WD MyCloud EX2 hit by .checkmate ransomware

at 15:43 - 27th, February 2023
I've been having trouble finding anything online about this but I think I've gotten to the bottom of it.

First the background of what's going on.
In our little office, we have a WD My Cloud EX2 as network-attached storage for file sharing inside the office. It worked great! Swappable hard drives, a pretty robust OS with a decent web-based interface, and it had VPN capabilities for remote access. It can even do remote backups and USB backups.

Then the shit started.

Someone found a major hole in their security and was able to push ransomware onto the thing. Not a big deal, since we do backups: we just erased things with minimal loss and restored from the last backup. I updated the firmware and thought that was the last of that. Nope, it happened again about 2 weeks later, then again 2 months later. Then WD updated their firmware and killed remote access to certain devices like our EX2. An annoyance, but we'd just FTP in. Then we were hit again. So now the device is completely closed to the outside world.

After years of use I decided to upgrade the HDD to an SSD, bought a specific NAS-centric SSD and spent the weekend transferring files. I was able to copy all user config from the old hard drive to the new setup with 2 clicks, but had to recreate all shares from scratch and upload the data onto the SSD into the appropriate shares. Time consuming, but not the end of the world.

Everything worked, I brought the EX2 back to the office, and this morning: ransomware again.
It's always the same bloody ransomware with the same bloody message. Something called .checkmate. All it does is encrypt all the files on the share, giving them a .checkmate extension, and you cannot access them unless you pay 15000 USD in bitcoin. I don't deal with terrorists, so fuck that.

I think I know how the ransomware got on, but am not 100% certain.
I think it got on through someone's computer, not a backdoor or hacking of the EX2 itself. The .checkmate only affects certain shares, which leads me to believe it came from a specific user's account. I don't think he ever set up his account, or he used a weak password, and that's pretty much how they got in. I can't prove this though, just speculation.

The other idea is that it has infected the OS of the EX2 and that's how it keeps showing up. But the problem with that theory is: why not infect the entire drive, meaning all the shares?

All I know is that I've had to spend my morning copying information back and forth for the 3rd time in 3 days.

To remedy the situation, I'm erasing the specific shares, copying said info back, and will update the antivirus or, at worst, reformat the offending user's PC and see if that makes a difference.

I thought all of this was noteworthy because I haven't really been able to find anything that helps online, so maybe someone out there will read this and know what to do in the future.


andrew
News comment 1 | User comment 1363 | 9:28 - 1st, Mar 2023

Sounds like someone is writing to it via an SMB mount or something... probably someone downloaded some shit and it was copied to the NAS.

Windows users (especially those with admin rights) should be restricted to only people who know what they're doing.

Alex
News comment 2 | User comment 4968 | 15:45 - 5th, Mar 2023

Hit the nail on the head. Looks like it was my uncle's account on the NAS. It's the only account that had access to everything that was affected. He's going to reformat his PC and we'll see what happens.

Alex
News comment 3 | User comment 4968 | 15:47 - 5th, Mar 2023

I've restricted his access for now. Hopefully it won't happen again. The really interesting thing, though, is that his PC was off during these times, so I'm wondering if the NAS has been permanently infected with something, and if that's the case, are the backups infected as well? I can't find a way to reformat the NAS itself, since it has an on-board OS that I don't really have access to aside from resetting to factory defaults.

Who knows, might be time to bite the bullet and get something beefier?
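Two questions the thread leaves open are which shares actually hold encrypted files (the post notes only certain shares were hit) and whether the encryption happened while the suspect PC was off (comment 3). The script below is an added example, not something posted in the thread or shipped by WD: pointed at a mounted share tree or a backup copy, it counts files carrying the `.checkmate` extension per share and reports the modification-time window in which they were written, which can then be compared against when that PC was on. The share names and timestamps in `build_sample` are constructed.

```python
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".checkmate"  # extension the post reports on the encrypted files


def scan_shares(root):
    """Walk each top-level share under `root` (a mounted NAS share tree or a
    backup copy of it) and count files carrying RANSOM_EXT, recording the
    earliest and latest modification time among them. Comparing that window
    with when a suspect PC was on or off is the check comment 3 asks about."""
    report = {}
    for share in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        count, first, last = 0, None, None
        for dirpath, _dirs, files in os.walk(share):
            for name in files:
                if not name.lower().endswith(RANSOM_EXT):
                    continue
                count += 1
                mtime = os.path.getmtime(os.path.join(dirpath, name))
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
        report[share.name] = {"encrypted": count, "first": first, "last": last}
    return report


def affected_shares(report):
    """Names of shares holding at least one encrypted file; a backup copy whose
    shares all come back empty here has not been touched by the renaming."""
    return sorted(name for name, r in report.items() if r["encrypted"] > 0)


def build_sample():
    """Constructed sample tree (not data from the post): one hit share, one clean."""
    base = Path(tempfile.mkdtemp())
    hit = base / "Public" / "docs"
    hit.mkdir(parents=True)
    (base / "Backups").mkdir()
    (base / "Backups" / "notes.txt").write_text("clean")
    for i, stamp in enumerate((1677000000, 1677001800, 1677003600)):
        f = hit / f"report{i}.docx{RANSOM_EXT}"
        f.write_bytes(b"\x00" * 16)  # stands in for ciphertext
        os.utime(f, (stamp, stamp))  # constructed encryption timestamps
    return base


if __name__ == "__main__":
    rep = scan_shares(build_sample())
    for name, r in rep.items():
        print(name, r)
    print("affected:", affected_shares(rep))
```

Run it against a read-only mount of each backup generation before restoring from it, so a backup that already contains `.checkmate` files is not copied back onto a freshly wiped share.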

andrew
News comment 4 | User comment 1363 | 6:31 - 6th, Mar 2023

I don't know the WD products at all. The Synology NASes are pretty solid, we use these at work, and they have built-in anti-virus. QNAP are pretty good as well. It won't necessarily stop this from happening again, however; ransomware is pretty nasty stuff.

