Ransomware attack - Muhstik

tboydva · Post by **tboydva** » Tue Oct 01, 2019 7:59 am

Here's a first (for me). My QNAP TS-451+ was attacked with ransomware... This has changed files names to *.muhstik and within every data directory is a text file with "instructions" for how to recover the files... I unplugged and am trying to reset the NAS. The web interface is "gone" and I'm currently trying to reset (everything). I have backups (nightly) but it will take a lot of time (bandwidth limited) to restore. Not sure where this came from. The file naming was "seen" over a windows share. So far, no evidence of my client machines being infected. I did have ssh functional as I use it remotely. I also did not change the port numbers (in the guidance). Passwords were strong (IMO). Using a Verizon router with ports mapped for external access... Need to do some changes I guess.

Some questions:

1) I did the 10 second reset. NAS boots back up - but with system still not reset (admin password still works).
2) there is a new directory called new_root with today's date for creation.
3) When I boot using keyboard, mouse and HDMI monitor, it comes up with the ability to use <alt>-F2 to get to command line. Is there any way to "reset" the system from command line? Forgot to mention, no web access (https://ip shows "refused to connect" )

Wondering how to progress - I'd like to wipe completely clean and set up new...

Moogle Stiltzkin · Post by **Moogle Stiltzkin** » Tue Oct 01, 2019 8:23 am

https://www.hackmageddon.com/2019/01/15 ... nt-page-1/

https://www.bleepingcomputer.com/news/s ... n-routers/

https://www.reddit.com/r/qnap/comments/ ... w_malware/

TLDR

You need to reflash your DOM in the NAS.

https://wiki.qnap.com/wiki/Firmware_Recovery

You must copy all the data outside your NAS. Reflash your DOM and then initialize your NAS from scratch. Then copy your data back.

the reason for reflashing dom is because sometimes the malware survives a reinitialization. only way to be sure is to reflash the DOM. this is basically the nuclear option for disinfection

i would also suggest doing other stuff

1. update your router (clear nvram as well while you are at it)
2. update all your pc clients on the same network (windows 10, anti virus, anti malware, everything)
3. run anti virus and anti malware scan on all devices on your network. pc clients, smartphones etc.... since your qnap was compromised, you don't know what else on your network was also compromised right?
4. DO NOT PORT FORWARD YOUR QNAP TO THE INTERNET! Do not use UPNP on router, and qnap. This is usually the PRIMARY cause of how people get infected in the first place
5. only install qpkgs from legimate sources like appcenter, or possibly qnapclub.eu
6. do not install dodgy apps on your qnap. do not store files that have not been screened first by an anti virus ( i use bitdefender on my desktop pc, so everything gets auto real time scanned so i know they are safe before i store onto the qnap)
7. Always update to the latest QTS STABLE (probably not qts 4.4.1 tbh). Check the forum first for whether the QTS build is stable BEFORE updating. usually if a qts goes a week or month without complaints, usually means it's fine.
8. all things from qts, router, windows 10 (desktop pc), everything needs to be regularly updated.
9. backup regularly. How else are you going to restore from a clean source?

If you don't take any precautions, you are bound to be reinfected again

tboydva wrote: ↑Tue Oct 01, 2019 7:59 am So far, no evidence of my client machines being infected. I did have ssh functional as I use it remotely. I also did not change the port numbers (in the guidance). Passwords were strong (IMO). Using a Verizon router with ports mapped for external access... Need to do some changes I guess.

how do you know? do you have anti virus and anti malware installed? did you run the scans to check?

dolbyman · Post by **dolbyman** » Tue Oct 01, 2019 8:31 am

external access is the issue

should only be done via vpn ... exposing your nas is a bad idea

the best passwords or 2FA doesn't help when exploits are used

whizard12 · Post by **whizard12** » Tue Oct 01, 2019 12:47 pm

I was hit with this also, but immediately shut down once I noticed the files being renamed with the Muhstik extension. I'm afraid to boot back up to view the damage or try to clean the virus. You didn't happen to save the "instructions" did you? Curious as to what it's saying to do in order to recover the files.

Anyone know if there's a way to decrypt the files? I'm assuming the instructions will promise to decrypt for you if you pay them money?

Moogle Stiltzkin · Post by **Moogle Stiltzkin** » Tue Oct 01, 2019 2:25 pm

About .muhstik File Virus
.muhstik File Virus is a deadly computer infection that is recognized as ransomware. It has been created by vicious cyber criminals in order to extort money from victims. It sneaks into the targeted computer by stealth and is capable to encrypt all kinds of important files completely. Once executes, it quickly infect your entire computing machine and makes your files completely inaccessible. Moreover, it will blackmails the users to pay money in exchange of the access of your important files. Hence, if you delete .muhstik File Virus virus at the earliest then you will lose all your important data permanentally.

