Virus only in Public Folder

My Cloud Ex2 Ultra. Firmware 5.10.122. Cloud Access enabled (OS5)
Apps installed: Transmission (v.1.13) and Plex (v.1.22.0.4163)

Strange files appeared only in the Public folder of the NAS… if I delete them they reappear (see attachments).
The date and time of creation are a date and time when my PC was turned off.
My antivirus software (ESET NOD32, no problems on my PCs after a scan) tells me there are viruses.
What can I do?
Thanks for the support
Luigi

Hi Luigi, if those files are not from you and they reappear after deleting, I also would be really suspicious. I would recommend that you upload these files to an online virus scanner like virustotal.com to be 100% sure.

Two days ago I also found out that my EX2 Ultra got hacked by a ransomware called MARS Decryption. Thank you WD for that amazing product! There is unfortunately no way to delete the public folder. This function is disabled by WD. If those are some viruses or trojans, I definitely recommend that you back up all your files from your NAS on an external hard drive, run a full virus scan on that drive and delete your NAS. This is the safest way to get rid of it.

Here I made a screenshot of my ransomware in the public folder. All my files, which were luckily only a handful of movies, got encrypted, and in every folder there was a text message added. There it was written that I have to get in touch with them via email, that they will prove to me that they can decrypt everything, and that they will provide me with a remover tool after I pay 500$ in Bitcoin.

Of course I laughed and ignored the message. But still it proves how ■■■■■■ the WD NAS products actually are. They even recommend doing TimeMachine backups with guest access. I don’t want to imagine if that thing had encrypted my Mac backups.

Sorry but if they don’t change anything soon to make the whole NAS more user friendly and safe, I definitely will switch to Synology!

It can be that your NAS is hacked OR any PC or network device, which then scans for writeable network drives and puts these files on them.

So the problem can be everywhere…

Well, at least in my case I can definitely tell that it is not from any of my Macs. In the opener’s case, sure, but then it might also be in every other folder, since usually they are connected and the credentials are saved.

I wrote in this forum because I suspect that the virus didn’t come from the inside.

I have one PC connected in LAN. The NAS has more folders with public access, and some folders with restricted access protected by password. Only the “Public Folder” has these files inside.
Very strange, and these files appeared after I exposed my NAS to the public internet (Plex needs open ports).
It can be a security bug.

This ransomware hacked only your public folder? Did you have other folders with public access (same as me)?

No, the only public access was for the public folder. Contrary to what WD recommends, my TimeMachine backup folder is also restricted with a password, which I am now very happy that I did.

It definitely came from outside my network. I guess someone just scanned the internet for unrestricted access to NAS Systems. I’m curious if there are other people affected. Anyway, all files are deleted, the public folder is now without public access, and files which are placed there don’t get encrypted. So I guess it was a one-time attack.

Do you have port forwarding from the router to the NAS?

No port forwarding, and the NetBIOS filter is also on. I am using an AVM Fritz Box.

Good to hear! :+1:

But then this is not an option: “… scanned the internet for unrestricted access to NAS Systems”

It would be very interesting to know what happened. Maybe get in contact with the German c’t magazine, if they are interested in reporting on such things.