If you’re the owner of a Western Digital My Book Live network-attached storage (NAS) device, then you should maybe definitely unplug it or risk losing all your data. The WD My Book is a NAS device, which means it’s an external hard drive that’s always on and connects to an internet-accessible network. Think of it as a personal cloud device and you’re most of the way there.
Bleeping Computer first reported that some device owners around the world have found theirs wiped clean. They also could not gain access to the device via online login.
“I have a WD My Book live connected to my home LAN and [it] worked fine for years. I have just found that somehow all the data on it is gone,” a WD My Book owner reported on the Western Digital Community Forums.
Western Digital asks to please stop shouting at them (probably)
Another user on the community forum posted their findings from the devices log file.
“I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
If that looks like a foreign language to you, all it shows is that this device was issued a remote factory reset command. Unlike other sorts of devices, the WD My Book is (supposedly) protected behind a firewall and use the My Book Live cloud service to allow users to connect.
If these servers were compromised it would explain how so many devices across the globe were affected but, so far, no one has received any kind of ransom note. So either the attacker (if there even is one) is new to this whole attacking thing and messed up, or they just want to watch the world burn.
Western Digital doesn’t believe that their servers were compromised. The company told Bleeping Computer that they were actively investigating the situation but did not believe the attacks occurred from an exploit on their servers, but rather that some users had their accounts compromised. The company has issued a statement about the occurrences.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.”
This statement doesn’t really help much. With no word yet on if user data will be recoverable — we highly doubt it — and no explanation as to how a piece of malware could affect so many different people all over the world at roughly the same time, WD seems to have a problem on their hands.
For now, it’s probably best to do what they say and unplug your device, because what else can you do? If we learn anything more on this we’ll be sure to update you.