Why .muhstik File Virus Is Dangerous
To be more specific, .muhstik File Virus virus is programmed with a very strong crypto-graphic algorithm. File encrypted by this particular ransomware virus features a very strange extension. After encryption, it replace your system wallpaper with a very strange ransom note. It threatens the victims that all your important files encrypted and in order to get your files back you need to pay the ransom money. Meanwhile, it also set a dealine for you to pay ransom and warns that if money will not be paid soon then you will never be able to access your files. It also causes various critical issues in your system and can make your system completely unusable. However, users must know that even when you pay the money .muhstik File Virus virus will delete all your important data.

How To Deal With .muhstik File Virus Virus
Well, paying money is certainly not a good option for you to deal with .muhstik File Virus as it will motivate the hackers to commit further crimes in your system. Additionally, the decryption key provided by this notorious ransomware virus is unable to decrypt all your data completely. The only possible way to restore your files is to remove this threat completely. Once the threat is removed then you can easily decrypt all your important files by using a powerful data recovery tool. Therefore, it is recommended the users to get rid of .muhstik File Virus virus as soon as possible it detected in your Windows PC.

How To Remove .muhstik File Virus
.muhstik File Virus is certainly the most devastating computer threat which needs to be removed immediately from your PC. To remove .muhstik File Virus and other harmful malware from your PC, you need to go through various removal steps. Beware! it is a nasty malware which may have spread its hidden copies at different locations on your system with different names. Hence, you must clean your system properly and remove all the core files related to .muhstik File Virus. Go through this removal guide that may be helpful for you in attempt of removing this infection from your computer. Manual Removal process need some technical expertise otherwise you may end up corrupting your system files.

Code: Select all

https://www.pcmalwarerepair.com/how-to-remove-muhstik-file-virus-data-decryption-help

.muhstik Virus is another recently found variant of Scarab Ransomware. It is a crypto malware that thrive on encrypting users data and extorting ransom money. It is also commonly known as .muhstik file virus or the .muhstik Ransomware.

It is able to infect all types of computer that run on Windows OS. It is very good at targeting its victims and then forcing them to pay the ransom money by encrypting their files. It is known for adding .muhstik extension to the end of file names of your infected data. It encrypt all types of computer files like videos, images, music, documents and every thing. It silently enter your computer without your permission and hide deep into your system. It executes several malicious programs into your system that slow down your system to give enough time to .muhstik ransom virus to encrypt your files. After successful encryption, it will leave ransom note on your computer explaining the entire encryption incident. It will ask you to pay the ransom money to get the decryption key that can unlock your files. It is dirty game but .muhstik file virus is just a criminal program fair and square. Its has only motive hijack your files and force you to pay the ransom money.

Description
.muhstik Ransomware encrypt your files by adding .muhstik extension to file names and demands a ransom to give decryption key

Symptoms
You will not be able to access any files on your system. You will find Ransom note in each folder demanding money.

Distribution
Spam Emails, Email Attachments, bundled freeware, porn or torrent sites

Code: Select all

https://topvirusremoval.com/muhstik-file-virus-ransomware-muhstik-file-recovery

This is a problem with virus/malware/rootkits

Code: Select all

https://www.infopackets.com/news/10411/explained-if-i-reset-windows-10-will-it-remove-malware

for me, i would run antimalware, and av scans first, try remove what i can. then refresh. then instead of booting OS, i would reflash bios, and also install windows 10 from USB flash drive (yes you can do a refresh from within windows 10, but i'm trying to avoid loading possible bad stuff. and the only safe way i know how is this way), then in the windows setup do the format hdds.

Obviously you should have backups prior to doing any reformat, or win10 reset etc

...

