
Quick Security-LegendaryDisk Security-DiskStation Security Ransomware


46 replies to this topic

#31 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 February 2024 - 08:56 AM

I've been hacked, the text of the rescue note is this: 

"Hello
This is DiskStation Security......

Anyone knows what ransomware is?

 

 
Yes and I have merged your topic into the primary support topic for victims of this ransomware.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


 


#32 tharphym


Posted 22 February 2024 - 10:43 AM

Unfortunately, my Synology NAS has also been affected by DiskStation Security ransomware.

At some point, the entire database was deleted, leaving only the !!!!README!!!!.txt ransom note.

Apart from paying them in Bitcoin, does anyone have any methods to resolve this?

For instance, is it possible to recover the deleted data from the hard drive?


Edited by tharphym, 22 February 2024 - 10:44 AM.


#33 quietman7


Posted 22 February 2024 - 10:53 AM

When dealing with ransomware, in some cases the use of file recovery software or JpegMedic ARWE may be helpful to recover (not decrypt) some of your original files but there is no guarantee that it will be successful. However, it never hurts to try in case the malware did not do what it was supposed to do. It is not uncommon for ransomware infections to sometimes fail to encrypt all data, fail to leave ransom notes, fail to delete all shadow copy snapshots, fail to add an extension, add an extension but fail to encrypt files, especially if the encryption process encountered encryption glitches, involved shoddy malware programming code, was hindered by installed security software or was interrupted by the victim (i.e. shutting down the computer).

In other cases the ransomware may only partially encrypt a file (first so many KB's at the beginning and/or end especially if it is very large). Since only parts of the file may actually be encrypted, data recovery software sometimes works to recover partial files with certain ransomware infections but does not work with those which overwrite data. However, partial (intermittent) encryption often results in file corruption and renders the encrypted data useless since the encryption is usually irreversible for these files...the encryption code overwrites part of the file with the encrypted data of another part and there is no way to restore the overwritten data.
 
With some other types of ransomware, it is even possible to manually recover/reconstruct (file repair) certain file formats (i.e. .JPG and audio/video files) since the malware only encrypts 150KB of the file as explained here by Demonslay335. 
 
Although it never hurts to try this approach, in the end most victims may have no choice but to backup/save encrypted data as is and wait for a possible solution at a later time.




#34 tharphym


Posted 22 February 2024 - 11:42 AM

Thank you for the response. It seems I can only hope that file recovery software can salvage some of the data.

 




#35 quietman7


Posted 22 February 2024 - 03:07 PM

You're welcome and good luck.




#36 whoeva


Posted 12 April 2024 - 08:17 AM

Thank you quietman7 for referring me to this topic.

 

I've asked Synology what to do, they said they encourage me "to check with data rescue companies within your local area and see if they have other professional opinions."

 

I've contacted a rescue company and they said they have cases like this every day and they had good chances to rescue some data. I told them that I've asked in a forum (here) and was told that only the attacker is able to encrypt the data, but they said the chances are good anyway.

 

What do you guys think, could a professional rescue company rescue some of my data?

 

Thanks



#37 quietman7


Posted 12 April 2024 - 09:06 AM


 
Bleeping Computer cannot vouch for those who claim they can decrypt data or help in other ways. We have no way of knowing the background, expertise and motives of all companies or individuals who indicate decryption is possible. 
 
Data recovery services typically act as a "middleman", pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Others hide the actual ransom cost from clients and mark the cost up exponentially as noted here. Many of them instruct victims to submit one or two limited size files for free decryption as proof they can decrypt the files with claims of 100% guaranteed success, collect the victim's money and are never heard from again. The criminals behind creating and spreading ransomware do the same.
 
Connecticut-based Coveware CEO Bill Siegel refers to such data recovery services as "ransomware payment mills". Please read my comments in this topic (Post #675) for information as to what we know about those who claim they can decrypt data including using and paying data recovery services.

We advise everyone to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money or paying a fee to anyone. 




#38 Bokerss


Posted 13 April 2024 - 11:00 AM


First of all, if you are considering using professional data recovery services, please make sure that:
1. You've been informed of the price, totally.
2. See their profile or website, and ask for their portfolio or work documentation.
3. DON'T PAY ANYTHING UPFRONT, even for $10, because so many scammers ask for a checking fee or whatsoever to be paid upfront.
4. See their Google reviews or product, and see their reviews. Check and see their organic reviews. There's a huge chance you get scammed if they use paid reviews, or worse, if there are no reviews at all.
5. Last but not least, use your common sense.

 



#39 whoeva


Posted 13 April 2024 - 12:09 PM

Thank you very much quietman7 and Bokerss.

 

The Google and Trustpilot reviews of a company I'm checking look very good.

But the first time I've called them, they didn't even want to know anything about the .txt file left on the drives of the NAS. That makes me sceptical.

They said they have these cases every day and I have chances to get my data back.

 

Later I sent them the file. They said they have checked it and recommend me to try to rescue with them.

 

I will see what I do.



#40 quietman7


Posted 13 April 2024 - 01:18 PM

You're welcome and good luck.




#41 shadooo


Posted 15 April 2024 - 06:34 AM

Bad news. If you want your data you will have to negotiate with the hackers. The encryption in 7zip is robust and the password is long, meaning it is impossible to break the encryption. It would be interesting to know what version of the Synology DSM they were on when they were hacked.

 

Mind sharing how complex the password was? I know you say it's impossible, but I'm interested in how many characters and what character types were used in the password. Might be possibly vulnerable to a plain-text attack?



#42 whoeva


Posted 15 April 2024 - 06:53 AM

I am scanning my Synology NAS over Network with "EaseUS Data Recovery Wizard" (Trial) at the moment.

It has just started but it's finding lots of data!

 

So if you maybe haven't tried that shadooo, maybe you should. There are many tools out there for that.

 

I have not tried to restore yet, but when I first partially scanned one drive of the NAS via USB, I could preview some videos and PDF, but many of them have lost their names, dates and folder structure.

 

Now I'm scanning over network and it looks much better with names, dates and folder structure, but I cannot preview.

 

I do not understand how this is possible when people here say that a NAS infected with "DiskStation Security" cannot be rescued without the decryption key... Am I lucky and my data was not encrypted, only invisible?



#43 quietman7


Posted 15 April 2024 - 02:50 PM

As I said previously, in some cases the use of file recovery software may be helpful to recover (not decrypt) some of your original files...no decryption key is needed to try this method. Data Recovery is a process of salvaging (retrieving) inaccessible, lost, deleted, corrupted, damaged or formatted data. Since the Windows NTFS file system saves the file description information, that makes it easier for recovery software to find these files using that information. Data Recovery uses complex algorithms that search for pieces (fragments) of recoverable information left on the hard drive in order to guess where the file was originally physically stored. The recovery program then attempts to put back together that information in a salvageable format. However, if the data has been overwritten, complete recovery cannot be guaranteed.

 

Although I have seen cases where victims have been successful with recovering some of their data with file recovery software, more often than not they are not successful. The use of file recovery software also sometimes works with partially encrypted files on certain ransomware infections but does not always work with those where the data has been overwritten.

 

With some other types of ransomware, it is even possible to manually recover/reconstruct (file repair) certain file formats (i.e. .JPG and audio/video files) since the malware only encrypts 150KB of the file as explained here by Demonslay335. 

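Added example (not part of the thread and not any poster's code): a read-only triage of files that recovery software brings back, separating files whose header is still recognisable from 7-Zip containers and from files whose first block looks random, as with the partial encryption described above. The 7.5 bits/byte threshold, the 4096-byte window and the label strings are assumptions, and the sample bytes are constructed.

```python
import hashlib
import math
from collections import Counter

# Well-known file signatures. The 7z signature stays in the clear even when
# the archive contents are password-protected.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf",
              b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}
HIGH_ENTROPY = 7.5  # bits per byte; assumed cut-off for "looks random"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes, tail: bytes) -> str:
    """Label a file from its first and last blocks (labels are hypothetical)."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):  # header survived; body still needs opening
            return "7z-archive" if kind == "7z" else f"header-intact:{kind}"
    head_random = entropy(head) >= HIGH_ENTROPY
    tail_random = entropy(tail) >= HIGH_ENTROPY
    if head_random and not tail_random:
        return "head-overwritten"         # consistent with partial encryption
    if head_random:
        return "high-entropy-throughout"  # encrypted, or compressed and unknown
    return "unrecognised-low-entropy"     # e.g. plain text or a very small file


def triage_file(path: str, window: int = 4096) -> str:
    """Read only the first and last `window` bytes; never writes to the file."""
    with open(path, "rb") as f:
        head = f.read(window)
        size = f.seek(0, 2)
        f.seek(max(0, size - window))
        return classify(head, f.read(window))


def noise(n: int) -> bytes:
    """Constructed stand-in for ciphertext: a deterministic SHA-256 stream."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


if __name__ == "__main__":
    text = b"plain text line\n" * 512  # constructed low-entropy sample
    print(classify(noise(4096), text[-4096:]))
    print(classify(b"\xff\xd8\xff\xe0" + noise(4092), noise(4096)))
```

Run it against a copy or image of the recovered data, not the original disks. High entropy alone does not prove encryption, because compressed media without a listed signature looks the same.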


#44 whoeva


Posted 15 April 2024 - 03:04 PM

Ok, I just didn't expect the software to find that many files, so I thought maybe in my case it's different.

 

Hopefully I'm lucky. It will take some time.



#45 quietman7


Posted 15 April 2024 - 03:22 PM

I'm not a ransomware forensic expert so I can't explain in more detail but I'm glad to hear that you are having success.






