Ransomware attack - Muhstik
-
- Getting the hang of things
- Posts: 71
- Joined: Wed Oct 22, 2014 7:26 pm
Ransomware attack - Muhstik
Here's a first (for me). My QNAP TS-451+ was attacked with ransomware... This has changed file names to *.muhstik and within every data directory is a text file with "instructions" for how to recover the files... I unplugged and am trying to reset the NAS. The web interface is "gone" and I'm currently trying to reset (everything). I have backups (nightly) but it will take a lot of time (bandwidth limited) to restore. Not sure where this came from. The file naming was "seen" over a windows share. So far, no evidence of my client machines being infected. I did have ssh functional as I use it remotely. I also did not change the port numbers (in the guidance). Passwords were strong (IMO). Using a Verizon router with ports mapped for external access... Need to do some changes I guess.
Some questions:
1) I did the 10 second reset. NAS boots back up - but with system still not reset (admin password still works).
2) there is a new directory called new_root with today's date for creation.
3) When I boot using keyboard, mouse and HDMI monitor, it comes up with the ability to use <alt>-F2 to get to command line. Is there any way to "reset" the system from command line? Forgot to mention, no web access (https://ip shows "refused to connect" )
Wondering how to progress - I'd like to wipe completely clean and set up new...
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Ransomware attack - Muhstik
https://www.hackmageddon.com/2019/01/15 ... nt-page-1/
https://www.bleepingcomputer.com/news/s ... n-routers/
https://www.reddit.com/r/qnap/comments/ ... w_malware/
TLDR
You need to reflash your DOM in the NAS.
https://wiki.qnap.com/wiki/Firmware_Recovery
You must copy all the data outside your NAS. Reflash your DOM and then initialize your NAS from scratch. Then copy your data back.
the reason for reflashing dom is because sometimes the malware survives a reinitialization. only way to be sure is to reflash the DOM. this is basically the nuclear option for disinfection
i would also suggest doing other stuff
1. update your router (clear nvram as well while you are at it)
2. update all your pc clients on the same network (windows 10, anti virus, anti malware, everything)
3. run anti virus and anti malware scan on all devices on your network. pc clients, smartphones etc.... since your qnap was compromised, you don't know what else on your network was also compromised right?
4. DO NOT PORT FORWARD YOUR QNAP TO THE INTERNET! Do not use UPNP on router, and qnap. This is usually the PRIMARY cause of how people get infected in the first place
5. only install qpkgs from legitimate sources like appcenter, or possibly qnapclub.eu
6. do not install dodgy apps on your qnap. do not store files that have not been screened first by an anti virus ( i use bitdefender on my desktop pc, so everything gets auto real time scanned so i know they are safe before i store onto the qnap)
7. Always update to the latest QTS STABLE (probably not qts 4.4.1 tbh). Check the forum first for whether the QTS build is stable BEFORE updating. usually if a qts goes a week or month without complaints, usually means it's fine.
8. all things from qts, router, windows 10 (desktop pc), everything needs to be regularly updated.
9. backup regularly. How else are you going to restore from a clean source?
If you don't take any precautions, you are bound to be reinfected again
tboydva wrote: ↑Tue Oct 01, 2019 7:59 am So far, no evidence of my client machines being infected. I did have ssh functional as I use it remotely. I also did not change the port numbers (in the guidance). Passwords were strong (IMO). Using a Verizon router with ports mapped for external access... Need to do some changes I guess.
how do you know? do you have anti virus and anti malware installed? did you run the scans to check?
Last edited by Moogle Stiltzkin on Tue Oct 01, 2019 12:22 pm, edited 3 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
- dolbyman
- Guru
- Posts: 35252
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Ransomware attack - Muhstik
external access is the issue
should only be done via vpn ... exposing your nas is a bad idea
the best passwords or 2FA doesn't help when exploits are used
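An added example for the point the two posts above make, not code from this thread or from QNAP: the original poster had SSH forwarded on its default port and relied on a strong password. The POSIX shell script below audits an OpenSSH sshd_config for the settings that matter once the port is reachable from the internet (password and keyboard-interactive logins, root login, no user allow-list, listening on every interface) and shows a weak file beside a hardened one. Both configs are constructed for the demo; the address 192.168.1.10 and the user nasadmin are placeholders. Keep dolbyman's caveat in mind: this narrows the attack surface of sshd itself and does nothing against an exploit in the NAS's web services, so the port still belongs behind a VPN. Also check on your own QTS whether hand edits to sshd_config survive a reboot; the thread does not cover that.

```shell
#!/bin/sh
# Added example, not code from the thread or from QNAP: audit an OpenSSH
# sshd_config for the settings that matter once port 22 is forwarded from the
# internet, and show the weak configuration next to a hardened one.
# Assumptions: plain "Directive value" syntax (no "Directive=value") and no
# Match blocks (everything after the first Match line is ignored).

# Print the effective value of a directive. sshd uses the first uncommented
# occurrence it reads, so the first match wins; $3 is the built-in default to
# report when the directive is absent.
sshd_get() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Print one finding per line; the return value is the number of findings
# (0 means nothing was flagged).
sshd_audit() {
    file=$1; n=0
    if [ "$(sshd_get "$file" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: online password guessing works; use keys only"
        n=$((n + 1))
    fi
    # keyboard-interactive (PAM) logins are password logins by another name;
    # ChallengeResponseAuthentication is the pre-8.7 spelling of the directive
    cr=$(sshd_get "$file" ChallengeResponseAuthentication yes)
    kbd=$(sshd_get "$file" KbdInteractiveAuthentication "$cr")
    if [ "$kbd" = yes ]; then
        echo "KbdInteractiveAuthentication yes: passwords still accepted via PAM"
        n=$((n + 1))
    fi
    # OpenSSH 7.0+ defaults to prohibit-password; older releases defaulted to yes
    if [ "$(sshd_get "$file" PermitRootLogin prohibit-password)" = yes ]; then
        echo "PermitRootLogin yes: a guessed root password is a full compromise"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_get "$file" AllowUsers "")" ] && [ -z "$(sshd_get "$file" AllowGroups "")" ]; then
        echo "no AllowUsers/AllowGroups: every local account is a login target"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_get "$file" ListenAddress "")" ]; then
        echo "no ListenAddress: sshd listens on every interface, not only the LAN one"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample configurations (placeholders, not from any real NAS).
SSHD_DIR=$(mktemp -d)
trap 'rm -rf "$SSHD_DIR"' EXIT
WEAK_SSHD="$SSHD_DIR/weak.conf"
HARD_SSHD="$SSHD_DIR/hardened.conf"

cat > "$WEAK_SSHD" <<'EOF'
# default port, reachable through a router port forward
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_SSHD" <<'EOF'
Port 22
ListenAddress 192.168.1.10
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers nasadmin
EOF

echo "== weak =="
sshd_audit "$WEAK_SSHD" || echo "($? findings)"
echo "== hardened =="
sshd_audit "$HARD_SSHD" || echo "($? findings)"
```

Run it against the real file with `sshd_audit /path/to/sshd_config`. The first-match rule is why a stray `PasswordAuthentication yes` near the top of the file silently wins over a `no` added at the bottom, which is a common reason a "hardened" sshd still accepts passwords.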
-
- New here
- Posts: 5
- Joined: Tue Oct 01, 2019 12:14 pm
Re: Ransomware attack - Muhstik
I was hit with this also, but immediately shut down once I noticed the files being renamed with the Muhstik extension. I'm afraid to boot back up to view the damage or try to clean the virus. You didn't happen to save the "instructions" did you? Curious as to what it's saying to do in order to recover the files.
Anyone know if there's a way to decrypt the files? I'm assuming the instructions will promise to decrypt for you if you pay them money?
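An added example for the two posts above (files renamed to *.muhstik, a note file dropped into every data directory, and the question of how much damage an interrupted run did); this is not code from the thread or from QNAP. It is a Python script that walks a read-only mount of the affected volume on a clean machine and reports what was encrypted, where the note copies are, which directories were only partly encrypted, and the list of original names to pull from backup. The note filename, directory layout and file contents in the sample are constructed; the real note name is not given in the thread.

```python
"""Triage a share hit by file-renaming ransomware.

Added example, not code from the thread or from QNAP. Run it on a clean machine
against a read-only mount of the affected volume; it never writes to the tree.
The extension and the sample note filename are assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from pathlib import Path

RANSOM_EXT = ".muhstik"   # extension the thread reports appended to every encrypted file


@dataclass
class Triage:
    root: Path
    encrypted: list[Path] = field(default_factory=list)  # relative paths, as found on disk
    untouched: list[Path] = field(default_factory=list)  # relative paths of files still intact
    notes: list[Path] = field(default_factory=list)      # copies of the ransom note
    per_dir: dict[str, tuple[int, int]] = field(default_factory=dict)  # dir -> (encrypted, intact)

    @property
    def restore_list(self) -> list[str]:
        """Original names of the encrypted files: what has to come back from backup."""
        return sorted(str(p.with_name(p.name[: -len(RANSOM_EXT)])) for p in self.encrypted)

    @property
    def partial_dirs(self) -> list[str]:
        """Directories holding both encrypted and intact files: encryption was interrupted there."""
        return [d for d, (enc, plain) in self.per_dir.items() if enc and plain]


def triage(root: Path) -> Triage:
    root = Path(root)
    encrypted: list[Path] = []
    plain: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath).relative_to(root) / name
            (encrypted if name.endswith(RANSOM_EXT) else plain).append(rel)

    affected_dirs = {p.parent for p in encrypted}
    # The note is one identical file dropped into every directory the malware
    # touched, so identical (name, content hash) pairs recurring across affected
    # directories are the note. Housekeeping files that are identical everywhere
    # (Thumbs.db, .DS_Store) can be flagged too, so review the list by eye.
    copies: dict[tuple[str, str], list[Path]] = defaultdict(list)
    for p in plain:
        if p.parent in affected_dirs:
            digest = hashlib.sha256((root / p).read_bytes()).hexdigest()
            copies[(p.name, digest)].append(p)
    threshold = max(2, int(0.8 * len(affected_dirs)))   # needs at least two affected dirs
    notes = sorted(p for paths in copies.values() if len(paths) >= threshold for p in paths)
    note_set = set(notes)
    untouched = sorted(p for p in plain if p not in note_set)

    enc_count = Counter(str(p.parent) for p in encrypted)
    plain_count = Counter(str(p.parent) for p in untouched)
    per_dir = {d: (enc_count[d], plain_count[d]) for d in sorted(set(enc_count) | set(plain_count))}
    return Triage(root, sorted(encrypted), untouched, notes, per_dir)


def report(t: Triage) -> str:
    lines = [f"root: {t.root}",
             f"encrypted: {len(t.encrypted)}  intact: {len(t.untouched)}  note copies: {len(t.notes)}"]
    for d, (enc, plain) in t.per_dir.items():
        tag = "  <- interrupted here" if enc and plain else ""
        lines.append(f"  {d}: {enc} encrypted, {plain} intact{tag}")
    lines.append("restore from backup: " + ", ".join(t.restore_list))
    return "\n".join(lines)


def build_sample_tree() -> Path:
    """Constructed sample share (not real victim data) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    note = b"Your files are encrypted. Read this to recover them.\n"   # placeholder text
    layout = {   # HOW_TO_RECOVER.txt is a hypothetical note name
        "photos/2018": {"a.jpg.muhstik": b"\x00" * 16, "b.jpg.muhstik": b"\x01" * 16, "HOW_TO_RECOVER.txt": note},
        "photos/2019": {"c.jpg.muhstik": b"\x02" * 16, "HOW_TO_RECOVER.txt": note},
        "docs": {"tax.pdf.muhstik": b"\x03" * 16, "letter.docx": b"PK untouched", "HOW_TO_RECOVER.txt": note},
        "music": {"song.mp3": b"ID3 untouched"},   # the malware never reached this directory
    }
    for d, files in layout.items():
        (root / d).mkdir(parents=True)
        for name, data in files.items():
            (root / d / name).write_bytes(data)
    return root


if __name__ == "__main__":
    print(report(triage(build_sample_tree())))
```

For a real volume call `triage(Path("/mnt/nas-readonly"))`. Directories listed as interrupted are where a shutdown mid-run stopped the malware, which is the situation the second post describes; the `.muhstik` files themselves should be treated as lost and replaced from backup, and the note copies are worth keeping rather than deleting, since support or law enforcement may ask for one.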
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Ransomware attack - Muhstik
About .muhstik File Virus
.muhstik File Virus is a deadly computer infection that is recognized as ransomware. It has been created by vicious cyber criminals in order to extort money from victims. It sneaks into the targeted computer by stealth and is capable of encrypting all kinds of important files completely. Once executed, it quickly infects your entire computing machine and makes your files completely inaccessible. Moreover, it will blackmail the users to pay money in exchange for access to your important files. Hence, if you delete .muhstik File Virus virus at the earliest then you will lose all your important data permanently.
Why .muhstik File Virus Is Dangerous
To be more specific, .muhstik File Virus virus is programmed with a very strong cryptographic algorithm. Files encrypted by this particular ransomware virus feature a very strange extension. After encryption, it replaces your system wallpaper with a very strange ransom note. It threatens the victims that all your important files are encrypted and in order to get your files back you need to pay the ransom money. Meanwhile, it also sets a deadline for you to pay the ransom and warns that if the money is not paid soon then you will never be able to access your files. It also causes various critical issues in your system and can make your system completely unusable. However, users must know that even when you pay the money .muhstik File Virus virus will delete all your important data.
How To Deal With .muhstik File Virus Virus
Well, paying money is certainly not a good option for you to deal with .muhstik File Virus as it will motivate the hackers to commit further crimes in your system. Additionally, the decryption key provided by this notorious ransomware virus is unable to decrypt all your data completely. The only possible way to restore your files is to remove this threat completely. Once the threat is removed then you can easily decrypt all your important files by using a powerful data recovery tool. Therefore, users are recommended to get rid of .muhstik File Virus virus as soon as it is detected in your Windows PC.
How To Remove .muhstik File Virus
.muhstik File Virus is certainly the most devastating computer threat which needs to be removed immediately from your PC. To remove .muhstik File Virus and other harmful malware from your PC, you need to go through various removal steps. Beware! It is a nasty malware which may have spread its hidden copies to different locations on your system with different names. Hence, you must clean your system properly and remove all the core files related to .muhstik File Virus. Go through this removal guide that may be helpful for you in your attempt at removing this infection from your computer. The manual removal process needs some technical expertise, otherwise you may end up corrupting your system files.
https://www.pcmalwarerepair.com/how-to-remove-muhstik-file-virus-data-decryption-help
.muhstik Virus is another recently found variant of Scarab Ransomware. It is a crypto malware that thrives on encrypting users' data and extorting ransom money. It is also commonly known as .muhstik file virus or the .muhstik Ransomware.
It is able to infect all types of computer that run on Windows OS. It is very good at targeting its victims and then forcing them to pay the ransom money by encrypting their files. It is known for adding the .muhstik extension to the end of the file names of your infected data. It encrypts all types of computer files like videos, images, music, documents and everything. It silently enters your computer without your permission and hides deep in your system. It executes several malicious programs on your system that slow down your system to give enough time to the .muhstik ransom virus to encrypt your files. After successful encryption, it will leave a ransom note on your computer explaining the entire encryption incident. It will ask you to pay the ransom money to get the decryption key that can unlock your files. It is a dirty game but .muhstik file virus is just a criminal program, fair and square. Its only motive is to hijack your files and force you to pay the ransom money.
Description
.muhstik Ransomware encrypt your files by adding .muhstik extension to file names and demands a ransom to give decryption key
Symptoms
You will not be able to access any files on your system. You will find Ransom note in each folder demanding money.
Distribution
Spam Emails, Email Attachments, bundled freeware, porn or torrent sites
https://topvirusremoval.com/muhstik-file-virus-ransomware-muhstik-file-recovery
This is a problem with virus/malware/rootkits
https://www.infopackets.com/news/10411/explained-if-i-reset-windows-10-will-it-remove-malware
for me, i would run antimalware, and av scans first, try remove what i can. then refresh. then instead of booting OS, i would reflash bios, and also install windows 10 from USB flash drive (yes you can do a refresh from within windows 10, but i'm trying to avoid loading possible bad stuff. and the only safe way i know how is this way), then in the windows setup do the format hdds.
Obviously you should have backups prior to doing any reformat, or win10 reset etc ...
//note: i am not endorsing installing any of the apps at the links in the articles above. sometimes these kinds of sites give you crapware. best rely on the right tools, a few suggestions with links below (that i actually tested myself)
anti malware
https://www.malwarebytes.com/
https://www.zemana.com/
https://www.malwarebytes.com/adwcleaner/
https://www.hitmanpro.com/en-us/hmp.aspx
https://toolslib.net/downloads/viewdownload/111-rkill/
https://www.novirusthanks.org/products/osarmor/
https://www.youtube.com/watch?v=HKx6O9qjX4A
Anti virus *this is a solid AV (refer to https://www.av-test.org/en/ & https://www.av-comparatives.org/ )
You can get 180 free trial with bitdefender total security (instructions here)
https://www.bitdefender.com/solutions/free.html
https://www.nsaneforums.com/topic/35340 ... nt-1508565
this helps check for any dodgy apps that try to hide when you open task manager to check whats running
https://www.nirsoft.net/utils/computer_ ... _view.html
anti root kit
https://www.malwarebytes.com/antirootkit/
https://usa.kaspersky.com/downloads/tdsskiller
https://www.youtube.com/watch?v=82rv6Ymo-WI
troubleshooting
process hacker (a very good alternative is process explorer by sysinternal)
http://processhacker.sourceforge.net/
Farbar recovery
https://www.bleepingcomputer.com/downlo ... scan-tool/
https://support.malwarebytes.com/docs/DOC-1318
sysinternal suite (i recommend only process explorer and process monitor. i never used the other tools in this package. with process explorer you can submit an exe to VirusTotal and it will check if that exe file is a virus or not based on its file signature)
https://docs.microsoft.com/en-us/sysint ... nals-suite
With farbar you basically get some logs which you can then share with your technical support to help you troubleshoot. for free support... there is communities like... wildersecurity or malwaretips
https://www.wilderssecurity.com/forums/ ... s-news.38/
https://malwaretips.com/
Here are some basic guides i found, to make this process easier (maybe there are better ones )
https://www.youtube.com/watch?v=HawNtYduDi4
https://www.youtube.com/watch?v=noErOEHcAj8
These are all detection, removal and troubleshoot for pc client devices.
For the NAS, i already mentioned to reflash the dom, reinitialize, then recover from a backup.
the NAS defense only has malware remover qpkg. i'm unsure if this is capable of realtime scanning, or whether it's merely scheduled runs
https://www.qnap.com/en/app_releasenotes/list.php?app_choose=MalwareRemover
In your case, best not turn on the QNAP and go check with support first for what to do next.
https://service.qnap.com
and consider a backup solution to avoid this issue next time. it's not just virus/malware... other things can happen if you must pay someone, invest into a backup solution worth it.
Last edited by Moogle Stiltzkin on Fri Oct 04, 2019 2:52 pm, edited 2 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- Getting the hang of things
- Posts: 71
- Joined: Wed Oct 22, 2014 7:26 pm
Re: Ransomware attack - Muhstik
Moogle - many thanks for the advice/links for resetting the NAS and reflashing the DOM. Will do this tonight.
Moogle Stiltzkin wrote: i would also suggest doing other stuff
1. update your router (clear nvram as well while you are at it)
2. update all your pc clients on the same network (windows 10, anti virus, anti malware, everything)
I updated the firmware in recent history. When exactly, I do not recall. It's a Verizon FIOS router. Maybe an updated model is warranted.
Moogle Stiltzkin wrote: 3. run anti virus and anti malware scan on all devices on your network. pc clients, smartphones etc.... since your qnap was compromised, you don't know what else on your network was also compromised right?
Ran scan on the only current client (Win10). Will run Offline scan when I get home tonight
Moogle Stiltzkin wrote: 4. DO NOT PORT FORWARD YOUR QNAP TO THE INTERNET! Do not use UPNP on router, and qnap. This is usually the PRIMARY cause of how people get infected in the first place
In process
Moogle Stiltzkin wrote: 5. only install qpkgs from legitimate sources like appcenter, or possibly qnapclub.eu
This will require a re-think for how I use my resource(s) from "outside" for sure... I do use SSH and I RDP to my Win10 machine. Those are the ports I have forwarded. I believe they should be TCP only (how I set them up). I have had multiple QNAP firmware updates since that time and perhaps the qnap (name escapes me) app that tries to autoconfigure has updated the router... I have the firewall set to high. I suppose it might be worth downloading the security logs just in case.
Moogle Stiltzkin wrote: 6. do not install dodgy apps on your qnap. do not store files that have not been screened first by an anti virus ( i use bitdefender on my desktop pc, so everything gets auto real time scanned so i know they are safe before i store onto the qnap)
Hmmm. I believe I do - with the exception perhaps of Serviio. I just updated this over the weekend... I've run the old version(s) for years....
Moogle Stiltzkin wrote: 7. Always update to the latest QTS STABLE (probably not qts 4.4.1 tbh). Check the forum first for whether the QTS build is stable BEFORE updating. usually if a qts goes a week or month without complaints, usually means it's fine.
see above... The serviio qpkg is being wiped (or will be).
Moogle Stiltzkin wrote: 8. all things from qts, router, windows 10 (desktop pc), everything needs to be regularly updated.
I always do suggested update(s) when I'm notified. I think the last was within the past week or two... Good suggestion waiting a bit...
Moogle Stiltzkin wrote: 9. backup regularly. How else are you going to restore from a clean source?
This is "done" - at least I feel so. I will do a Defender Offline scan when I get home. I turned everything off with the idea of searching a bit at work today.
Moogle Stiltzkin wrote: If you don't take any precautions, you are bound to be reinfected again
Done - I use the cloud sync (daily) and have interim(s) stored in fire safe. I don't think I will lose any data.
Moogle Stiltzkin wrote: how do you know? do you have anti virus and anti malware installed? did you run the scans to check?
Indeed! Thanks for the list and taking the time to walk me through. I will be challenged to not use my systems remotely.... Will have to balance risk/reward and perhaps upgrade my FIOS router to something with greater configuration capability. Perhaps a VPN solution with static IP restrictions could get me through...
No evidence with quick look. Deep scan in the plans (wanted the machine off as soon as possible so I could do some online research today)
Thanks again for the detailed response and information! A major inconvenience this will be - but perhaps a learning experience and a kick in the rear to be more careful in the future. Thankfully, I will lose no data. Time is always at a premium and that I cannot get back....
Re: Ransomware attack - Muhstik
Conclusion
1. Don’t open ports to QNAP, not even myQNAPcloud. Use VPN.
2. Don’t use cloud storage if you have limited BW and in case your WAN is down. Use local rotating pool and a fire rated safe.
3. An enterprise class firewall (e.g. pfSense) and white list services you insist on having open.
4. Update QTS frequently. If your QNAP is EOL, replace or repurpose.
5. Implement grandfather, father, son backup strategy. HW redundancy is also a must.
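The fifth point above (grandfather, father, son) as an added worked example, not from the thread or from any backup product: a small Python retention routine that, given the dates on which backups exist, keeps the last 7 nightly copies (sons), the newest copy of each of the last 4 ISO weeks (fathers) and the newest copy of each of the last 12 months (grandfathers), and then shows why this matters for ransomware by comparing it with a plain "keep the last 7 nights" scheme. The sample backup dates and the ten-day compromise window are constructed for the demo.

```python
"""Grandfather-father-son retention for a nightly backup set.

Added example, not code from the thread or from any backup product. Given the
dates on which backups exist, decide which to keep: the last `daily` days
(sons), the newest backup of each of the last `weekly` ISO weeks (fathers) and
the newest backup of each of the last `monthly` months (grandfathers).
"""
from __future__ import annotations

from datetime import date, timedelta


def gfs_keep(backup_dates, *, daily=7, weekly=4, monthly=12, today=None):
    """Return (keep, prune), both sorted lists of dates. `today` defaults to the newest backup."""
    dates = sorted(set(backup_dates))
    if not dates:
        return [], []
    today = today or dates[-1]

    def newest_per_bucket(bucket, n):
        # dates are ascending, so the last write for a bucket is its newest backup;
        # the n largest of those are the n most recent buckets
        if n <= 0:
            return set()
        newest = {}
        for d in dates:
            newest[bucket(d)] = d
        return set(sorted(newest.values())[-n:])

    keep = {d for d in dates if 0 <= (today - d).days < daily}            # sons
    keep |= newest_per_bucket(lambda d: d.isocalendar()[:2], weekly)      # fathers (ISO year, week)
    keep |= newest_per_bucket(lambda d: (d.year, d.month), monthly)       # grandfathers
    return sorted(keep), [d for d in dates if d not in keep]


def clean_backups(keep, compromised_since):
    """Kept backups taken before the compromise began: the only usable restore points.

    A backup taken after the intruder got in may already hold encrypted files,
    or a dormant implant, so it cannot be trusted as a clean source."""
    return [d for d in keep if d < compromised_since]


def demo():
    """Constructed sample: 93 nightly backups from 2019-07-01 to 2019-10-01 (the thread's
    date), detection on 2019-10-01, and a hypothetical ten-day dwell before the renaming."""
    nightly = [date(2019, 7, 1) + timedelta(days=i) for i in range(93)]
    detected = date(2019, 10, 1)
    since = detected - timedelta(days=10)       # 2019-09-21
    gfs_kept, gfs_pruned = gfs_keep(nightly, daily=7, weekly=4, monthly=12, today=detected)
    daily_kept, _ = gfs_keep(nightly, daily=7, weekly=0, monthly=0, today=detected)
    return {
        "keep": [d.isoformat() for d in gfs_kept],
        "prune": [d.isoformat() for d in gfs_pruned],
        "clean_gfs": [d.isoformat() for d in clean_backups(gfs_kept, since)],
        "clean_daily_only": [d.isoformat() for d in clean_backups(daily_kept, since)],
    }


if __name__ == "__main__":
    r = demo()
    print("kept:", ", ".join(r["keep"]))
    print(f"pruned {len(r['prune'])} copies")
    print("clean restore points with GFS:", r["clean_gfs"])
    print("clean restore points with 7 nightlies only:", r["clean_daily_only"])
```

With 7 nightlies only, every surviving copy post-dates the break-in and none is clean; with GFS the 15 Sep weekly and the July and August monthlies still are. Two things the routine cannot do for you: the pruning must run on the backup side, because a pool the NAS (or an intruder holding its credentials) can delete from is not a backup, which is what the rotating pool and fire safe in the post provide; and the retention counts are a trade-off between storage and how long a compromise can go unnoticed before every copy is poisoned.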
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Ransomware attack - Muhstik
you are welcome
In QTS you can get alert prompts when you visit qts about new firmware. UNTICK for beta (never use beta firmware for production nas). I would recommend subscribing to the QTS security bulletin for your email. Usually the important security issues they will then email you. You can also set up additional notifications in QTS to tell you when a new update is released (it can either sms or email to you)
yes i think it is important to ALSO check out your other devices on the same network. Another user who got infected by malware did not have his NAS online. Yet he still got infected. There are scenarios where the devices on the same network then branch out to other devices on same network, then infect them. Thats why you should also check those things out just in case.
If you already got a good av then use that. I only recommend bitdefender trial (since this is what i am using) and it's free for a long period. so why not and it does well on av-test/av-comparison for detecting and removing virus/malware.
tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm This will require a re-think for how I use my resource(s) from "outside" for sure... I do use SSH and I RDP to my Win10 machine. Those are the ports I have forwarded. I believe they should be TCP only (how I set them up). I have had multiple QNAP firmware updates since that time and perhaps the qnap (name escapes me) app that tries to autoconfigure has updated the router... I have the firewall set to high. I suppose it might be worth downloading the security logs just in case.
Honestly this is not my expertise. I only know that if remote access is required, use VPN. If it's helpdesk remote, keep it short, to limit your exposure.
legitimate sources for qpkg afaik is appcenter, qnapclub.eu and on some trusted sites like Plex, Emby, (there are probably others but i can't think of them). If you are using Chrome browser, i would suggest using netcraft extension. It warns you when you visit a FAKE/phishing site
https://chrome.google.com/webstore/deta ... amia?hl=en
Phishing is a tactic to trick you into downloading stuff on a fake site. this extension helps alert you about these kinds of dodgy sites when browsing the net.
noted
sounds good. Although 4.4.1 says it's stable, i would suggest sticking to latest 4.3.6 for now. 4.4.1 may be ready in the 2 or 3 revisions i think... always check forum BEFORE updating
not sure about defender reliability, but malwarebytes can be used to scan and remove for free. the only downside is, no access to real time. however there is a short trial you can use the app which will be sufficient to run a full scan and removal without having to purchase.
good well done
tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Indeed! Thanks for the list and taking the time to walk me through. I will be challenged to not use my systems remotely.... Will have to balance risk/reward and perhaps upgrade my FIOS router to something with greater configuration capability. Perhaps a VPN solution with static IP restrictions could get me through...
I recommend also trying out the qnap security counselor QPKG. it gives you a preset of security rules to configure a hardened security setup for your QNAP (without you having to know too much about what to do).
Like i said, i'm not an expert on remote access, but limiting ip restrictions sounds like a good idea. but if your remote has a dynamic ip, this might be difficult. I think as long as the remote client uses the VPN cert to connect that should be sufficient.
just to be clear, i wasn't trying to be rude. I just wanted to understand whether you did the proper checking or not, in case you didn't
tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Thanks again for the detailed response and information! A major inconvenience this will be - but perhaps a learning experience and a kick in the rear to be more careful in the future. Thankfully, I will lose no data. Time is always at a premium and that I cannot get back....
don't worry, i've been there before myself thats why i help others now to avoid mistakes i've too learned in the past.
anyway you seem to be on the right track, well done
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- Starting out
- Posts: 17
- Joined: Fri Feb 02, 2018 2:27 pm
Re: Ransomware attack - Muhstik
are there recovery tools for muhstik ransomware?
-
- Getting the hang of things
- Posts: 71
- Joined: Wed Oct 22, 2014 7:26 pm
Re: Ransomware attack - Muhstik
I plan on wiping and recovering from backups. This link by Moogle seems to offer the most information on recovery tools:
https://www.pcmalwarerepair.com/how-to-remove-muhstik-file-virus-data-decryption-help
-
- Starting out
- Posts: 14
- Joined: Wed Aug 28, 2013 12:41 am
Re: Ransomware attack - Muhstik
Umm.. So for a virus, which cracks qnaps like sunflower seeds, it is recommended to take and keep the server off the network and as a cure - wiping DOM+all the data?
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Ransomware attack - Muhstik
tboydva wrote: ↑Tue Oct 01, 2019 11:43 pm I plan on wiping and recovering from backups. This link by Moogle seems to offer the most information on recovery tools:
https://www.pcmalwarerepair.com/how-to-remove-muhstik-file-virus-data-decryption-help
but like i said, i do not endorse the app they are asking u to use.
not sure how effective that is, or whether it's just crapware etc.
i only use some of what they say about the malware for information purposes only.
sites like these that tend to promote a certain product, i would take with a grain of salt.
at the end of the day i feel the best solution to this are the stuff i mentioned in solutions earlier. firstline of defense is prevention.
and if worse happens, you do the dom reflash then reinitialize, followed by recovery from your backup. thats the best solution afaik.
Last edited by Moogle Stiltzkin on Fri Oct 04, 2019 11:52 am, edited 2 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- New here
- Posts: 5
- Joined: Tue Oct 01, 2019 12:14 pm
Re: Ransomware attack - Muhstik
After reading the link Moogle posted and another article on Tom's Guide, (Unless I'm misunderstanding it) it mentions that if you stop the infection from completing and remove it prematurely, you will lose your option for paying the ransom and saving your files. Does anyone know if this is true? I ask because I shut my QNAP down as it was infecting files, with the hopes that it will have only infected some, but not all of my stuff. Am I reading those pages correctly in that I need to allow it to infect all of my files first before I have the option of being able to deal with the criminal and possibly receive a decryption key from them?
- dolbyman
- Guru
- Posts: 35252
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Ransomware attack - Muhstik
you really want to pay ransom for your files ? .. chances are low that the payment actually results in successful decryption
same as the Nigerian prince never really has that 500million USD heritage to share
-
- New here
- Posts: 5
- Joined: Tue Oct 01, 2019 12:14 pm
Re: Ransomware attack - Muhstik
No, I don't want to pay the ransom...but I want to know that it's an option if all else fails. According to Tom's Guide, paying the ransom usually nets you in recovering your files. Not sure if that's true or not. But if it comes down to losing my files or paying $371, then I'm willing to kiss off a few hundred bucks.