QLocker batch decrypt command/script (I have the decrypt key)

Rocket_Rabbit
New here
Posts: 5
Joined: Tue Apr 27, 2021 9:20 pm

Post by Rocket_Rabbit »

Hi guys - first post which is probably going to be common with the recent events.

Anyway I have the decrypt key but have over 20TB of data to get through. I don't have enough space to extract so was wondering if there is a batch command/script to decrypt everything instead. There is obviously a command to encrypt and not duplicate so hoping there is a reverse.

TIA
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Post by dolbyman »

Buy enough external space to offload your data.

You need to kill/redo your NAS anyways... or do you trust the attackers to have gracefully left?
Rocket_Rabbit
New here
Posts: 5
Joined: Tue Apr 27, 2021 9:20 pm

Post by Rocket_Rabbit »

Yeah, there is always that but I have blocked external access on the FW so there is no more connectivity to the internet.

If I need to do external, then it is what it is :)
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Post by dolbyman »

The malware was already on your NAS; blocking access now is a bit late.

Software could have a little timer that just deletes all your files in a month from now... no connection needed.

Also, if you had external backups, all of this wouldn't have been an issue anyways... so use this as an opportunity to start a backup scheme.
Rocket_Rabbit
New here
Posts: 5
Joined: Tue Apr 27, 2021 9:20 pm

Post by Rocket_Rabbit »

Yeah I don't think you're understanding what I'm on about...

Yes, they have already done the work and performed the compromise. I reviewed the logs on my FW and NAS showing them accessing multiple times for cleanup (I assume). Removing connectivity takes away any chance of C&C so not doing it, even post incident, is a mistake.

Yes, there could be anything on there, that's true.

Backing up everything to a separate drive would be cost prohibitive based on a 3 yr ROI for drives/NAS. It's one of the reasons we run RAID 5 to mitigate HW failure somewhat.

Anyway, here is the script I wanted in case anyone else needs it :)

How to decrypt multiple files at once
If you found your passwords or paid the ransom, you can use the following command (thanks ss1973) to decrypt all of your files at once from within Windows.

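REM Folder that holds the encrypted .7z files (searched recursively).
SET source=C:\Users\thomb158\Downloads\5thKind\7z
REM Extract each archive next to itself; %%~dpF keeps the drive letter, so the output lands on the source drive.
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pPASSWORD "%%~fF" -o"%%~dpF\"
EXIT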
In the above command, 'SET source=' is the path to your encrypted files, and -p is the password. You will also need to have installed the 7zip program.
davepix
New here
Posts: 5
Joined: Mon Oct 19, 2015 10:56 am

Post by davepix »

dolbyman wrote: Tue Apr 27, 2021 9:44 pm The malware was already on your NAS; blocking access now is a bit late.

Software could have a little timer that just deletes all your files in a month from now... no connection needed.

Also, if you had external backups, all of this wouldn't have been an issue anyways... so use this as an opportunity to start a backup scheme.
Same boat here... External backups yes, but when running a Lightroom database which can't be kept on the NAS, rebuilding after an event like this is a major undertaking. It will take me over a week just to move files between drives and who knows how long to unencrypt 80,000 out of the 400,000 files that were hit before I shut it down.

I don't understand how my NAS could encrypt 80K files in four days and the techs at QNAP can't write a script where I enter my new $500 password and reverse it?
davepix
New here
Posts: 5
Joined: Mon Oct 19, 2015 10:56 am

Post by davepix »

Have you tried this script? Do you run it on a Windows command line or do you SSH into the QNAP and run it on the server? Does it do subfolders or just parents? I have folders nested up to 5 deep with at least 80K files encrypted mixed in some 400K of files since I was able to kill the process in the act.


dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Post by dolbyman »

So you had external backups but still paid the ransom?

Most of the time it's easier to destroy than to rebuild.. hope lessons were learned and NAS units will never be exposed again
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Post by Mousetick »

davepix wrote: Thu Apr 29, 2021 3:08 am Have you tried this script? Do you run it on a Windows command line or do you SSH into the QNAP and run it on the server? Does it do subfolders or just parents?
No I haven't tried it and I can't vouch for it.
You're supposed to run it from Windows command prompt (plain old cmd.exe, not PowerShell).
Yes it's supposed to work recursively in subfolders.
Rocket_Rabbit
New here
Posts: 5
Joined: Tue Apr 27, 2021 9:20 pm

Post by Rocket_Rabbit »

dolbyman wrote: Thu Apr 29, 2021 3:10 am So you had external backups but still paid the ransom?

Most of the time it's easier to destroy than to rebuild.. hope lessons were learned and NAS units will never be exposed again
Yes because I like giving money away... :lol:

I had backups of my data, but there was my wife's photography business on there which accounted for about 18TB of the 20+TB we use. No backup of that so the decision was made to pay.

Yes - I will not be trusting QNAP and the device has been locked down to internal use only. A shame, but extremely necessary. Once the time comes to replace the drives, I'll move to a Synology or something. Shame, QNAP did seem decent to use.
Rocket_Rabbit
New here
Posts: 5
Joined: Tue Apr 27, 2021 9:20 pm

Post by Rocket_Rabbit »

davepix wrote: Thu Apr 29, 2021 3:08 am Have you tried this script? Do you run it on a Windows command line or do you SSH into the QNAP and run it on the server? Does it do subfolders or just parents? I have folders nested up to 5 deep with at least 80K files encrypted mixed in some 400K of files since I was able to kill the process in the act.


Yes I have tried it and it works a treat (Does all sub-folders in the folder you specify). Alas it makes a copy of everything decrypted, but then I am using QFiling to move all files modified after the date of the ransomware and then deleting all those files once they are moved.

So I ran it as a batch file from the root of the QNAP drive volume. For example let's call it the 'Q' drive.

Obviously a batch file (xxx.bat) is a text file renamed .bat.

So my script looked like the following:

SET source=Q:\desired_folder
REM %%~dpF is the drive and folder of each archive, so files are extracted next to it.
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pwhateverthepasswordyouweregivenorhaveis "%%~fF" -o"%%~dpF\"

Save the batch file in the q:\ location. Double click on it and you're away :)
nydirac
New here
Posts: 2
Joined: Thu Jul 19, 2018 4:18 pm

Post by nydirac »

If anybody still needs it and doesn't want to use Windows:

Create the file decrypt.sh inside the folder you want to decrypt (example: /share/CACHEDEV1_DATA/, it's going to extract everything recursively INSIDE this folder) with this script:

Code:

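#!/bin/bash
# Extract every .7z archive under the current directory in place.
find . -type f -name "*.7z" -exec sh -c '
   for file do
     dir=${file%/*}
     # Remove the archive and the ransom note only after a successful extraction.
     if 7z x -pYOUR_PASSWORD -aoa "$file" -o"$dir"; then
       rm -rf "$file"
       rm -rf "$dir/!!!READ_ME.txt"
     fi
   done' sh {} \;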
run

Code:

chmod +x decrypt.sh
and then

Code:

./decrypt.sh
this will:
a) extract the files "in-place"
b) delete the crypted .7z file (you can remove this step by deleting rm -rf "$file")
c) remove the "!!!READ_ME.txt" file inside the folders where the files were found.

The -aoa parameter will overwrite existing files with the same name; if you want to maintain multiple copies you can change it to -aou.

This is a quick & dirty solution, I encourage everyone to back up everything before doing this.
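
A more defensive variant of the in-place approach from the post above, as an added example that is not part of the original thread: it tests each archive before extracting, deletes an archive only after a clean extraction, never overwrites existing files (-aou), leaves the ransom notes alone and logs every archive it could not handle. The function names and the SEVENZIP, QLOCKER_PASSWORD and FAILED_LOG variables are hypothetical; it assumes 7z is on the PATH and that file names contain no newlines.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed names: SEVENZIP (7z binary),
# QLOCKER_PASSWORD (the recovered password), FAILED_LOG (archives left untouched).
SEVENZIP=${SEVENZIP:-7z}
FAILED_LOG=${FAILED_LOG:-./qlocker-failed.log}

# decrypt_one ARCHIVE: test, extract next to the archive, then delete it.
# Returns non-zero and leaves the archive in place if any step fails.
decrypt_one() {
    archive=$1
    dir=$(dirname -- "$archive")
    # Password/integrity check first, so a bad archive never reaches the delete.
    "$SEVENZIP" t -p"$QLOCKER_PASSWORD" "$archive" >/dev/null 2>&1 || return 1
    # -aou renames on a name collision instead of overwriting an existing file.
    "$SEVENZIP" x -p"$QLOCKER_PASSWORD" -aou -o"$dir" "$archive" >/dev/null 2>&1 || return 1
    rm -f -- "$archive"
}

# decrypt_tree ROOT [--dry-run]: handle one archive at a time, so the extra
# space needed is about the largest single file, not a second full copy.
# Sets DONE_COUNT and FAIL_COUNT; returns 1 if any archive failed.
decrypt_tree() {
    root=$1; mode=${2:-}
    DONE_COUNT=0; FAIL_COUNT=0
    list=$(mktemp) || return 2
    # Snapshot the archive list up front so extracted files are never revisited.
    find "$root" -type f -name '*.7z' -print > "$list"
    # Read the list on fd 3 so 7z cannot consume it through stdin.
    while IFS= read -r archive <&3; do
        if [ "$mode" = "--dry-run" ]; then
            echo "would decrypt: $archive"
        elif decrypt_one "$archive"; then
            DONE_COUNT=$((DONE_COUNT + 1))
        else
            FAIL_COUNT=$((FAIL_COUNT + 1))
            echo "$archive" >> "$FAILED_LOG"
        fi
    done 3< "$list"
    rm -f -- "$list"
    [ "$FAIL_COUNT" -eq 0 ]
}
```

Source the file and call decrypt_tree with --dry-run first: the walk matches every *.7z under the root, including archives of your own that predate the attack, so review the list before the real run.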
ChiefORZ
Starting out
Posts: 17
Joined: Tue Apr 03, 2012 3:52 pm

Post by ChiefORZ »

I got attacked by those buggers too - but luckily could find out the password they used to encrypt my files.
Then I tried a bash script to decrypt all my files, but my script was unstable - so I wrote a Node.js script that decrypts all 7zip archives from a specific directory recursively.

1.) Install Node.js on your QNAP NAS (I did it through Qnapclub's QPKG Store https://qnapclub.eu/en/howto/1)
2.) ssh into your NAS
3.) create a folder somewhere (e.g. `mkdir /share/Public/recover-qlocker`)
4.) copy the files from this gist into the newly created folder (https://gist.github.com/ChiefORZ/4b0826 ... eb5b52f0e3)
5.) go to the folder and install the npm dependencies (`cd /share/Public/recover-qlocker; npm install;`)
6.) edit the .env and paste your 7zip password
7.) go to the folder, where you want to start the recovery (`cd /share/CACHEDEV3_DATA`)
8.) run the script (`node /share/Public/recover-qlocker`)
... by the way ... was someone hearing about a coming update to PHP?