QLocker batch decrypt command/script (I have the decrypt key)
-
- New here
- Posts: 5
- Joined: Tue Apr 27, 2021 9:20 pm
QLocker batch decrypt command/script (I have the decrypt key)
Hi guys - first post which is probably going to be common with the recent events.
Anyway I have the decrypt key but have over 20TB of data to get through. I don't have enough space to extract so was wondering if there is a batch command/script to decrypt everything instead. There is obviously a command to encrypt and not duplicate so hoping there is a reverse.
TIA
- dolbyman
- Guru
- Posts: 35234
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QLocker batch decrypt command/script (I have the decrypt key)
buy enough external space to offload your data
you need to kill/redo your nas anyways..or do you trust the attackers to have gracefully left?
-
- New here
- Posts: 5
- Joined: Tue Apr 27, 2021 9:20 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
Yeah, there is always that but I have blocked external access on the FW so there is no more connectivity to the internet.
If I need to do external, then it is what it is
- dolbyman
- Guru
- Posts: 35234
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QLocker batch decrypt command/script (I have the decrypt key)
The malware was already on your NAS blocking access now is a bit late
Software could have a little timer that just deletes all your files in a month from now ..no connection needed
Also if you had external backups, all of this wouldn't have been an issue anyways..so use this as an opportunity to start a backup scheme
-
- New here
- Posts: 5
- Joined: Tue Apr 27, 2021 9:20 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
Yeah I don't think you're understanding what I'm on about...
Yes, they have already done the work and performed the compromise. I reviewed the logs on my FW and NAS showing them accessing multiple times for cleanup (I assume). Removing connectivity takes away any chance of C&C so not doing it, even post incident, is a mistake.
Yes, there could be anything on there, that's true.
Backing up everything to a separate drive would be cost prohibitive based on a 3 yr ROI for drives/NAS. It's one of the reasons we run RAID 5 to mitigate HW failure somewhat.
Anyway, here is the script I wanted in case anyone else needs it
How to decrypt multiple files at once
If you found your passwords or paid the ransom, you can use the following command (thanks ss1973) to decrypt all of your files at once from within Windows.
SET source=C:\Users\thomb158\Downloads\5thKind\7z
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pPASSWORD "%%~fF" -o"%%~pF\"
EXIT
In the above command, 'SET source=' is the path to your encrypted files, and -p is the password. You will also need to have installed the 7zip program.
-
- New here
- Posts: 5
- Joined: Mon Oct 19, 2015 10:56 am
Re: QLocker batch decrypt command/script (I have the decrypt key)
Same boat here... External backups yes, but when running a lightroom database which can't be kept on the NAS, rebuilding after an event like this is a major undertaking. It will take me over a week just to move files between drives and who knows how long to unencrypt 80,000 out of the 400,000 files that were hit before I shut it down.
dolbyman wrote: ↑Tue Apr 27, 2021 9:44 pm
The malware was already on your NAS blocking access now is a bit late
Software could have a little timer that just deletes all your files in a month from now ..no connection needed
Also if you had external backups, all of this wouldn't have been an issue anyways..so use this as an opportunity to start a backup scheme
I don't understand how my NAS could encrypt 80K files in four days and the techs at QNAP can't write a script where I enter my new $500 password and reverse it?
-
- New here
- Posts: 5
- Joined: Mon Oct 19, 2015 10:56 am
Re: QLocker batch decrypt command/script (I have the decrypt key)
Have you tried this script? Do you run it on a windows command line or do you SSH into the QNAP and run it on the server? Does it do subfolders or just parents? I have folders nested up to 5 deep with at least 80K files encrypted mixed in some 400K of files since I was able to kill the process in the act.
Rocket_Rabbit wrote: ↑Wed Apr 28, 2021 7:52 pm
Yeah I don't think you're understanding what I'm on about...
Yes, they have already done the work and performed the compromise. I reviewed the logs on my FW and NAS showing them accessing multiple times for cleanup (I assume). Removing connectivity takes away any chance of C&C so not doing it, even post incident, is a mistake.
Yes, there could be anything on there, that's true.
Backing up everything to a separate drive would be cost prohibitive based on a 3 yr ROI for drives/NAS. It's one of the reasons we run RAID 5 to mitigate HW failure somewhat.
Anyway, here is the script I wanted in case anyone else needs it
How to decrypt multiple files at once
If you found your passwords or paid the ransom, you can use the following command (thanks ss1973) to decrypt all of your files at once from within Windows.
SET source=C:\Users\thomb158\Downloads\5thKind\7z
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pPASSWORD "%%~fF" -o"%%~pF\"
EXIT
In the above command, 'SET source=' is the path to your encrypted files, and -p is the password. You will also need to have installed the 7zip program.
- dolbyman
- Guru
- Posts: 35234
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QLocker batch decrypt command/script (I have the decrypt key)
So you had external backups but still paid the ransom ?
Most of the time it's easier to destroy than to rebuild.. hope lessons were learned and NAS units will never be exposed again
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
No I haven't tried it and I can't vouch for it.
You're supposed to run it from Windows command prompt (plain old cmd.exe, not PowerShell).
Yes it's supposed to work recursively in subfolders.
-
- New here
- Posts: 5
- Joined: Tue Apr 27, 2021 9:20 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
Yes because I like giving money away...
I had backups of my data, but there was my wife's photography business on there which accounted for about 18TB of the 20+TB we use. No backup of that so the decision was made to pay.
Yes - I will not be trusting QNAP and the device has been locked down to internal use only. A shame, but extremely necessary. Once the time comes to replace the drives, I'll move to a synology or something. Shame, QNAP did seem decent to use.
-
- New here
- Posts: 5
- Joined: Tue Apr 27, 2021 9:20 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
Yes I have tried it and it works a treat (Does all sub-folders in the folder you specify). Alas it makes a copy of everything decrypted, but then I am using QFiling to move all files modified after the date of the ransomware and then deleting all those files once they are moved.
davepix wrote: ↑Thu Apr 29, 2021 3:08 am
Have you tried this script? Do you run it on a windows command line or do you SSH into the QNAP and run it on the server? Does it do subfolders or just parents? I have folders nested up to 5 deep with at least 80K files encrypted mixed in some 400K of files since I was able to kill the process in the act.
Rocket_Rabbit wrote: ↑Wed Apr 28, 2021 7:52 pm
Yeah I don't think you're understanding what I'm on about...
Yes, they have already done the work and performed the compromise. I reviewed the logs on my FW and NAS showing them accessing multiple times for cleanup (I assume). Removing connectivity takes away any chance of C&C so not doing it, even post incident, is a mistake.
Yes, there could be anything on there, that's true.
Backing up everything to a separate drive would be cost prohibitive based on a 3 yr ROI for drives/NAS. It's one of the reasons we run RAID 5 to mitigate HW failure somewhat.
Anyway, here is the script I wanted in case anyone else needs it
How to decrypt multiple files at once
If you found your passwords or paid the ransom, you can use the following command (thanks ss1973) to decrypt all of your files at once from within Windows.
SET source=C:\Users\thomb158\Downloads\5thKind\7z
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pPASSWORD "%%~fF" -o"%%~pF\"
EXIT
In the above command, 'SET source=' is the path to your encrypted files, and -p is the password. You will also need to have installed the 7zip program.
So I ran it as a batch file from the root of the QNAP drive volume. For example let's call it the 'Q' drive.
Obviously a batch file (xxx.bat) is a text file renamed .bat.
So my script looked like the following:
SET source=Q:\desired_folder
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pwhateverthepasswordyouweregivenorhaveis "%%~fF" -o"%%~pF\"
Save the batch file in the q:\ location. Double click on it and you're away
-
- New here
- Posts: 2
- Joined: Thu Jul 19, 2018 4:18 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
If anybody still needs it and doesn't want to use Windows:
create the file decrypt.sh inside the folder you want to decrypt (example: /share/CACHEDEV1_DATA/, it's going to extract everything recursively INSIDE this folder) with this script:
Code: Select all
#!/bin/bash
# Find every .7z archive below the current directory and process each one
find . -name "*.7z" -exec sh -c '
for file do
  dir=${file%/*}
  # Extract next to the archive; -aoa overwrites files with the same name
  if 7z x -pYOUR_PASSWORD -aoa "$file" -o"$dir"; then
    # Delete the archive and the ransom note only after a successful extract
    rm -rf "$file"
    rm -rf "$dir/!!!READ_ME.txt"
  fi
done' sh {} \;
run
Code: Select all
chmod +x decrypt.sh
and then
Code: Select all
./decrypt.sh
this will:
a) extract the files "in-place"
b) delete the crypted .7z file (you can remove this step deleting rm -rf "$file" )
c) remove the "!!!READ_ME.txt" file inside the folders where the files were found.
The -aoa parameter will overwrite existing files with the same name, if you want to maintain multiple copies you can change it to -aou
This is a quick&dirty solution, I encourage everyone to back up everything before doing this.
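A more cautious take on the in-place approach from the post above, as an added example that is not part of the original post or the poster's script. It tests each archive before extracting, uses -aou so nothing is overwritten, and deletes an archive only once the restored file is on disk; everything else is left alone and logged. Assumptions: the `SEVENZ` and `QPASS` variables and the `recover_tree` name are made up for this example, each archive is assumed to be named `<original>.7z`, and file names contain no newlines.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: SEVENZ is the 7-Zip
# binary, QPASS holds the password, each archive is named <original>.7z,
# and no file name contains a newline.
SEVENZ=${SEVENZ:-7z}

# recover_tree ROOT FAILLOG
# Decrypts every *.7z under ROOT in place. An archive is deleted only after
# it passed "7z t", extracted without error, and the restored file exists.
# Anything else is left untouched and its path is appended to FAILLOG.
# Sets RECOVER_FAILED to the number of failures; returns 0 if there were none.
recover_tree() {
    root=$1
    faillog=$2
    failed=0
    list=$(mktemp) || return 2
    find "$root" -type f -name '*.7z' > "$list"
    while IFS= read -r archive; do
        dir=${archive%/*}
        # "t" verifies password and CRCs without writing any data.
        # -aou renames on a name clash instead of overwriting like -aoa.
        # </dev/null stops 7z from consuming the file list on stdin.
        if "$SEVENZ" t -p"$QPASS" "$archive" </dev/null >/dev/null 2>&1 &&
           "$SEVENZ" x -p"$QPASS" -aou "$archive" -o"$dir" </dev/null >/dev/null 2>&1 &&
           [ -e "${archive%.7z}" ]
        then
            rm -f -- "$archive" "$dir/!!!READ_ME.txt"
        else
            printf '%s\n' "$archive" >> "$faillog"
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f -- "$list"
    RECOVER_FAILED=$failed
    [ "$failed" -eq 0 ]
}

# Usage: export QPASS='your password'
#        recover_tree /share/CACHEDEV1_DATA /tmp/qlocker-failed.log
```

Archives listed in the failure log are still on disk, so they can be retried or inspected by hand once the rest of the tree is done.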
-
- Starting out
- Posts: 17
- Joined: Tue Apr 03, 2012 3:52 pm
Re: QLocker batch decrypt command/script (I have the decrypt key)
I got attacked by those buggers too - but luckily could find out the password they used to encrypt my files.
Then I tried a bash script to decrypt all my files, but my script was unstable - so I wrote a Node.js script that decrypts all 7zip archives from a specific directory recursively.
1.) Install Node.js on your Qnap NAS (I did it through Qnapclub's QPKG Store https://qnapclub.eu/en/howto/1)
2.) ssh into your NAS
3.) create a folder somewhere (e.g. `mkdir /share/Public/recover-qlocker`)
4.) copy the files from this gist into the newly created folder (https://gist.github.com/ChiefORZ/4b0826 ... eb5b52f0e3)
5.) go to the folder and install the npm dependencies (`cd /share/Public/recover-qlocker; npm install;`)
6.) edit the .env and paste your 7zip password
7.) go to the folder, where you want to start the recovery (`cd /share/CACHEDEV3_DATA`)
8.) run the script (`node /share/Public/recover-qlocker`)
... by the way ... was someone hearing about a coming update to PHP ?