Disconnect your WD My Book Live or risk a full disk wipe
Backups are important, but what if your backup inexplicably goes up in smoke? That is apparently what several WD My Book Live users were facing: owners reported that they found their disks wiped all of a sudden. Western Digital has not sent any updates to the drives since 2015, so it isn’t a wonky firmware update either.
The mysterious disk wipes were allegedly due to the drives being compromised by malicious software. The WD My Book Live is a NAS device that connects via LAN, so most of them are also connected to the Internet through their routers, which allows users to access their files from the web. However, without any updates, there may have been some vulnerabilities that didn’t get patched, resulting in compromised WD My Book Live devices out there.
Western Digital has shared this update on their community:
Western Digital has determined that some WD My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The WD My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your WD My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.
Basically all you can do now is to disconnect your WD My Book Live from the Internet to avoid getting compromised. It isn’t clear if Western Digital will be releasing an update to patch the vulnerability. Some further sleuthing by users apparently discovered that WD may have been aware of the vulnerability, and that it could be triggered by something as simple as knowing the IP address of the affected device.
On top of losing their data, users are also finding that they are unable to log in to their WD My Book Live from the web dashboard. One thing worth noting is that this isn’t a ransom attack, as there has been no ransom demand yet. Instead it seems that someone just wanted to wreak havoc. Attackers apparently sent out a trojan file named “.nttpd,1-ppc-be-t1-z” that works on the My Book Live and Live Duo.
Currently it appears that affected users could recover most of their data with tools like the PhotoRec file recovery tool, which means that you should be able to see success with tools like EaseUS Recovery Wizard.
Pokdepinion: Now I have to do backups of backups?