Quick Security-LegendaryDisk Security-DiskStation Security Ransomware

Hello. You can help me identify and know what to do with a Synology NAS that has been hacked and all the information has been compromised.

We have a Synology NAS DS216+II that had several shared folders with access to about 20 computers on the network. There was only one administrative user: admin. Last weekend we realized that we couldn't access the shared folders.When I logged into the NAS as an administrator, I saw that we had been hacked.

They left a note on .txt.

Hello.

This is Quick Security.

What happened?

- Your Network was not secure.

- Your Network-Attached Storage was compromised.

What does this mean? Where are my files?

- All your data has been encrypted and hidden on a special volume.

- All your important documents have been downloaded.

What can I do to recover my data?

- If you want to recover your data, you have to send 0.06 Bitcoin to this wallet address:

xxxxxxxxx

Always double check the address when copy/pasting it !!!!!

- You have until the 3rd of January 2023 to send the payment. 

After this date your files will be almost impossible to recover.

What should I do after I send the payment?

- Your ID is: 187.76.x.x

- Please email us your ID and payment confirmation to:

quick.connect@zohomail.eu

quick.connect@beeble.com

alt.gl-4vpkkx0@yopmail.com

- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.

Can I still use my nas?

- Do not delete any files you find on your nas.

- Do not try to recover your data using any software as it will result in permanent data loss.

- Do not modify any volumes or storage pools on your nas.

- Do not write large amounts of data to your disk.

Why have my files been downloaded?

- We reserve the right to leak or sell all your important documents, if no payment is made.

Where can I buy and send bitcoin?

- You can easily buy and send bitcoin from:

https://www.moonpay.com/buy/btc

https://paxful.com/buy-bitcoin

https://localbitcoins.com/buy_bitcoins

https://www.binance.com/en/buy-Bitcoin

You can think of this as a failed security audit.

We are professionals. This is a one time deal. We will show you proof if you need it.

We will restore your data immediately after the payment.

We will even send you tips on how to strengthen your network security, to prevent any future attacks.

Thank you.

 

 

Sure.

The entire structure of the shared folders of the NAS were compressed into large files (about 550Gb in total). I can open the 7z and zip files and can view all the zipped files. All files have a password to unzip the files. I have attached the only two small files that I found on the NAS. I have also attached the original note.

Is there a way to get the password on the NAS?

Thanks 

I think the ransomware attack is very similar to this one. The message they left is very similar.

https://www.bleepingcomputer.com/forums/t/769484/7even-security-nas-ransomware-please-read-me-txt-support-topic/

https://www.pcrisk.com/removal-guides/21824-umbrella-security-ransomware <-- Umbrella Security, similar txt but different type of ransomware.

Yes the note does look similar to 7even Security (NAS) and Umbrella Security Ransomware.

Hello.

This is Umbrella Security.

What happened?

- Your Network was not secure.

- Your Network-Attached Storage was compromised.

What does this mean? Where are my files?

- All your data has been encrypted and hidden on a special volume.

- All your important documents have been downloaded.

What can I do to recover my data?

- If you want to recover your data, you have to send 0.011  Bitcoin to this wallet address:

1LwTujzoFf9WcVSYUNBzXgruYZxrRT3nz

- You have until the 10th of September 2021 to send the Bitcoin.

After this date your files will be almost impossible to recover.

What should I do after I send the payment?

- Your ID is: 235.110.146.255

- Please email us your ID and payment confirmation to:

umbrella_cor@zohomail.eu

- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.

Can I still use my nas?

- Do not delete any files you find on your nas.

- Do not try to recover your data using any software as it will result in permanent data loss.

- Do not modify any volumes or storage pools on your nas.

- Do not write large amounts of data to your disk.

Why have my files been downloaded?

- We reserve the right to leak or sell all your important documents, if no payment is made.

Where can I buy and send bitcoin?

- You can easily buy and send bitcoin from:

hxxps://paxful.com/buy-bitcoin

hxxps://localbitcoins.com/buy_bitcoins

You can think of this as a failed security audit.

We will even send you tips on how to strengthen your network security.

Thank you.

