StorageCrypt SambaCry ransomware recovery advice

Marvell Kirkwood based
manta99
Posts: 1
Joined: Tue Jan 09, 2018 9:08 am

StorageCrypt SambaCry ransomware recovery advice

Post by manta99 » Tue Jan 09, 2018 9:44 am

Hi,

Would anyone be able to advise me what I need to do to clean up following a StorageCrypt attack/infection?

Stupidly I had not updated my NSA 325 with the latest firmware and, equally stupidly, port 445 was open via UPnP on my firewall - that is how I assume I ended up getting infected with StorageCrypt on my NSA 325. So we have a benchmark - I'm stupid! (Not so stupid that I don't have backups though ;) )

I have closed the holes in my firewall and updated my NAS firmware. I put some clean files on the NAS and checked a couple of days later - they are still clean.

But how do I know I'm really clean? Or does switching out the firmware mean that I get a clean build anyway?

Any advice would be greatly appreciated.

Rob

Mijzelf
Posts: 6203
Joined: Mon Jun 16, 2008 10:45 am

Re: StorageCrypt SambaCry ransomware recovery advice

Post by Mijzelf » Tue Jan 09, 2018 1:07 pm

Have a look at the running processes. Run 'ps' in the command prompt, to see if anything suspicious is running.

But unless your StorageCrypt was specifically targeting ZyXEL NASes, I think simply rebooting is enough to get the infection gone. The firmware is either on a ramdrive, or on a read-only drive, so it's hard to install anything which will survive a reboot.
Of course it can be done, else you wouldn't be able to install any packages, but it won't happen by accident.

Reading this description on a StorageCrypt attack, it seems it only 'installs' itself in the /tmp/ directory, which is volatile on most Linux systems.
On the other hand, that infection uses nohup to start the binary, which is not available on an NSA3xx, so if your infection is exactly the same, it wouldn't have started.

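Mijzelf's two checks (look at the running processes, and remember that the firmware lives on a ramdrive or read-only volume while the malware only lands in /tmp) can be scripted so they are repeatable. The following is an added example for this thread, not code from the forum, from ZyXEL, or from any StorageCrypt write-up. It assumes a BusyBox-style POSIX sh with `awk` and `readlink`, as found on most Linux NAS firmware; the list of "volatile or world-writable" directories it flags (/tmp, /var/tmp, /dev/shm) and the function names are my own choices. It reads executable paths from /proc rather than trusting `ps`, because BusyBox `ps` often shows only the command name, and it also flags a process whose binary has been unlinked (shown by Linux as "(deleted)"), since a dropper that removes itself after starting would otherwise go unnoticed.

```shell
#!/bin/sh
# Post-infection triage for a Linux NAS (hypothetical helper, not a vendor tool).
# Run BEFORE rebooting if you want to see what was in memory: /tmp and the
# process list are exactly what a reboot wipes.

# flag_volatile_exes: read "PID EXE" lines from stdin, report (on stderr) each
# executable that runs from /tmp, /var/tmp or /dev/shm, or whose file has been
# deleted from disk; print the number of flagged processes on stdout.
flag_volatile_exes() {
    n=0
    while read -r pid exe; do
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf 'FLAG volatile-dir pid=%s exe=%s\n' "$pid" "$exe" >&2
                n=$((n + 1)) ;;
            *" (deleted)")
                printf 'FLAG unlinked-binary pid=%s exe=%s\n' "$pid" "$exe" >&2
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# collect_live_exes: emit "PID EXE" for every process by resolving
# /proc/<pid>/exe. Processes we may not inspect (permission) are skipped, so
# run as root for a complete picture.
collect_live_exes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s %s\n' "${p#/proc/}" "$exe"
    done
}

# root_mount_state: read /proc/mounts-format lines from stdin and print
# "<fstype> <ro|rw>" for the root filesystem. On a firmware-on-flash NAS you
# expect something like "squashfs ro" or a tmpfs/ramfs root; "rw" on a real
# disk means a persistent foothold would at least be possible.
root_mount_state() {
    awk '$2 == "/" { split($4, o, ","); print $3 " " o[1]; exit }'
}

# Live run (only where /proc is available, i.e. on the NAS itself).
if [ -r /proc/mounts ]; then
    echo "root filesystem: $(root_mount_state < /proc/mounts)"
    echo "executables in /tmp:"; find /tmp -type f -perm -u+x 2>/dev/null
    count=$(collect_live_exes | flag_volatile_exes)
    echo "flagged processes: $count"
fi
```

A count of zero plus a read-only or ramdisk root is the "clean after reboot" case Mijzelf describes; anything flagged deserves a look at `/proc/<pid>/cmdline` and `/proc/<pid>/cwd` before the box is power-cycled. A NAS whose root is mounted rw on the data disk does not share that guarantee, so there the reboot alone is not the end of the check.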