Therefore, here is a simple to-do list!
Prerequisites: you need an actual backup of your data!
!!! IF YOU DO NOT HAVE AN ACTUAL AND CLEAN BACKUP, DO NOT FOLLOW THESE STEPS !!!
Addendum: if the encrypted data is not important to you, you can follow this advice to clean up the NAS. No data will be recovered by following these steps!
There may be other procedures, and if any malware resides in the DOM, these steps may not be effective for cleaning up; that depends on "how smart" the malware was made!
If you don't have a backup, I recommend buying new disks and setting up the NAS with the new disks. Store the infected disks in a safe place and wait to see if any anti-malware process becomes available later (maybe much later)!
Let's start over:
0. Make sure the NAS is not accessible from the internet if you do not want to do this on a regular schedule!!!
1. If access to the NAS is possible, write down your system settings/app settings.
2. Shut down the NAS.
3. Remove all media (disks and, if installed, NVMe devices).
4. Wipe all media on a PC. Usually it is sufficient to remove all partitions! If the PC does not have a SATA connector, use a USB adapter instead.
5. Power on the NAS.
6. Use the Qfinder tool to install the latest firmware on the NAS (yes, it's possible without any media).
7. Insert the media; for NVMe devices you need to power off!
8. Set up the NAS again following the wizard. Do not restore any settings if you made them in #1! If you backed up the settings before the NAS was hacked, you can use them, but I recommend not doing so.
9. Check whether any unusual files or services exist. Check autorun.sh for any strange entries. If you did not write anything in autorun.sh, the file should be empty.
If you find your NAS is clean, proceed.
10. Create your shared folders, install and configure apps.
11. Restore your data from backup.
12. Maybe the most important: think about how you can secure the NAS/LAN to avoid an infection in the future. A VPN is good advice!
All steps at your own risk!
If someone has another idea how to clean up, go ahead...

Why do I not try a cleanup without wiping all media?
No one can be safe if the malware installed some more traps that we do not know about.
This can be a backdoor to ease subsequent access, or a small piece of code that uses the NAS as a "jump host" to take over access to clients.
So if your NAS was infected, check your clients too!
Recommendations: do not expose the NAS to the internet without a secure connection (VPN is the outstanding solution)!!! "Expose" means that the NAS or its services can be reached FROM the internet, not that the NAS is able to connect to the internet for downloading firmware/apps.
Anyhow: I recommend downloading newer versions of firmware and apps to your client PC first and then performing a manually triggered update. This can be done using the GUI: for the firmware in Control Panel, for apps in AppCenter.
Note: for the most recent updates (not only QTS 5), a lot of users report that it is best to reboot the NAS twice right after the update, to ensure all services are running without issues!
If after step 9 you find your NAS is not clean, i.e. you find some strange/cryptic code in autorun.sh, a so-called DOM recovery may be mandatory.
But if not done properly, this can brick your NAS!!!
So if you are convinced after step 9 that your NAS is still affected, please request help in the forum or from a local IT professional (costs money).
Do not continue on your own if you are not familiar with what you are doing!!
Regards and good luck
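
A small triage helper for the autorun.sh check in step 9, added here as an example and not part of the original post. It assumes you already have autorun.sh available as a readable file (how to reach it on the NAS is not covered above), and the "cryptic code" patterns are illustrative assumptions, not a complete signature set.

```shell
#!/bin/sh
# Added example: classify an autorun.sh copy as empty, custom or suspicious.
# Function names and patterns are hypothetical, chosen for this illustration.

# Lines that would actually run: skip blank lines, comments and the shebang.
# Output format is "LINENO:content".
active_lines() {
    grep -n -v -E '^[[:space:]]*(#.*)?$' "$1" 2>/dev/null || true
}

# Active lines matching a heuristic for strange/cryptic entries:
# download piped into a shell, base64 decoding, eval, long encoded blobs.
suspicious_lines() {
    active_lines "$1" | grep -E \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '(^|[^[:alnum:]_])eval([^[:alnum:]_]|$)' \
        -e '[A-Za-z0-9+/=]{60,}' || true
}

# Echo exactly one verdict: missing | empty | custom | suspicious
autorun_verdict() {
    if [ ! -r "$1" ]; then
        echo missing
    elif [ -z "$(active_lines "$1")" ]; then
        echo empty          # what step 9 expects if you never edited the file
    elif [ -n "$(suspicious_lines "$1")" ]; then
        echo suspicious     # treat the NAS as not clean
    else
        echo custom         # entries exist; review each one by hand
    fi
}

# Stand-alone use: sh check_autorun.sh /path/to/autorun.sh
if [ "$#" -ge 1 ]; then
    echo "verdict: $(autorun_verdict "$1")"
    active_lines "$1"
fi
```

A verdict of "custom" is not a clean bill of health: every listed line that you did not write yourself still needs a manual look.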