In response to the infections, the company has released firmware updates (ADM 4.0.4.RQO2) to "fix related security issues." The company is also urging users to take the following actions to keep data secure –
- Change your password
- Use a strong password
- Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively
- Change web server ports (Default ports are 80 and 443)
- Turn off Terminal/SSH and SFTP services and other services you do not use, and
- Make regular backups and ensure backups are up to date
The attacks primarily affect internet-exposed ASUSTOR NAS models running ADM operating systems including, but not limited to, AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T.
Much like the intrusions targeting QNAP NAS devices, the threat actors claim to be using a zero-day vulnerability to encrypt ASUSTOR NAS devices, demanding that victims pay 0.03 bitcoins (~$1,150) to recover access.
The ransomware operators, in a separate message for ASUSTOR, said they're willing to share details of the flaw should the company make a bitcoin payment of 7.5BTC, in addition to selling the universal decryption key for a total payment of 50BTC.
Exact details of the security vulnerability used is not clear, but it's suspected that the attack vector relates to a flaw in the EZ Connect feature that allows remote access to the NAS devices, as the company has urged to disable the functionality as a preventive measure.
Users who have their NAS devices already compromised with the ransomware are advised to follow the below steps –
- Unplug the Ethernet network cable
- Safely shut down your NAS by pressing and holding the power button for three seconds
- Do not initialize your NAS as this will erase your data, and
- Fill out the form here