 

It would be interesting to know what Synology vulnerability they are exploiting.

I encountered a similar attack today. I was able to investigate everything and figure out how they got into the Synology NAS.

• This is a small office with only 3 people working there. Each person has a Windows 10 OS installed on their own computer. I checked all of them and no program was installed prior to the attack. I also checked with anti-malware software and found no signs of infection.
• There is a Mikrotik router with the latest OS, no NAT is set up on the firewall. The default user is disabled, services are turned off, and only Winbox can access it from the LAN side with a strong password. There are no interesting events in the logs.
• Synology DS: version 6, a bit behind unfortunately. Besides the basic packages, only Hyper Backup and SMB were installed because that's all they used. They deleted all logs after the attack, probably automatically because it was too fast. They deleted the backups (even the directories), compressed all the data into one file, and encrypted it with a password. The attacker did not encrypt the file names, so everything is visible. Then they deleted the data along with the folder. The operations were done under a specific administrator user. Since the account brute-force protection was enabled, they surely knew the password.

Quickconnect service was enabled on the NAS, so it was accessible from the open internet bypassing the firewall. They probably logged in through the NAS web interface, so it's almost certain that they stole the login credentials from the administrator. It's a serious risk because the administrator may have installed Synology NAS for others, and their data could be in danger too.

Lesson learned:

• Disable quickconnect service. Use only when necessary,
• Do not open ports on the router to the internet (do not NAT),
• Always use 2FA,
• One backup is not enough,
• Never store passwords unencrypted,
• Implement password rules.

Regards,

DurmiX

I encountered a similar attack today. I was able to investigate everything and figure out how they got into the Synology NAS.

• This is a small office with only 3 people working there. Each person has a Windows 10 OS installed on their own computer. I checked all of them and no program was installed prior to the attack. I also checked with anti-malware software and found no signs of infection.
• There is a Mikrotik router with the latest OS, no NAT is set up on the firewall. The default user is disabled, services are turned off, and only Winbox can access it from the LAN side with a strong password. There are no interesting events in the logs.
• Synology DS: version 6, a bit behind unfortunately. Besides the basic packages, only Hyper Backup and SMB were installed because that's all they used. They deleted all logs after the attack, probably automatically because it was too fast. They deleted the backups (even the directories), compressed all the data into one file, and encrypted it with a password. The attacker did not encrypt the file names, so everything is visible. Then they deleted the data along with the folder. The operations were done under a specific administrator user. Since the account brute-force protection was enabled, they surely knew the password.

Quickconnect service was enabled on the NAS, so it was accessible from the open internet bypassing the firewall. They probably logged in through the NAS web interface, so it's almost certain that they stole the login credentials from the administrator. It's a serious risk because the administrator may have installed Synology NAS for others, and their data could be in danger too.

Lesson learned:

• Disable quickconnect service. Use only when necessary,
• Do not open ports on the router to the internet (do not NAT),
• Always use 2FA,
• One backup is not enough,
• Never store passwords unencrypted,
• Implement password rules.

Regards,

DurmiX

Hello iam really up set of what iam reading because the exact thing happend to me last week
Did you finally found a solution?
 

hello we get attacked by a ransomware can we get help ?
i give one ss for the virus file and the txt file from hacker 
anyone know the decrypter 
 
virus file <removed>
 
our anti virus edr detected this one Ransom.Win32.Save.a
 
thank you
 
 SHA1: 6de463f29412dd4300e543b461f87b1d9602588c [/size]https://id-ransomware.malwarehunterteam.com/ after scanned the file and txt file

Edited by quietman7, 10 December 2023 - 02:16 PM.

Are there any obvious file extensions appended to the end of your encrypted data files? If so, what is the extension? 
 
Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension? 
 
