My xpenology NAS was infected with MARS ransomware. I'm on DSM 6.2.3-25426 Update 2. For the last ten days I was receiving autoblock notifications from DSM. At this moment I can't find a solution for removing that specific ransomware; it's pretty new. Luckily I have a backup. But I think it's good to share.


In that situation you would shut down the NAS and try to recover the data by booting from USB with a rescue Linux and assembling and mounting the RAID manually.

 

It sometimes is just about weak passwords and not using two-factor authentication.

Also, most IT people would suggest making the NAS accessible over the internet only via VPN access, to minimize the attack surface.

7 minutes ago, smilenkovski said:

Mars has already encrypted 86420 files, so I will start from scratch. And what I think happened to me is not changing the username and password on the new router provided by my internet provider, but I'm not sure.

 

Are you sure the infection is inside the NAS? It might be a Windows computer that encrypts the files on the NAS over the network.

(I just started to read a little bit about Mars.)

 

Edit: it does sound like Windows ransomware.

https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html

Edited by IG-88
2 minutes ago, smilenkovski said:

After years of using Manjaro for my desktop computer I decided to switch to Windows a few weeks ago, and... this happened.

 

As long as there is no proof of where it originated ...

In the end the encryptor and the way of infection are independent, so it can be a lot of things, and Linux desktop systems are not immune to attacks either.


Your NAS is not infected, just your files. MARS has no ability to attack a Linux system and your system files are not exposed; only the files within your shares that are accessible from Windows (where the infection occurred) are affected.

 

This would be a great time to tell us you are using btrfs and creating regular snapshots, where the entire filesystem could be rolled back to before the ransomware event.


Yes, I'm using btrfs, no snapshots. I'm making backups with rsync to another xpenology NAS weekly. I've already formatted my infected NAS and, after checking the integrity of the storage pool, I'll start copying files back from the backup, which will take three days, but it is what it is.

Edited by smilenkovski
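A defender's note on the weekly rsync mirror described above, as an added example that is not from the thread or from xpenology: a plain `rsync -a --delete` run after an encryption event would overwrite the good copies on the second NAS with encrypted ones, so this script keeps every overwritten or deleted file in a dated directory and refuses to run when an unusually large share of files would change in one pass (86420 files encrypted at once is exactly that pattern). The source and destination paths and the 10% threshold are assumptions; adjust them for your own NAS.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed paths; change as needed.
SRC="${SRC:-/volume1/data/}"          # share to protect (trailing slash matters to rsync)
DST="${DST:-/volumeUSB1/backup}"      # backup root: $DST/current + $DST/versions/<stamp>
MAX_CHANGED_PCT="${MAX_CHANGED_PCT:-10}"  # abort when more than this % of files would change

# should_abort CHANGED TOTAL PCT
# Returns 0 (true) when CHANGED is more than PCT percent of TOTAL.
# Ransomware rewrites most files in one go; a normal week changes a few.
should_abort() {
    changed=$1; total=$2; pct=$3
    [ "$total" -gt 0 ] || return 1
    [ $((changed * 100)) -gt $((total * pct)) ]
}

# Dry-run rsync and count regular files whose content would be replaced
# (itemize prefix '>f' = file transferred to the receiver). grep -c prints
# 0 but exits non-zero when nothing matches, hence the '|| true'.
count_planned_changes() {
    rsync -a --dry-run --itemize-changes --delete "$SRC" "$DST/current/" \
        | grep -c '^>f' || true
}

run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    total=$(find "$SRC" -type f | wc -l)
    changed=$(count_planned_changes)
    if should_abort "$changed" "$total" "$MAX_CHANGED_PCT"; then
        echo "ABORT: $changed of $total files would change (>$MAX_CHANGED_PCT%); inspect the source first" >&2
        return 2
    fi
    mkdir -p "$DST/versions"
    # --backup/--backup-dir moves every file that would be overwritten or
    # deleted into a dated directory, so even a run that slips past the
    # guard never destroys the previous good copy.
    rsync -a --delete --backup --backup-dir="$DST/versions/$stamp" \
        "$SRC" "$DST/current/"
}

# Only sync when invoked as: sh backup.sh run
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Old entries under `$DST/versions` can be pruned on a fixed retention schedule once you have verified the `current` tree is clean.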

My conclusion on the matter: Mars ransomware made changes only to folders mounted on boot in Windows. That was an easy way to maintain a Plex media library with tinyMediaManager. So, that was my short Win 10 experience; I'm back on Manjaro now. Now I'm praying for a successful copy of all my data back and thinking about a third server for backup.

1 hour ago, smilenkovski said:

Now I'm praying for a successful copy of all my data back and thinking about a third server for backup.

Most data will not need that (like media files).

If you hold the working data on the desktop (NVMe SSDs are temptingly fast), back up to the NAS and make a backup of the NAS, you have 3 locations for the files.

 

You should look into how it got into Windows. 8th-layer problems also exist on Linux, even if it's not that common to be attacked directly, but you can also get infections through hacked gits or repositories, and when using Windows in VMs it might be the same risk for network resources/shares as running it directly.


Reading around about Mars ransomware, it might be the RDP flaw, because in my case it wasn't opening an email attachment, or, like I mentioned before, maybe it was a bad password on the router. Don't know, but an awful experience and kind of offensive, because you take it personally; finally, you receive a personal message with criminal content.

But thank you for paying attention.
