HR (NAS) Ransomware (.hr; RANSOM_NOTE.txt) Support Topic


33 replies to this topic

#1 fonotel


Posted 04 March 2020 - 09:01 AM

Hi.

Can anybody help me? My device is a Zyxel NAS326. Extension: .hr.hr.hr. I uploaded a file and the ransom note.

Best regards




#2 fonotel


Posted 04 March 2020 - 09:08 AM

My files : https://www102.zippyshare.com/v/0MPA6M2S/file.html



#3 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 04 March 2020 - 10:47 AM

Please provide a link to the ID Ransomware results. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 (Michael Gillespie) to manually inspect the files and check for possible file markers.

 

Can you provide (copy & paste) the ransom note contents here?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Please attach in your next reply or upload the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) to the following third-party file hosting service and provide a link or send a PM with a link to Amigo-A (Andrew Ivanov) so he can manually inspect them.



It is best to compress large files before sharing. When the file has been uploaded, you will see a screen stating that the upload was successful. Right-click on the filename link, select Copy Shortcut and paste the link in your next reply.



 


Microsoft MVP Alumni 2023
Windows Insider MVP 2017-2020
Microsoft MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#4 Metalheadx1982


Posted 04 March 2020 - 06:22 PM

Somehow this same ransomware hit my Zyxel NAS526 at about 10:30 am this morning while I was at work. What is the best method to isolate, locate and remove this virus so it doesn't get into any of my networked computers? Also, however they got in, they used the unixuser/root account. I am not sure how to remove this account, as it is not a shown user in my NAS user management console. Any help would be greatly appreciated.



#5 Amigo-A

Security specialist and Ransomware expert

Posted 05 March 2020 - 01:21 AM

Metalheadx1982

Maybe this is a NAS326?

---

fonotel,

Metalheadx1982,

You need to go to the support center for your device and check the status and updates.

https://www.zyxel.com/support/support_landing.shtml

https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-00038&md=NAS326

 

---

 

If I understood correctly, only your Zyxel NAS326 was attacked. This did not apply to a personal computer?
Are PCs and other devices connected to the Zyxel NAS326?

Edited by Amigo-A, 05 March 2020 - 10:30 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#6 fonotel


Posted 05 March 2020 - 01:22 AM

> Please provide a link to the ID Ransomware results. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 (Michael Gillespie) to manually inspect the files and check for possible file markers.
>
> Can you provide (copy & paste) the ransom note contents here?
> Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?
>
> Please attach in your next reply or upload the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) to the following third-party file hosting service and provide a link or send a PM with a link to Amigo-A (Andrew Ivanov) so he can manually inspect them.
>
> It is best to compress large files before sharing. When the file has been uploaded, you will see a screen stating that the upload was successful. Right-click on the filename link, select Copy Shortcut and paste the link in your next reply.



 

Hi.

ID Ransomware says Kirk. I searched Kirk, but my file extension is not .kirk.

 

RANSOM_NOTE

 
The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to letsgetyourfileback@protonmail.com .send this id as content of email : 1mk8hjkn2old3
   We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
   IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
WARNING:
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send "PAID" button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.
 
Email: letsgetyourfileback@protonmail.com
I sent it to Amigo-A.
 
Thanks for all


#7 fonotel


Posted 05 March 2020 - 01:25 AM

 

> You need to go to the support center of your device, check the status and updates.
>
> https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-00038&md=NSA526
>
> ---
>
> If I understood correctly, only your Zyxel NAS526 was attacked. This did not apply to a personal computer?
> Are PCs and other devices connected to the Zyxel NAS526?

Yes, only the NAS device.



#8 Amigo-A

Security specialist and Ransomware expert

Posted 05 March 2020 - 01:33 AM

So far this is the first attack by this ransomware. I can make a description according to your data. This will not solve the problem, but it will redirect other victims to this topic.

You also need to send an application to Zyxel. They know their devices and their weaknesses.

Edited by Amigo-A, 05 March 2020 - 10:35 AM.


 


#9 Metalheadx1982


Posted 05 March 2020 - 02:15 AM

That is correct; as of now only my NAS has been affected. I am kinda curious how they were able to exploit and compromise my NAS, especially using the root account, as I didn't have it enabled.

 

 

 



#10 BFAofSuspect


Posted 05 March 2020 - 03:13 AM

I have the same problem. My NAS326 was attacked through the web panel. It was possible because of a bug in Zyxel firmware (typing 2 special characters in the login field was giving access, with root privileges, without knowledge of the username and password).

I think it is a brand new ransomware (I hadn't found any article about encrypted files with the .hr extension until yesterday). All files are 77 bytes in size. So... the only thing we can do now is wait (and pray) and believe in Amigo-A's skills :) :)


Edited by BFAofSuspect, 05 March 2020 - 04:49 AM.


#11 Amigo-A

Security specialist and Ransomware expert

Posted 05 March 2020 - 08:49 AM

Metalheadx1982,
BFAofSuspect,

The topic starter provided a file with three .hr extensions.
Do you have only one .hr extension?
Are there any differences in the note from the extortionists?

Edited by Amigo-A, 05 March 2020 - 10:32 AM.


 


#12 Amigo-A

Security specialist and Ransomware expert

Posted 05 March 2020 - 10:15 AM

In the note, the extortionists admitted that they had already attacked these devices earlier, when they said:
WARNING:
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.


 


#13 Amigo-A

Security specialist and Ransomware expert

Posted 05 March 2020 - 10:18 AM

On the forum, we have already seen several other ransomware for NAS devices. This recognition may link them directly or indirectly.



 


#14 BFAofSuspect


Posted 05 March 2020 - 12:20 PM

 

> Metalheadx1982,
> BFAofSuspect,
>
> The topic starter provided a file with three .hr extensions.
> Do you have only one .hr extension?
> Are there any differences in the note from the extortionists?

I have a single .hr after the file name. And here is a screenshot of the directory structure and the attacker's message:

https://ibb.co/2M24qYg

And I'm angry at ZYXEL's behaviour: they have their cloud users' e-mail database and they did ABSOLUTELY NOTHING to inform users of their devices (one small e-mail would be enough) about an absolutely CRITICAL 0-day vulnerability...


Edited by BFAofSuspect, 05 March 2020 - 01:13 PM.


#15 Amigo-A

Security specialist and Ransomware expert

Posted 05 March 2020 - 01:35 PM

OK.

I compared three notes that different users uploaded here.

All have the same BTC wallet, the same sum of 0.1130, the same e-mail address and the same ID: 1mk8hjkn2old3

Presumably, this is no accident. How will they define whose information is where? No, they will not define it.

If only at the network address of each device or otherwise.

HR Ransomware - my article in Digest

The first case is dated March 4 at 4 a.m.


Edited by Amigo-A, 05 March 2020 - 02:03 PM.

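An added triage script for the situation described in this thread (example code, not posted by anyone here): it walks a share, counts files carrying one or more stacked .hr suffixes, checks whether they all have a single size (BFAofSuspect reports 77 bytes), and pulls the wallet, amount, e-mail address and ID out of RANSOM_NOTE.txt so notes from different victims can be compared the way Amigo-A did. The directory layout and the 77-byte stub contents are constructed; the sample note reuses only identifiers already quoted above, and the function names are my own.

```python
import os, re, tempfile

NOTE_NAME = "RANSOM_NOTE.txt"  # note filename reported by the victims above
SAMPLE_NOTE = (  # constructed from identifiers already quoted in this thread
    "1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX\n"
    "2. Once payment has been completed, send email to letsgetyourfileback@protonmail.com "
    ".send this id as content of email : 1mk8hjkn2old3\n")
NOTE_PATTERNS = {"btc_amount": r"([0-9]+\.[0-9]+)\s*BTC",
                 "wallet": r"\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b",
                 "email": r"([\w.+-]+@[\w-]+\.[\w.-]+)",
                 "victim_id": r"id as content of email\s*:\s*(\S+)"}

def strip_hr_suffixes(name):
    """Return (name without trailing '.hr' suffixes, number stacked)."""
    count = 0
    while name.lower().endswith(".hr"):
        name, count = name[:-3], count + 1
    return name, count

def parse_ransom_note(text):
    """Identifiers worth comparing across victims' notes; None if absent."""
    found = {k: re.search(p, text) for k, p in NOTE_PATTERNS.items()}
    return {k: m.group(1) if m else None for k, m in found.items()}

def triage(root):
    """Walk root: count renamed files, check size uniformity, parse the note."""
    sizes, count, max_stack, note = set(), 0, 0, None
    for dirpath, _, files in os.walk(root):
        for f in files:
            path, (_, n) = os.path.join(dirpath, f), strip_hr_suffixes(f)
            if f == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    note = parse_ransom_note(fh.read())
            elif n:  # only files the ransomware renamed
                count, max_stack = count + 1, max(max_stack, n)
                sizes.add(os.path.getsize(path))
    return {"encrypted_files": count, "max_hr_stack": max_stack,
            "uniform_size": sizes.pop() if len(sizes) == 1 else None,
            "note": note}

def build_fixture():
    # Throwaway tree mimicking a hit share; "X" * 77 stands in for ciphertext.
    root = tempfile.mkdtemp(prefix="hr_triage_")
    os.mkdir(os.path.join(root, "photos"))
    files = {"photos/a.jpg.hr.hr.hr": b"X" * 77, "b.docx.hr": b"X" * 77,
             "untouched.txt": b"not renamed", NOTE_NAME: SAMPLE_NOTE.encode()}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Point `triage()` at a copy of the affected share rather than the live NAS so the evidence stays untouched; a `uniform_size` of 77 alongside stacked suffixes matches what the posters above describe.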

 




