ech0raix


All Replies

  • TomasMalina
    TomasMalina Posts: 35  Freshman Member
    edited June 22

    I've joined the club, NAS542, June 10-12, ransom is also 0.019 BTC. Given the same issues were discussed a few years ago among QNAP and Synology users, the case doesn't look very promising - allegedly, unless we're lucky to be encrypted by an old version (prior to June 2019), they haven't found any mistakes in the encryption. The only option seems to be to recover from backups. If your ransom note has a ".txtt" extension, that is the newer version. If you want to try your luck with the old decryptor (don't delete the original encrypted files if you plan to wait for a potential decryptor in the future), search for a post by the user BloodDolly (link).

  • p0mian
    p0mian Posts: 3

    they/he banned me on "support chat" at ransom TOR website for talking about his mother :(

  • TomasMalina
    TomasMalina Posts: 35  Freshman Member

    Just to check, what firmware version was everyone on when it happened? My NAS542 was ABAG.13 when it got attacked.

  • p0mian
    p0mian Posts: 3

    same

  • lucirau
    lucirau Posts: 7  Freshman Member

    It seems that more of us in Romania are affected by this ransomware. 😫 Someone loves us. 🤣 If you find any solution, please PM. 🙏

    Thanks.

  • lucirau
    lucirau Posts: 7  Freshman Member

    Unfortunately I don't know because I gave the NAS to a friend.

  • Macace
    Macace Posts: 9  Freshman Member
    edited June 30

    I have eight NAS540 and NAS542 devices with different friends.

    One NAS542 ABAG.13 was also attacked on the same day.

    There were three new users: two have no access to the shares, one has full access. Everything is encrypted.

    On a second NAS542 there were also three users with the same configuration. I think we could shut it down fast enough. All files are OK.

    Question to Zyxel:

    Did the new ABAG.14 or ABAG.15 close the backdoor that the hackers use?

    What about the NAS540? The last FW is ABAG.13!

    Is it possible to disable the admin user or to rename it?

    Is the big file that the internal backup program creates safe against the hack?

    Is it enough to delete the fake users, disable FTP, disable MyZyxel, disable WebDav and close all ports in the router to make the NAS safe?

    At many online shops the NAS542 can still be bought new. There is no hint anywhere that it is EOL!

  • Simon01
    Simon01 Posts: 3

    My Zyxel NAS542 was also encrypted on 10-6-2024.

    I have stored 150.000 pictures, 25 years of family photos, all encrypted.

    I have a backup of my data, but how can I restore the data without destroying anything?

    Before restoring data from the backup, all ports in my router are closed, and in the future I only want to use my NAS542 as an internal network NAS.

    I'm running the latest NAS542 software revision.

    Question to Zyxel:

    Is it possible to delete all data on my hard disks, and then restore all pictures from my SSD backup, without risk for my other network units? (PC win 10, ++)

    Where was the crypto program saved / running?

    Is the crypto program in sleep mode, and can it wake up later?

    If the crypto program was stored in NAS542 flash memory or on the HD as a hidden file, I am worried it is a never-ending story. (Sleeping mode)

    If it is stored and running in a memory area where there is cleanup after running, I guess it is possible to give my NAS542 a new life, and I do not need to scrap it.

    In Denmark, at many online shops the NAS542 can still be bought new!

    Please give a guide for dummies. Best regards, grandfather

  • suisei
    suisei Posts: 110  Ally Member
    edited July 2

    I think the NAS with the latest firmware and please always back up your data and place a router or firewall in front of your NAS, IoT devices, and laptops instead of directly exposing them to the Internet with a public IP address.

  • Macace
    Macace Posts: 9  Freshman Member

    @Simon01:
    Do you also have the three or more fake users?

    @all
    I have updated the infected NAS to the newest firmware without HDDs. After that I did a factory reset. Then I inserted another HDD in the NAS as a test. At the moment it works.

    The owner of my infected NAS planned to pay the 0.019 BTC because her backup was partly defective.
