Comment #5259

Actually Classy is very cheap compared to other places.

- Carl on Just a Friendly Reminder for the boys

Tags: NAS, checkmate, ransomware, Western Digital, WD, SSD, HDD, tech stuff

I've been having trouble finding anything online about this but I think I've gotten to the bottom of it.

First the background of what's going on.
In our little office, we have a WD My Cloud Ex2 as a Network attached storage for filesharing inside the office. It worked great! Swappable hard drives, pretty robust OS with decent web based interface and had vpn capabilities for remote access. Can even do remote back ups and USB backups.

Then the shit started.

Someone found a major whole in their security and was able to push ransomware onto the thing. Not a big deal since we do backups and just erased things with minimal loss and restored from last back up. I updated firmware and thought, that's the last of that. Nope, happened again about 2 weeks later, then another 2 months later. Then WD updated their firmware and killed remote access to certain devices like our EX2. An annoyance but we'll just ftp in. Then we were hit again. So now the device is completely closed to the outside world.

After years of use I decided to upgrade the HDD to an SSD, bought a specific NAS centric SSD and spent the weekend transferring files. I was able to copy all user config from old hard drive to new set up with 2 clicks but had to recreate all shares from scratch and upload data onto the SSD in appropriate shares. Time consuming but not the end of the world.

Everything worked, and brought the EX2 back to the office and this morning, ransomware again.
It's always the same bloody ransomware with the same bloody message. Something called .checkmate. All it does is just encrypts all the files on the share with a .checkmate extension and you cannot access unless you pay the 15000US of bitcoin. I don't deal with terrorist so fuck that.

I think I know how the ransomware got on, but am not 100% certain.
I think it got on through someones computer, not a backdoor or hacking of the EX2 itself. The .checkmate only affects certain shares which leads me to believe it was from a specific users account. I don't think he ever set up his account or used a weak password and that's pretty much how they got in. I can't prove this though, just speculation.

The other idea is that it's infected the OS of the EX2 and that's how it keeps showing up. But the problem with that is that why not infect the entire drive, meaning all the shares?

All I know is that I've had to spend my morning copying information back and forth for a 3rd time in 3 days.

To remedy the situation, I'm erasing the specific shares, copying said info back and will update the antivirus or at worst reformat the offending users pc and see if that makes a difference.

I thought all of this was note worthy because I haven't really been able to find anything that helps online, so maybe someone out there will read this and know what to do in the future.