//note: i am not endorsing installing any of the apps at the links in the articles above. sometimes these kinds of sites give you crapware. best rely on the right tools, a few suggestions with links below (that i actually tested myself)

anti malware
https://www.malwarebytes.com/
https://www.zemana.com/
https://www.malwarebytes.com/adwcleaner/
https://www.hitmanpro.com/en-us/hmp.aspx

Code: Select all

https://toolslib.net/downloads/viewdownload/111-rkill/

OSarmor locks down your pc from malicious scripts running in background without your knowledge. i can manually allow or to temporary disable whenever i have to. other times it will auto block anything running behind your back

Code: Select all

https://www.novirusthanks.org/products/osarmor/

Code: Select all

https://www.youtube.com/watch?v=HKx6O9qjX4A

Anti virus *this is a solid AV (refer to https://www.av-test.org/en/ & https://www.av-comparatives.org/ )

You can get 180 free trial with bitdefender total security (instructions here)
https://www.bitdefender.com/solutions/free.html
https://www.nsaneforums.com/topic/35340 ... nt-1508565

this helps check for any dodgy apps that try to hide when you open task manager to check whats running
https://www.nirsoft.net/utils/computer_ ... _view.html

anti root kit
https://www.malwarebytes.com/antirootkit/
https://usa.kaspersky.com/downloads/tdsskiller
https://www.youtube.com/watch?v=82rv6Ymo-WI

troubleshooting

process hacker (a very good alternative is process explorer by sysinternal)
http://processhacker.sourceforge.net/)

Farbar recovery
https://www.bleepingcomputer.com/downlo ... scan-tool/
https://support.malwarebytes.com/docs/DOC-1318

sysinternal suite (i recommend only process explorer and process monitor. i never used the other tools in this package. with process explorer you can submit an exe to totalvirus and it will check if that exe file is a virus or not based on it's file signature)
https://docs.microsoft.com/en-us/sysint ... nals-suite

With farbar you basically get some logs which you can then share with your technical support to help you troubleshoot. for free support... there is communities like... wildersecurity or malwaretips

https://www.wilderssecurity.com/forums/ ... s-news.38/
https://malwaretips.com/

Here are some basic guides i found, to make this process easier (maybe there are better ones

)
https://www.youtube.com/watch?v=HawNtYduDi4
https://www.youtube.com/watch?v=noErOEHcAj8

These are all detection, removal and troubleshoot for pc client devices.

For the NAS, i already mentioned to reflash the dom, reinitialize, then recover from a backup.

the NAS defense only has malware remover qpkg. i'm unsure if this is capable of realtime scanning, or whether it's merely scheduled runs

Code: Select all

https://www.qnap.com/en/app_releasenotes/list.php?app_choose=MalwareRemover

If you don't have backup, then you are probably screwed.

In your case, best not turn on the QNAP and go check with support first for what to do next.

Code: Select all

https://service.qnap.com

and consider a backup solution to avoid this issue next time. it's not just virus/malware... other things can happen

if you must pay someone, invest into a backup solution

worth it.

tboydva · Post by **tboydva** » Tue Oct 01, 2019 6:44 pm

Moogle -many thanks for the advise/links for resetting the NAS and reflashing the DOM. Will do this tonight.

i would also suggest doing other stuff

1. update your router (clear nvram as well while you are at it)

I updated the firmware in recent history. When exactly, I do not recall. It's a Verizon FIOS router. Maybe an updated model is warranted.

2. update all your pc clients on the same network (windows 10, anti virus, anti malware, everything)

Ran scan on the only current client (Win10). Will run Offline scan when I get home tonight

3. run anti virus and anti malware scan on all devices on your network. pc clients, smartphones etc.... since your qnap was compromised, you don't know what else on your network was also compromised right?

In process

4. DO NOT PORT FORWARD YOUR QNAP TO THE INTERNET! Do not use UPNP on router, and qnap. This is usually the PRIMARY cause of how people get infected in the first place

This will require a re-think for how I use my resource(s) from "outside" for sure... I do use SSH and I RDP to my Win10 machine. Those are the ports I have forwarded. I believe they should be TCP only (how I set them up). I have had multiple QNAP firmware updates since that time and perhaps the qnap (name escapes me) app that tries to autoconfigure has updated the router... I have the firewall set to high. I suppose it might be worth downloading the security logs just in case.

5. only install qpkgs from legimate sources like appcenter, or possibly qnapclub.eu

Hmmm. I believe I do - with the exception perhaps of Serviio. I just updated this over the weekend... I've run the old version(s) for years....

6. do not install dodgy apps on your qnap. do not store files that have not been screened first by an anti virus ( i use bitdefender on my desktop pc, so everything gets auto real time scanned so i know they are safe before i store onto the qnap)

see above... The serviio qpgk is being wiped (or will be).

7. Always update to the latest QTS STABLE (probably not qts 4.4.1 tbh). Check the forum first for whether the QTS build is stable BEFORE updating. usually if a qts goes a week or month without complaints, usually means it's fine.