Your !!Read Me!!.txt looks similar to a ransom note from 7even Security (NAS) Ransomware as noted here by Amigo-A (Andrew Ivanov)

Hello.
This is DiskStation Security.
What happened?
- Your network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean? Where are my files?
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
What can I do to recover my data?
- If you want to recover your data, you have to send 0.03 Bitcoin to this wallet address:
bc1qyh0evjp07kzqahf2xmgzs5zgvxevjhjqm9vcv8
Always double check the address when copying/pasting it!!!!!
- You have until the 15th of December 2023 to send the payment.
After this date your files will be almost impossible to recover.
What should I do after I send the payment?
- Your ID is: viperxxx
- Please email us your ID and payment confirmation to:
diskbleeper@proton.me
diskbleeper@mailfence.com
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
Can I still use my nas?
- Do not delete any files you find on your NAS.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your NAS.
- Do not write large amounts of data to your disk.
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if no payment is made.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
https://www.moonpay.com/buy/btc
https://paxful.com/buy-bitcoin
https://localbitcoins.com/buy_bitcoins
https://www.binance.com/en/buy-Bitcoin
You can think of this as a failed security audit.
We are professionals. This is a one time deal. 
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
Thank you.

BTW the llnk to the virus file indicates: The transfer you requested has been deleted.

That link as been removed as we do not allow the posting of any links to  possible malware (malicious files), including links which may lead to sites where infections have been contracted and spread. If it is malicious, we don't want other members accidentally clicking on such links and infecting their machines. All such links will be removed to protect other members reading our forum topics.

Are there any obvious file extensions appended to the end of your encrypted data files? If so, what is the extension? 
 
Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension? 
 
Your !!Read Me!!.txt looks similar to a ransom note from 7even Security (NAS) Ransomware as noted here by Amigo-A (Andrew Ivanov)

Hello.
This is DiskStation Security.
What happened?
- Your network was not secure.
- Your Network-Attached Storage was compromised.
What does this mean? Where are my files?
- All your data has been encrypted and hidden on a special volume.
- All your important documents have been downloaded.
What can I do to recover my data?
- If you want to recover your data, you have to send 0.03 Bitcoin to this wallet address:
bc1qyh0evjp07kzqahf2xmgzs5zgvxevjhjqm9vcv8
Always double check the address when copying/pasting it!!!!!
- You have until the 15th of December 2023 to send the payment.
After this date your files will be almost impossible to recover.
What should I do after I send the payment?
- Your ID is: viperxxx
- Please email us your ID and payment confirmation to:
diskbleeper@proton.me
diskbleeper@mailfence.com
- After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
Can I still use my nas?
- Do not delete any files you find on your NAS.
- Do not try to recover your data using any software as it will result in permanent data loss.
- Do not modify any volumes or storage pools on your NAS.
- Do not write large amounts of data to your disk.
Why have my files been downloaded?
- We reserve the right to leak or sell all your important documents, if no payment is made.
Where can I buy and send bitcoin?
- You can easily buy and send bitcoin from:
https://www.moonpay.com/buy/btc
https://paxful.com/buy-bitcoin
https://localbitcoins.com/buy_bitcoins
https://www.binance.com/en/buy-Bitcoin
You can think of this as a failed security audit.
We are professionals. This is a one time deal. 
We will restore your data immediately after the payment.
We will even send you tips on how to strengthen your network security, to prevent any future attacks.
Thank you.

 

random caracter extension .j , .AB, .12345 ...ect
 
 

BTW the llnk to the virus file indicates: The transfer you requested has been deleted.
 
That link as been removed as we do not allow the posting of any links to  possible malware (malicious files), including links which may lead to sites where infections have been contracted and spread. If it is malicious, we don't want other members accidentally clicking on such links and infecting their machines. All such links will be removed to protect other members reading our forum topics.
 
Samples of any suspicious executable's (installer, malicious files) that you suspect were involved in causing the infection can be submitted (uploaded) to VirusTotal and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data.

virus total cant find anything in the file crypted https://www.virustotal.com/gui/file/6910780a2c9482d291a5c07284f59f5ec58e1b937b42e32ee9bdaa0d92f0404d

Please attach several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so Amigo-A (Andrew Ivanov), rivitna (Andrey Zhdanov) or Demonslay335 (Michael Gillespie) can manually inspect them and possibly identify/confirm the infection if they see this topic.

Hello Everyone, i´m dealing with this ransomware too, have anyone found a solution to unzip the files?