ech0raix

All Replies

  • Simon01

    @Macace

    Hello

    I went to my local PC shop and bought two new hard disks.

    1 Before mounting the HDs in my NAS 542, I removed all the old HDs.

    2 Made a factory reset (once again) and updated the firmware to ABAG.15.

    3 Mounted the two brand-new HDs and powered up. (100% clean HDs)

    4 After power up, selected RAID 1 (two HDs).

    5 All looked OK: logged in, changed the password, checked that both HDs were installed correctly.

    6 BUT, after 10 minutes, something strange happened:

    Both HDs were very busy, the LEDs were flashing very fast. (Maybe it is normal?)

    I was a little worried, so I made checks/screen dumps of the log file.

    Log (Partly):

    Approximately 12 minutes after power up:

    Class: backup Severity: info Message: zysync server v2.00 starting, listening on port 873

    Approximately 20 minutes after power up:

    Class: user Severity: notice Message: Add new user zin7hcFg_V07- - - -

    After the above, I checked the NAS542 registered users:

    #1: admin System default user (After factory reset)

    #2: pc-guest Guest (After factory reset)

    #3: zyxel@”My e-mail addr” Cloud user (Automatic Add-on user after power-up?)

    I am a little surprised by user #3; I used this mail address for Zyxel registration 8 years ago? (Not since; I normally open a specific mail address for companies.)

    After a factory reset, I expected all of this setup to be totally cleared?

    After approximately 25 minutes, I powered the NAS542 down, because of a bad feeling that something was wrong!

    I have removed both new HDs and made a new factory reset, so now I am on standby once again.

    What’s happened inside this NAS542?

  • Macace

    Hello

    I have removed the automatically generated Cloud User as follows:

    Go to the MyZyxel Cloud website and disconnect your NAS from the MyZyxel service.

    After this, uninstall the MyZyxel app on the NAS. After this, the Cloud User should be removed automatically after a short time.

    I have one of the 10 NAS that did not delete the Cloud User after this, but it is not the infected one. I don't know why.

    After the new information, I think the Cloud User is not the main problem. With the new FW it should be safe at the moment. But for how long?

  • LDS
    edited July 25

    Today, 25.07.2024, C3RB3R encrypted my ech0raix-encrypted file.

    So, Zyxel, DO SOMETHING!!!

    Find a solution for US.

    Or did you give access to these pirates?

  • Macace

    @LDS

    How is this possible?

    Did you install the newest firmware after the first infection and disable all internet access for the NAS after the update?

    Of the 13 NAS that I have in service, only one was infected. After that I did the update and closed Internet access completely for the other 12. There are currently no more problems.

    There is no way to decrypt the files. Paying the hackers is a 50:50 chance.

    In your case, if I understand correctly, your files are now double encrypted. In my opinion, delete everything and use your backup.

  • gabimes

    @Macace

    On my NAS542 I was encrypted by the eCh0raix ransomware.
    I have a backup on an external hard drive made recently, but when restoring, at the end of the process, we get the WRONG PASSWORD error written in red.

    Is there something that we didn't do right?