I always do suggested update(s) when I'm notified. I think the last was within the past week or two... Good suggestion waiting a bit...

8. all things from qts, router, windows 10 (desktop pc), everything needs to be regularly updated.

This is "done" - at least I feel so. I will do a Defender Offline scan when I get home. I turned everything off with the idea of searching a bit at work today.

9. backup regularly. How else are you going to restore from a clean source?

Done - I use the cloud sync (daily) and have interim(s) stored in fire safe. I don't think I will loose any data.

If you don't take any precautions, you are bound to be reinfected again

Indeed! Thanks for the list and taking the time to walk me through. I will be challenged to not use my systems remotely.... Will have to balance risk/reward and perhaps upgrade my FIOS router to something with greater configuration capability. Perhaps a VPN solution with static IP restrictions could get me through...

how do you know? do you have anti virus and anti malware installed? did you run the scans to check?

No evidence with quick look. Deep scan in the plans (wanted the machine off as soon as possible so I could do some online research today)

Thanks again for the detailed response and information! A major inconvenience this will be - but perhaps a learning experience and a kick in the rear to be more careful in the future. Thankfully, I will loose no data. Time is always at a premium and that I cannot get back....

elvisimprsntr · Post by **elvisimprsntr** » Tue Oct 01, 2019 7:43 pm

Conclusion
1. Don’t open ports to QNAP, not even myQNAPcloud. Use VPN.
2. Don’t use cloud storage if you have limited BW and in case your WAN is down. Use local rotating pool and a fire rated safe.
3. An enterprise class firewall (e.g. pfSense) and white list services you insist on having open.
4. Update QTS frequently. If your QNAP is EOL, replace or repurpose.
5. Implement grandfather, father, son backup strategy. HW redundancy is also a must.

Moogle Stiltzkin · Post by **Moogle Stiltzkin** » Tue Oct 01, 2019 7:59 pm

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Moogle -many thanks for the advise/links for resetting the NAS and reflashing the DOM. Will do this tonight.

you are welcome

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm I updated the firmware in recent history. When exactly, I do not recall. It's a Verizon FIOS router. Maybe an updated model is warranted.

In QTS you can get alert prompts when you visit qts about new firmware. UNTICK for beta (never use beta firmware for production nas). I would recommend subscribing to the QTS security bulletin for your email. Usually the important security issues they will then email you. You can also additional setup notifications in QTS to tell you when a new update is release (it can either sms or email to you)

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Ran scan on the only current client (Win10). Will run Offline scan when I get home tonight

yes i think it is important to ALSO check out your other devices on the same network. Another user who got infected by malware did not have his NAS online. Yet he still got infected. There are scenarios where the devices on the same network then branch out to other devices on same network, then infect them. Thats why you should also check those things out just in case.

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm In process

If you already got a good av then use that. I only recommend bitdefender trial (since this is what i am using) and it's free for a long period. so why not

and it does well on av-test/av-comparison for detecting and removing virus/malware.

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm This will require a re-think for how I use my resource(s) from "outside" for sure... I do use SSH and I RDP to my Win10 machine. Those are the ports I have forwarded. I believe they should be TCP only (how I set them up). I have had multiple QNAP firmware updates since that time and perhaps the qnap (name escapes me) app that tries to autoconfigure has updated the router... I have the firewall set to high. I suppose it might be worth downloading the security logs just in case.

Honestly this is not my expertise. I only know that if remote access is required, use VPN. If it's helpdesk remote, keep it short, to limit your exposure.

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Hmmm. I believe I do - with the exception perhaps of Serviio. I just updated this over the weekend... I've run the old version(s) for years....

legitimate sources for qpkg afaik is appcenter, qnapclub.eu and on some trusted sites like Plex, Emby, (there are probably others but i can't think of them). If you are using Chrome browser, i would suggest using netcraft extension. It warns you when you visit a FAKE/phishing site
https://chrome.google.com/webstore/deta ... amia?hl=en

Phishing is a tactic to trick you into downloading stuff on a fake site. this extension helps alert you about these kinds of dodgy sites when browsing the net.

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm see above... The serviio qpgk is being wiped (or will be).

noted

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm I always do suggested update(s) when I'm notified. I think the last was within the past week or two... Good suggestion waiting a bit...

sounds good. Although 4.4.1 says it's stable, i would suggest sticking to latest 4.3.6 for now. 4.4.1 may be ready in the 2 or 3 revisions i think... always check forum BEFORE updating

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm This is "done" - at least I feel so. I will do a Defender Offline scan when I get home. I turned everything off with the idea of searching a bit at work today.

not sure about defender reliability, but malwarebytes can be used to scan and remove for free. the only downside is, no access to real time. however there is a short trial you can use the app which will be sufficient to run a full scan and removal without having to purchase.

