 1 root root 0 Mar 3 13:29 zylog_fifo4
-rw-r--r-- 1 root root 4 Mar 3 13:30 zypkglist_download.progress
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight