router security after ransomware attack

whatsisname22
Dabbler
Posts: 13
Registered: ‎26-09-2019

router security after ransomware attack

Hi all, I was hit by a Phobos ransomware crypto virus yesterday, which I am pretty sure got in via a brute-force attack through a port forward rule for a remote desktop connection, despite a high-level randomly generated password for that connection.

I am dealing with the infection itself separately, and obviously have now closed all the ports that were forwarded on the router. My question is, has the router itself been compromised? Do I need to factory reset or change the admin login credentials?

w.
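
What the OP describes (password guessing against an RDP listener reached through a port forward) is visible on the Windows host itself: the Security log records each failed attempt as event 4625, from one source address, followed by a 4624 when a guess finally lands. Added example, not code from this thread or from Plusnet: a Python script that runs that detection over constructed sample records. The field names follow the 4625/4624 EventData fields (IpAddress, LogonType, TargetUserName); the addresses, usernames, timings and the threshold are assumptions made up for illustration.

```python
"""Spot RDP password guessing in Windows Security events 4625/4624.

Added example, not code from the forum thread or from Plusnet. The records in
build_sample_events() are constructed; the field names follow the Security log
EventData fields (IpAddress, LogonType, TargetUserName) but the addresses, users
and timings are made up.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id logon_type user source_ip")

# Logon types an RDP listener produces: 10 = RemoteInteractive; 3 = Network,
# which is how failures at the NLA (CredSSP) stage are usually recorded.
RDP_LOGON_TYPES = {3, 10}


def build_sample_events():
    """Constructed sample records (not real data)."""
    base = datetime(2019, 9, 25, 2, 14, 0)
    attacker = "203.0.113.77"  # assumed external address
    guessed = ["administrator", "admin", "user", "media", "backup"]
    events = []
    for i in range(30):  # 30 failures in three minutes: password guessing
        events.append(Event(base + timedelta(seconds=6 * i), 4625, 3,
                            guessed[i % len(guessed)], attacker))
    # the guess that landed: a successful RemoteInteractive logon from the same source
    events.append(Event(base + timedelta(minutes=4), 4624, 10, "media", attacker))
    # two stray failures from elsewhere: below any sensible threshold
    events.append(Event(base + timedelta(minutes=1), 4625, 3, "admin", "198.51.100.9"))
    events.append(Event(base + timedelta(minutes=9), 4625, 3, "admin", "198.51.100.9"))
    # the owner's phone on the LAN logging in normally
    events.append(Event(base + timedelta(minutes=20), 4624, 10, "media", "192.168.1.50"))
    return events


def max_failures_in_window(times, window):
    """Largest number of failures inside any span of length `window` (sliding window)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources whose RDP logon failures reach
    `threshold` within `window`. Both defaults are assumed values; tune per host."""
    failures = defaultdict(list)
    users_tried = defaultdict(set)
    for e in events:
        if e.event_id == 4625 and e.logon_type in RDP_LOGON_TYPES:
            failures[e.source_ip].append(e.time)
            users_tried[e.source_ip].add(e.user)
    flagged = {}
    for ip, times in failures.items():
        peak = max_failures_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = {"failures": len(times), "peak_in_window": peak,
                           "users_tried": sorted(users_tried[ip]),
                           "first": min(times), "last": max(times)}
    return flagged


def successes_after_bruteforce(events, flagged):
    """4624 logons from a flagged source after its guessing began: treat as compromise."""
    return [(e.source_ip, e.user, e.time) for e in events
            if e.event_id == 4624 and e.source_ip in flagged
            and e.time >= flagged[e.source_ip]["first"]]


if __name__ == "__main__":
    evs = build_sample_events()
    flagged = find_bruteforce(evs)
    for ip, s in flagged.items():
        print(f"{ip}: {s['failures']} failures ({s['peak_in_window']} in window), "
              f"users tried: {', '.join(s['users_tried'])}, {s['first']} .. {s['last']}")
    for ip, user, when in successes_after_bruteforce(evs, flagged):
        print(f"possible compromise: '{user}' logged on from {ip} at {when}")
```

The point for the OP's situation: a long random password lowers the odds that any single guess succeeds, but it does nothing to stop the guessing itself reaching the host, and a 4624 from the same source that has just produced a run of 4625s is the signal to act on. On a real machine the records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}` or from whatever forwards the Security log off the box.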
Mads
Plusnet Alumni (retired)
Posts: 1,873
Fixes: 79
Registered: ‎06-08-2018

Re: router security after ransomware attack

Hey @whatsisname22,

Thanks for getting in touch.

I'm really sorry to hear your router has been attacked by this virus.

I would suggest factory resetting the router for now. I've sent an email to our products team to find out more about whether your router has been compromised and what the next steps would be.

Thanks.

whatsisname22
Dabbler
Posts: 13
Registered: ‎26-09-2019

Re: router security after ransomware attack

Hi Mads, thanks for the reply. Will I be able to speak to someone tomorrow about this? I'm reluctant to even use the router until I know the score.

If I do reset, what information will I need to get up and running again? Just username and password?

Mads
Plusnet Alumni (retired)
Posts: 1,873
Fixes: 79
Registered: ‎06-08-2018

Re: router security after ransomware attack

No worries @whatsisname22.

It can take up to 24-48 hours sometimes for a response, but I'll chase it for you tomorrow when I get in at 13:30.

That's correct.

Thanks.

whatsisname22
Dabbler
Posts: 13
Registered: ‎26-09-2019

Re: router security after ransomware attack

OK, great, thanks Mads.

Menace65
Aspiring Pro
Posts: 199
Thanks: 38
Fixes: 4
Registered: ‎03-09-2018

Re: router security after ransomware attack

Turn off remote desktop connection.
whatsisname22
Dabbler
Posts: 13
Registered: ‎26-09-2019

Re: router security after ransomware attack

Yes, for sure, I will turn off remote desktop access from outside my home network. I access my media server machine via remote desktop from my Android on my home LAN, as it's not got a monitor. Using remote desktop in this way, i.e. exclusively within the home LAN, should be OK, shouldn't it?

I did have a port forward set up for remote desktop from outside the home LAN, with a huge password created by a true random password generator. I thought that was OK. Clearly I was mistaken.

Anonymous
Not applicable

Re: router security after ransomware attack

Out of curiosity @whatsisname22 what length of password were you using?

Anonymous
Not applicable

Re: router security after ransomware attack

I suggest logging into the Plusnet "Member Centre" and then setting Plusnet's network-level "Broadband Firewall" to the "High" setting, to stop ALL externally initiated network sessions from reaching your WAN connection, at least until you are sure that your router is safe again.

I'd also ensure in your home router configuration that "UPnP" is DISABLED, to prevent anything on your LAN silently opening port forwards on your router's firewall.

MasterOfReality
Plusnet Alumni (retired)
Posts: 1,640
Fixes: 57
Registered: ‎26-03-2018

Re: router security after ransomware attack

Hi @whatsisname22

I've managed to get in touch with one of the products team internally (though, it's just my luck that the only one I managed to get hold of is a Fixed Line guru, rather than a Router Security wizard).

All the same, they have said that they are going to pass this across to the correct person to look into, so I would expect either someone to reply on here or to send me some info (in which case I will update the thread again).

Hold tight and I'm sure we will get back in touch soon.

Thanks,

MoR

MasterOfReality
Plusnet Alumni (retired)
Posts: 1,640
Fixes: 57
Registered: ‎26-03-2018

Re: router security after ransomware attack

Hi @whatsisname22

We have had this reply from Products:

"This customer’s router is highly unlikely to be compromised, and any port forwarding/local network access the virus/malware was granted is likely to have been the result of UPnP rather than an explicit port forward.

A factory reset will wipe the memory/config and there’s no method I’m aware of that would result in anything nasty lingering after doing so.

All of this is irrelevant though if the customer still has infected machines that they plan on connecting to the router."

I hope it gives you some peace of mind - have you performed a reset as of yet?

Thanks, 

MoR
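
The Anonymous poster's advice to disable UPnP and the Products team's view that the opening was "likely the result of UPnP rather than an explicit port forward" come down to the same question: what mappings is the router actually holding right now? A UPnP IGD router answers that through the WANIPConnection GetGenericPortMappingEntry action, walked index by index until it returns fault 713, and the same unauthenticated interface is what any LAN device uses to add or remove a mapping without the admin being told. Added example, not code from this thread or from Plusnet: a Python script that builds those requests, parses the replies and flags exposed services. The SOAP action names and fields are the real IGD ones; the gateway address, control URL, the send stand-in and the canned replies are assumptions so that the audit runs offline. On a real router the control URL comes from the device description XML discovered over SSDP, and send would be an HTTP POST carrying the SOAPAction header.

```python
"""Enumerate and audit the port mappings a UPnP IGD router is holding.

Added example, not code from the forum thread or from Plusnet. The SOAP actions
(WANIPConnection:1 GetGenericPortMappingEntry / DeletePortMapping) are the real
IGD ones; the gateway address, control URL and the canned replies are assumed so
the audit runs offline.
"""
import re

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumed control URL. On a real router it is read from the device description
# XML advertised over SSDP, not taken from a fixed path.
CONTROL_URL = "http://192.168.1.254:1900/upnp/control/WANIPConn1"

# Internal ports whose exposure to the internet is worth a finding on its own.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 5900: "VNC", 23: "Telnet", 22: "SSH"}


def soap_envelope(action, args):
    """SOAP body for one IGD action; the matching SOAPAction header is SERVICE#action."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{SERVICE}">{body}</u:{action}></s:Body></s:Envelope>')


def get_mapping_request(index):
    return soap_envelope("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})


def delete_mapping_request(external_port, protocol):
    """The same unauthenticated call any LAN client can make to add or remove a mapping."""
    return soap_envelope("DeletePortMapping", {"NewRemoteHost": "",
                         "NewExternalPort": external_port, "NewProtocol": protocol})


def parse_mapping(xml):
    """Dict for a GetGenericPortMappingEntryResponse; None for the 713 fault
    (SpecifiedArrayIndexInvalid) the router returns once the index runs off the table."""
    if "<errorCode>713</errorCode>" in xml:
        return None

    def field(name):
        m = re.search(rf"<{name}>(.*?)</{name}>", xml, re.S)
        return m.group(1).strip() if m else ""

    return {"external_port": int(field("NewExternalPort")),
            "protocol": field("NewProtocol"),
            "internal_client": field("NewInternalClient"),
            "internal_port": int(field("NewInternalPort")),
            "description": field("NewPortMappingDescription"),
            "enabled": field("NewEnabled") == "1",
            "lease": int(field("NewLeaseDuration") or 0)}


def enumerate_mappings(send):
    """Walk indexes 0, 1, 2, ... until the router faults. `send(url, soap_action, body)`
    returns the reply XML; it is injected so the walk can run against canned data."""
    mappings, index = [], 0
    while True:
        entry = parse_mapping(send(CONTROL_URL, f"{SERVICE}#GetGenericPortMappingEntry",
                                   get_mapping_request(index)))
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def audit(mappings):
    """One finding per enabled mapping that exposes a service listed in RISKY_PORTS."""
    findings = []
    for m in mappings:
        if not m["enabled"] or m["internal_port"] not in RISKY_PORTS:
            continue
        lease = "permanent" if m["lease"] == 0 else f"{m['lease']}s lease"
        findings.append(f"{RISKY_PORTS[m['internal_port']]} on {m['internal_client']} reachable "
                        f"via external {m['protocol']}/{m['external_port']} "
                        f"({m['description'] or 'no description'}, {lease})")
    return findings


def _reply(ext, proto, host, intp, desc, lease=0):
    """Constructed reply in the shape an IGD returns for one table entry."""
    return (f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{intp}</NewInternalPort>'
            f'<NewInternalClient>{host}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>')


# Constructed table: an RDP forward, a torrent client's own short-lived mapping, and
# an unnamed SMB mapping nobody remembers adding. Index 3 is the end-of-table fault.
SAMPLE_REPLIES = [
    _reply(3389, "TCP", "192.168.1.20", 3389, "Remote Desktop"),
    _reply(6881, "UDP", "192.168.1.31", 6881, "uTorrent", lease=3600),
    _reply(445, "TCP", "192.168.1.20", 445, ""),
    "<s:Fault><detail><UPnPError><errorCode>713</errorCode>"
    "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail></s:Fault>",
]


def canned_send(url, soap_action, body):
    """Stand-in for the HTTP POST to the control URL: answers by the requested index."""
    index = int(re.search(r"<NewPortMappingIndex>(\d+)</NewPortMappingIndex>", body).group(1))
    return SAMPLE_REPLIES[min(index, len(SAMPLE_REPLIES) - 1)]


if __name__ == "__main__":
    table = enumerate_mappings(canned_send)
    print(f"{len(table)} mappings on the gateway")
    for finding in audit(table):
        print("FINDING:", finding)
```

Two things to read off the result: a mapping with no description and a permanent lease is exactly what an explicit forward or a silent UPnP request from a LAN machine leaves behind, and nothing in the protocol records which client asked for it. Whether the forward was explicit (the OP's) or UPnP-created (the Products team's guess), disabling UPnP and raising the ISP-side firewall, as the Anonymous poster suggests, closes both routes until the router is known clean.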

Baldrick1
Moderator
Posts: 11,779
Thanks: 5,235
Fixes: 420
Registered: ‎30-06-2016

Re: router security after ransomware attack

@MasterOfReality 

Is the Hub One default condition for UPnP the same as for the Smarthub, that is, set to On after a factory reset? If so, should the OP (and in my opinion every other user, unless they really need it) be advised to turn it off?


MasterOfReality
Plusnet Alumni (retired)
Posts: 1,640
Fixes: 57
Registered: ‎26-03-2018

Re: router security after ransomware attack

Hi @Baldrick1

I can't answer this right off the bat, I'm afraid. I'll reply to products asking for clarity on whether UPnP is set to On after a reset.

Thanks,

MoR

MasterOfReality
Plusnet Alumni (retired)
Posts: 1,640
Fixes: 57
Registered: ‎26-03-2018

Re: router security after ransomware attack

@Baldrick1 - I got a reply quick sharp:

"UPnP will be on by default with extended security enabled, and this is how I would recommend it is left for most customers"

Thanks,

MoR

Baldrick1
Moderator
Posts: 11,779
Thanks: 5,235
Fixes: 420
Registered: ‎30-06-2016

Re: router security after ransomware attack

I guess that this recommendation is to make the router as simple to use as possible for the average user. I will keep mine switched off: https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/
