Qweuirtksd ransomware; is decrypting possible?

Although all machines are clean as determined by Eset NOD32, my NAS has many files encrypted and with this Qweuirtksd suffix, as well as a copy of the ransom note in each of the affected folders. Eset has since found no threats in the whole NAS (connected locally, no external connection) despite all the encrypted files and ransom notes.

I’m not sure how this ‘worm’(?) gained access but it would seem that it was either a brute-force attack on one of the remote logins before setting up a hidden user or a built-in back-door (a user ‘nobody’ is shown as file owner). The device is a D-Link DNS-320, set up as RAID 1 with a pair of 2Tb Disks.

I’ve since set up MAC Address filtering on my router so in principle they shouldn’t be able to re-start the encryption process from an external machine.

Three questions really;

  1. is decryption possible?
  2. I can’t see an option on the NAS to exclude external access, have I done enough?
  3. is it possible that the encryption ‘process’ is actually running on the NAS itself?

ID Ransomware >> https://id-ransomware.malwarehunterteam.com/

No More Ransom >> https://www.nomoreransom.org/no/index.html

  1. You will have to wait for someone to make a decryption tool.
  2. I doubt it. However, it is possible that the ransomware exploited a security flaw in the NAS firmware, but there would be at least one PC with encrypted files.