2nd ranconware infection in 1 year

Hi,
I just suffered a second attack on my NAS542 in 1 year.
The first, infected with ranconware (.0xxx).
I had no choice but to format 2 hard drives out of the 4 hard drives present.
Fortunately nothing important, only archives.
But at the beginning of the week, new attack.
3 of my 4 hard drives were infected with .checkmate ranconware.
I turned to the technical support of Zyxel France.
And as an answer: product out of warranty so we will not help you.
And in addition, I am told that I am responsible for the security of my network and that I am responsible (indirectly) for the defects of this one.
I only opened port 21, to allow access to my files from the outside for the nas542 and another NAS synology.
Nothing more then.
Compared to the times and dates of infection, I compared with the logs of the nas, and nothing indicates a compromise of the user accounts.
I do not understand how your technical service in France clears itself of any problem.
I checked the 6 workstations (mac and windows) to determine if there were other infected hard drives and the other NAS.
no trace, only the infected NAS542.
So, I conclude that there is indeed a security breach present and I do not accept being told that I am entirely responsible for it.
Do you have a permanent solution to offer me or should I conclude that the NAS542 is obsolete and does not allow it to be shared safely?
The firmware is of course up to date, checked every month following the first attack.
Cordially

All Replies

  • okimarukas
    okimarukas Posts: 91  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    Ransomware typically enters a network through social engineering attacks such as phishing emails or by exploiting in software or operating systems.

    Some types of ransomware will also attempt to spread laterally across the network to other machines and devices to infect as many systems as possible.
    When the issue happens, it's important to clean all of the hard drives.

    Hard reset is required and reinstall the OS system as well.
    The best way to protect from ransomeware is to be cautious when opening emails or clicking on links from unknown sources.

  • okimarukas
    okimarukas Posts: 91  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    You have to wiped HDDs, factory reset, readded disks.

  • Hi,
    The only concern is that only Zyxel's NAS is affected and infected. Not the other NAS or the other 6 workstations.
    The only concern is that there is a fault on this one, for lack of response from the technical service which, on the pretext that now the equipment is no longer guaranteed, they have nothing to do with it.

  • Alas yes, had no other choice.
    I still backed up the corrupted data on an external HD, in case of a solution in the coming months, if that happens.
    I also plan to quickly resell this NAS which is no longer secure enough.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,271  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments
    edited April 2023

    Hi @brolysan13

    It is generally recommended to reinstall the operating system on any device that has been infected with ransomware. This is because ransomware can be difficult to fully remove, and there may be hidden or residual malware that remains even after the ransomware is removed.

    Reinstalling the operating and network system can help ensure that all traces of the ransomware and any other malware have been removed from the device. However, it is important to make sure that you have a backup of any important data before reinstalling the operating system, as the process will erase all data on the device.


    For the NAS, once the device gets polluted, please wiped HDDs, factory reset, and readded disks.
    You can refer to the article below to enhance your NAS security.

    Engage in the Community, become an MVP, and win exclusive prizes!

  • brolysan13
    brolysan13 Posts: 5
    First Comment Friend Collector First Anniversary
    edited April 2023

    Good morning,

    After discussion for several days with the pirates, I found a satisfactory solution to have the decryption of the data.
    I even got the explanation of how they performed the encryption.
    And I confirm, the NAS452 DOES have a security CONCERN.
    This NAS will be quickly replaced by a synology much more secure (and benefiting from the function which prevents hackers from accessing it).
    Well the last time I use this Zyxel NAS.

  • Good morning,

    that's exactly what I did during the first rancomware attack.
    I didn't think it was going to happen a second time, surely only NAS452 was hacked and attacked. Not that of another brand nor the 6 fixed stations either.

    I think the NAS is no longer secure enough to be left with an open port for an outside connection.

  • Mijzelf
    Mijzelf Posts: 2,753  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    And I confirm, the NAS452 DOES have a security CONCERN.

    Can you elaborate on that?

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,271  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments

    Hi @brolysan13

    CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed cybersecurity vulnerabilities and exposures.
    Could you provide any specific CVE number associated with the security concern?
    Knowing the CVE number will help us understand the nature of the vulnerability and provide better assistance

    Engage in the Community, become an MVP, and win exclusive prizes!

Consumer Product Help Center