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Done - I use the cloud sync (daily) and have interim(s) stored in fire safe. I don't think I will loose any data.

good well done

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Indeed! Thanks for the list and taking the time to walk me through. I will be challenged to not use my systems remotely.... Will have to balance risk/reward and perhaps upgrade my FIOS router to something with greater configuration capability. Perhaps a VPN solution with static IP restrictions could get me through...

I recommend also trying out the qnap security counselor QPKG. it gives you a preset of security rules to configure a hardened security setup for your QNAP (without you having to know too much about what to do).

Like i said, i'm not an expert on remote access, but limiting ip restrictions sounds like a good idea. but if your remote has a dynamic ip, this might be difficult. I think as long as the remote client uses the VPN cert to connect that should be sufficient.

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm No evidence with quick look. Deep scan in the plans (wanted the machine off as soon as possible so I could do some online research today)

just to be clear, i wasn't trying to be rude. I just wanted to understand whether you did the proper checking or not, in case you didn't

tboydva wrote: ↑Tue Oct 01, 2019 6:44 pm Thanks again for the detailed response and information! A major inconvenience this will be - but perhaps a learning experience and a kick in the rear to be more careful in the future. Thankfully, I will loose no data. Time is always at a premium and that I cannot get back....

don't worry, i've been there before myself

thats why i help others now to avoid mistakes i've too learned in the past.

anyway you seem to be on the right track, well done

wangear@gmail.com · Post by **wangear@gmail.com** » Tue Oct 01, 2019 8:41 pm

is there recovery tools for muhstik ransomware?

tboydva · Post by **tboydva** » Tue Oct 01, 2019 11:43 pm

I plan on wiping and recovering from backups. This link by Moogle seems to offer the most information on recovery tools:

Code: Select all

https://www.pcmalwarerepair.com/how-to-remove-muhstik-file-virus-data-decryption-help

physh · Post by **physh** » Thu Oct 03, 2019 9:40 pm

Umm.. So for a virus, which cracks qnaps like like sunflower seeds, it is recommended to take and keep the server off the network and as a cure - wiping DOM+all the data?

Moogle Stiltzkin · Post by **Moogle Stiltzkin** » Thu Oct 03, 2019 10:15 pm

tboydva wrote: ↑Tue Oct 01, 2019 11:43 pm I plan on wiping and recovering from backups. This link by Moogle seems to offer the most information on recovery tools:
Code: Select all
https://www.pcmalwarerepair.com/how-to-remove-muhstik-file-virus-data-decryption-help

but like i said, i do not endorse the app they are asking u to use.

not sure how effective that is, or whether it's just crapware etc.

i only use some of what they say about the malware for information purposes only.

sites like these that tend to promote a certain product, i would take with a grain of salt.

at the end of the day i feel the best solution to this are the stuff i mentioned in solutions earlier. firstline of defense is prevention.

and if worse happens, you do the dom reflash then reinitialize, followed by recovery from your backup. thats the best solution afaik.

whizard12 · Post by **whizard12** » Thu Oct 03, 2019 10:57 pm

After reading the link Moogle posted and another article on Tom's Guide, (Unless I'm misunderstanding it) it mentions that if you stop the infection from completing and remove it prematurely, you will lose your option for paying the ransom and saving your files. Does anyone know if this is true? I ask because I shut my QNAP down as it was infecting files, with the hopes that it will have only infected some, but not all of my stuff. Am I reading those pages correctly in that I need to allow it to infect all of my files first before I have the option of being able to deal with the criminal and possibly receive a decryption key from them?

dolbyman · Post by **dolbyman** » Thu Oct 03, 2019 11:23 pm

you really want to pay ransom for your files ? .. chances are low that the payment actually results in successful decryption

same as the Nigerian prince never really has that 500million USD heritage to share

whizard12 · Post by **whizard12** » Thu Oct 03, 2019 11:38 pm

No, I don't want to pay the ransom...but I want to know that it's an option if all else fails. According to Tom's Guide, paying the ransom usually nets you in recovering your files. Not sure if that's true or not. But if it comes down to losing my files or paying $371, then I'm willing to kiss off a few hundred bucks.

QNAP NAS Community Forum

Ransomware attack - Muhstik

Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik

Re: Ransomware attack - Muhstik