Getting Your Asustor NAS System Up and Running Again After Ransomware Attack
It has now been a few days since the initial Deadbolt ransomware attack on Asustor NAS systems. Although full recovery is still not an option for a lot of users (without having to take the agonizing step of paying the group for an encryption key – gah!), users, the Linux community and Asustor have taken steps to mitigate some of the damage for some and, for those unaffected, to allow them to use their systems with a little more confidence and comfort. Below are some instructions that will be of use to users who are currently in the following situations with their Asustor NAS:
- When the encryption/attack first started (or you first noticed the NAS activity) you powered down your system abruptly and your NAS now shows as ‘Uninitialized’
- You have the Asustor NAS working, but are being greeted by the black Deadbolt threat screen that you want to navigate around WITHOUT using SSH/command line
- You are in either of the above two positions AND you have snapshots or a MyArchive routine set up on your NAS
If any of those three setups are how you would describe the position that you/your Asustor NAS is currently in, then you may well find this guide useful. However, DO remember that you are still dealing with your data and although this guide has been provided for the most part by the brand themselves (with additions by myself – Robbie), you should immediately have a backup of your data (even if it’s encrypted, in case of a system failure etc.) and/or an external drive ready to move any/all data over to.
If you caught the ransomware encryption early, then you might still have a good % of your data still OK. Observing numerous affected machines has shown us that the encryption/changes begin at the system level (i.e. so it can change the index screen, renaming, etc.), so in some cases people have reported that they caught it in time for some data to have been RENAMED (i.e. the .deadbolt prefix that is affecting access or older structure in some cases) but not actually encrypted.
So, this guide is about getting you into a position to access your Asustor NAS GUI and see whatever state your data is in. After that, you may still have no option but to format your system, wait for any kind of brand/community recovery method or (and I do not say this lightly, as the thought of continuing this kind of behaviour is disgusting) pay the ransom to get your data back. I appreciate that this is S&!T but some business users might have little choice. Let’s discuss access recovery options. If you are unaware of everything that has occurred with Asustor and the Deadbolt ransomware, you can watch the attached video below:
Asustor NAS – How to Get Your NAS Running Again If It Is Saying Uninitialized
If you powered down your NAS abruptly when you saw the black threat screen OR unusual activity on your NAS (either by pulling the power cord or holding the power button for 5-10 seconds), then chances are that, as the encryption hits the system files first and was in progress, your NAS is now showing as ‘uninitialized’. This is because the system software is now corrupted. Yesterday Asustor released a new firmware update that closed the vulnerability (they claim, I have not verified personally yet). So, the following steps in the guide, using the client desktop software Control Center and an internet connection (this can be just on your PC/Mac, and you can connect directly to your Asustor if you choose), will allow you to access your NAS login GUI.
If you have shut down before, please connect to a network. If you enter the initialization page, please follow the instructions below to update your NAS:
- If you enter the initialization page and have an Internet connection, please press Next.
- Please click Live update and then click Next.
- If you’re on the initialization screen and not connected to the Internet, please download ADM from ASUSTOR Downloads to your computer.
- Once done, manually update ADM by uploading the ADM image file from your computer as shown below.
- Please press Next.
- After the update has completed, you’ll be able to return to ADM.
Asustor NAS – If You Are Still Seeing the Black Threat Deadbolt Ransomware Screen
If you have access to your NAS drive BUT are faced with the black threat login screen that replaced the previous one AND have followed the previous steps to install the latest firmware, the next three steps should allow you to navigate AROUND this and remove it entirely.
If the ransomware page remains after you connect to a network:
- Please turn off your NAS, remove all hard drives and reboot.
- When the initialization page appears, reinsert the hard drives.
- Please follow the instructions above to update your NAS.
Asustor NAS – How to Restore Data with Snapshots, MyArchive Backups or Mirrored Volumes
Now, the next step is not going to be an option for everyone. Once you have logged in and assessed the extent of the file damage by encryption (e.g. % of files affected, are they encrypted completely OR just renamed? etc.), the following steps will be of use to those of you who are running a BTRFS setup and have set up snapshots and/or the MyArchive backup/sync storage service. This part of the guide also includes the means to install a ransomware tool that (I know, ANNOYINGLY) gives you access BACK to the black encryption entry screen. So if you have no choice (I am not judging you, the importance of your data is your call) and are going to choose to pay the ransom as it is going to cost you less than not retrieving your data, then you can use this ‘ransomware status’ tool to gain access back to the payment screen and encryption key window, which ultimately allows you to pay the hackers. Again, it’s your call.
If you want to restore data and you have more than one volume installed on your NAS, use MyArchive drives, or have previously made Btrfs snapshots, please refer to the following instructions below. Restore all backups that you may have. Alternatively, if you have Btrfs snapshots, use Snapshot Center to restore previous versions of files and erase changes done by ransomware.
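To put numbers on the question raised above (what % of files is affected, and are they encrypted or just renamed?), here is a read-only triage script. It is an added example, not part of the original guide or of Asustor's tooling. It assumes affected files have .deadbolt appended to their name, uses an assumed entropy cut-off of 7.2 bits per byte, and is meant to be pointed at a mounted share or a copy of the data.

```python
import math
import os
from collections import Counter

MARKER = ".deadbolt"   # assumption: appended to the original file name
# Leading signatures of common formats. Compressed formats are high-entropy
# even when intact, so they are recognised by signature rather than entropy.
MAGIC = (b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"GIF8",
         b"\x1f\x8b", b"ID3", b"Rar!", b"7z\xbc\xaf")
ENTROPY_LIMIT = 7.2    # bits/byte; assumed cut-off, ciphertext sits near 8.0
MIN_SAMPLE = 256       # below this size, entropy says too little to judge

def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample: int = 65536) -> str:
    """Label one marked file by inspecting its first bytes (never writes)."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(MAGIC):
        return "renamed_only"          # original header is still intact
    if len(head) < MIN_SAMPLE:
        return "undetermined"          # too small to measure reliably
    return "renamed_only" if entropy(head) < ENTROPY_LIMIT else "likely_encrypted"

def triage(root: str) -> Counter:
    """Walk root and count unmarked files and each class of marked file."""
    counts = Counter()
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(MARKER):
                counts[classify(os.path.join(folder, name))] += 1
            else:
                counts["unmarked"] += 1
    return counts

if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    total = sum(result.values()) or 1
    for label, count in sorted(result.items()):
        print(f"{label:17} {count:8}  {100 * count / total:5.1f}%")
```

Compressed formats outside the short signature list will be counted as likely_encrypted, so treat that figure as an upper bound and confirm a renamed_only result by opening a copy of the file with the marker removed from the copy's name.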
If regular backups were not kept and you want to enter the decryption key to retrieve lost data:
- Please download and install Ransomware Status by sideloading it into App Central.
- Confirm details and press Install.
- Wait for installation to complete.
- Reload the webpage to enter the ransomware screen again. You’ll be able to enter the decryption key.
- If you want to return to ADM, you can do this in one of three ways: you can add backup.cgi after /portal/ in the address bar of your browser, you can hold the power button for three seconds to shut your NAS down and turn it on again, or you may use ASUSTOR Control Center or AiMaster to restart your NAS.
- Afterwards, it is imperative to uninstall Ransomware Status from App Central.