If you have an ASUSTOR NAS exposed to the Internet, you may be at risk from a new variant of the well-known Deadbolt ransomware. NAS devices are designed to let you reach your data from anywhere, but after the latest wave of ransomware attacks the only sensible way to reach one remotely is through a VPN and nothing else: no other ports exposed, not even the port of the NAS management interface. If you own an ASUSTOR NAS, here is what happened and what you should do to protect yourself.
ASUSTOR warns of a ransomware attack
NAS manufacturer ASUSTOR has issued an urgent notice through several channels, including social media. In recent days the Deadbolt ransomware has been compromising these devices and encrypting every file stored on them, leaving the owner unable to recover the data, or at best able to do so only with great difficulty.
As a preventive measure, the manufacturer has completely disabled the following services in order to minimize the number of users that could be infected:
EZ-Connect
EZ-Sync
ezconnect.to
All of these remote-access services for the manufacturer's NAS devices have been disabled until further notice, because ASUSTOR is still investigating the scope of the vulnerability this ransomware exploits to break into the NAS. In its statement, ASUSTOR also recommends the usual basic hardening of the NAS. Its recommendations are:
Change the default ports of the NAS to different ones: ports 8000 and 8001 (the ADM management interface) as well as ports 80 and 443.
Disable EZ Connect until further notice.
Back up all the data on the NAS to external storage, never to the same NAS, because a backup stored there is useless in the event of an infection.
Take a snapshot of the data, although this may not help in case of infection, because the ransomware could also delete the snapshots.
Disable SSH, SFTP and any other services that are reachable from the outside.
If you need to reach the NAS remotely, connect through a VPN and then log in to the different services as if you were on the local network.
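One quick way to verify the hardening above is to audit which of those services are actually listening on every network interface. The following shell function is an added example, not ASUSTOR's tooling and not code from the original article; it assumes `ss -ltn`-style output (State, Recv-Q, Send-Q, Local Address:Port, ...) and, beyond the ports the advisory names (8000, 8001, 80, 443), also flags port 22, the assumption being that SSH and SFTP share it. The sample listing is constructed for the example, not captured from a real NAS.

```shell
#!/bin/sh
# Added example (not ASUSTOR code): flag listeners on the ports the advisory
# tells you to move or close, but only when bound to all interfaces.
# Input format assumed: lines of `ss -ltn` output, local address in column 4.

# Ports named in the advisory (8000/8001 ADM, 80 HTTP, 443 HTTPS) plus 22,
# assumed here to carry both SSH and SFTP.
RISKY_PORTS="22 80 443 8000 8001"

# Constructed sample listing standing in for `ss -ltn` on a NAS (not a real capture).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8001        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      128    192.168.1.10:445    0.0.0.0:*'

# Print "port address", one per line, for every LISTEN socket on a risky port
# bound to the wildcard address (0.0.0.0, [::] or *). Loopback-only and
# single-LAN-address listeners are ignored: they are not reachable from outside.
flag_exposed_ports() {
    printf '%s\n' "$1" | awk -v risky="$RISKY_PORTS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)          # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)     # everything before ":port"
            if ((host == "0.0.0.0" || host == "[::]" || host == "*") && (port in bad))
                print port, host
        }'
}

# Stand-alone run against the constructed sample:
flag_exposed_ports "$SAMPLE_SS"
```

On a real device run `flag_exposed_ports "$(ss -ltn)"` over SSH before you disable SSH itself. A wildcard listener is only reachable from the Internet if the router forwards the port (or UPnP opened it) or a relay such as EZ-Connect exposes it, so pair this check with a review of the router's port-forwarding table; conversely, a service bound only to the LAN address still needs a VPN in front of it, which is the whole point of the advisory.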
The official ASUSTOR website has a complete tutorial on protecting your NAS against ransomware attacks.
What do I do if I am already infected?
If you have been unlucky enough that this ransomware has reached your NAS and all your data is encrypted, ASUSTOR recommends the following steps:
Unplug the Ethernet cable from the NAS so that it has no connection to the local network or the Internet.
Shut the NAS down safely by pressing and holding the power button for 3 seconds.
Do not start the NAS again: doing so lets the encryption continue and you will not be able to recover the data.
Fill out the Google form ASUSTOR links to so that its technicians can contact you.
The manufacturer is currently analysing the attack and preparing a procedure for fully restoring the system and recovering the data, either from a backup or from snapshots kept by the operating system. ASUSTOR will also release an update as soon as possible to patch the vulnerability the ransomware exploits.
Users on Reddit and other forums have been investigating on their own and report that the infection can be stopped by killing the ransomware process; the details are in this thread:
Weak sauce response. The community has already identified steps to shut down the process and prevent any further encryption. Your suggestion of "Make an immediate backup" while having the process run for several more hours will lead to people losing more data than necessary. 1/2
— Mark Schramm 🕹️ #VR #AR (@MarkSchrammVR) February 22, 2022
To do this you have to log in over SSH as root and run a series of commands, and afterwards you must restore access to the web interface, which is left disabled.
Bear in mind that by the time you notice an infection in progress, many of your files will already be encrypted. Prevention is therefore essential, and the most important preventive measure is to keep the NAS off the Internet.