QNAP-targeted ransomware is now a thing

OneCD
Ask me anything
Posts: 6236
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

QNAP-targeted ransomware is now a thing

Post by OneCD » Thu Jul 11, 2019 1:22 pm

Another first for QNAP. :(
The Hacker News wrote:
A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News.

Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.

Dubbed "QNAPCrypt" by Intezer and "eCh0raix" by Anomali, the new ransomware is written in the Go programming language and encrypts files with targeted extensions using AES encryption and appends .encrypt extension to each.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.

...

As a reminder, we urge users not to, unknowingly or unnecessarily, connect their NAS devices directly to the Internet, and also enable automatic updates to keep firmware up-to-date.

SC wrote:
The researchers said the threat actor appears to be scanning the internet for QNAP devices and then compromises those set up with weak passwords. The number of potentially vulnerable QNAP NAS drives is not known, Anomali said, adding the researchers have found samples compiled for ARM and Intel x86, leading us to believe it is present in both enterprise and home devices.

...

The ransomware code itself is very simple, containing just 400 lines and written in the Go programming language.

The ransomware reaches out to the URL http://192.99.206[.]61/d.php?s=started and then tells command and control server sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000 it is up and running.

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190730

one.cd.only@gmail.com


Moogle Stiltzkin
Ask me anything
Posts: 7593
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin » Thu Jul 11, 2019 2:45 pm

time to enable reserved space for snapshots. and also don't portforward qnap to the internet.
"Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities."

these are the users that don't update qts at all, or have generally lax network security practices, like port forwarding the qnap or using upnp qnap+router, and poor passwords :S just a bunch of things that result in your network being compromised and the NAS easily targeted.

also if you're not actively using ssh, disable when not in use.

"However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files."

:shock:


it's that or hillary or someone trying to frame them :lol:

NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 + 16gb ddr4 Crucial + QWA-AC2600 wireless adapter.
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[^] QNAP TS-659 Pro II 1x 4TB HGST Deskstar NAS
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228 w. 1x 1TB WD RE3 (WD1002FBYS)
[^] QNAP TS-128
Mobile NAS TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Windows 10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review

https://www.patreon.com/mooglestiltzkin

theincogtion
Starting out
Posts: 23
Joined: Mon Mar 28, 2016 9:56 pm

Re: QNAP-targeted ransomware is now a thing

Post by theincogtion » Thu Jul 11, 2019 9:39 pm

Just got a mail pointing to the new security advisory:
https://www.qnap.com/en/security-advisory/NAS-201907-11

My questions are:

"To avoid infection, you must:

Update QTS to the latest version."

1. Which QTS version is insecure and which one is secure?
2. How can I find out if I am affected?
3. How does the malware get on the system? About myqnapcloud?
4. What if my NAS is in a home network (secured by a router firewall)? Am I also affected?


As always the security advisory could give far more information....
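
One way to approach question 2 with only what the quoted articles state (files gain a `.encrypt` suffix; entry is by brute-forcing SSH), as an added example that is not part of the original thread or any QNAP tool. The function names, the threshold of 5, the stock OpenSSH log-line format and all sample data are assumptions made for illustration.

```python
import os
import re
import tempfile
from collections import Counter

ENCRYPT_SUFFIX = ".encrypt"  # suffix the quoted article says the ransomware appends
# Assumed log format: stock OpenSSH sshd failure lines (QTS may log differently).
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def find_encrypted(root):
    """Map each directory (relative to root) holding *.encrypt files to (encrypted, total)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        enc = sum(1 for name in files if name.endswith(ENCRYPT_SUFFIX))
        if enc:
            hits[os.path.relpath(dirpath, root)] = (enc, len(files))
    return hits

def brute_force_sources(log_lines, threshold=5):
    """Return {source_ip: (failures, usernames_tried)} for sources at or above threshold."""
    counts, users = Counter(), {}
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            counts[src] += 1
            users.setdefault(src, set()).add(user)
    return {s: (n, sorted(users[s])) for s, n in counts.items() if n >= threshold}

# Constructed sample log (documentation-range IPs, not from any real device).
SAMPLE_LOG = [
    f"Jul 11 03:10:{i:02d} nas sshd[911]: Failed password for admin from 203.0.113.7 port 40{i:02d} ssh2"
    for i in range(6)
] + [
    "Jul 11 03:11:01 nas sshd[912]: Failed password for invalid user guest from 203.0.113.7 port 4100 ssh2",
    "Jul 11 09:00:00 nas sshd[950]: Failed password for admin from 198.51.100.20 port 5000 ssh2",
    "Jul 11 09:00:09 nas sshd[950]: Accepted password for admin from 198.51.100.20 port 5000 ssh2",
]

def demo():
    """Build a throwaway share tree and run both checks on the constructed data."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Photos/a.jpg.encrypt", "Photos/b.jpg.encrypt", "Photos/notes.txt", "Docs/report.odt"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_encrypted(root), brute_force_sources(SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

A single mistyped password stays below the threshold, while the repeated failures from one source are reported together with the usernames it tried.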

dolbyman
Guru
Posts: 14311
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP-targeted ransomware is now a thing

Post by dolbyman » Thu Jul 11, 2019 9:45 pm

well there was synolocker a couple of years ago ...now with crypto coins going back up .. it was a matter of time

surprised we haven't heard of this yet (via forum posts)


Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin » Thu Jul 11, 2019 10:53 pm

update

what to do
Recommendation
To avoid infection, you must:

Update QTS to the latest version.
Install and update Malware Remover to the latest version.
Use a stronger admin password.
Enable Network Access Protection to protect accounts from brute force attacks.
Disable SSH and Telnet services if you are not using them.
Avoid using default port numbers 443 and 8080.
https://www.qnap.com/en/security-advisory/nas-201907-11

Re: QNAP-targeted ransomware is now a thing

Post by OneCD » Fri Jul 12, 2019 7:58 am

Moogle Stiltzkin wrote:
Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.

Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(


Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin » Fri Jul 12, 2019 8:14 am

OneCD wrote:
Fri Jul 12, 2019 7:58 am
Moogle Stiltzkin wrote:
Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

:shock: what!

Re: QNAP-targeted ransomware is now a thing

Post by OneCD » Fri Jul 12, 2019 8:33 am

Yep, party’s over. ;)


Re: QNAP-targeted ransomware is now a thing

Post by dolbyman » Fri Jul 12, 2019 9:37 am

Moogle Stiltzkin wrote:
Fri Jul 12, 2019 8:14 am
OneCD wrote:
Fri Jul 12, 2019 7:58 am
Moogle Stiltzkin wrote:
Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

:shock: what!

that's why windows ransomware flushes/disables your shadowcopy service first (similar to snapshots)


Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin » Fri Jul 12, 2019 10:05 am

wow.... if that's the case then it's a waste i did snapshots on the raid1 ssd for my ts-877. next time i have a chance i'll just do a static vol next time.

i still use snapshots for the raid5 4x4tb just for convenience to rollback.

Re: QNAP-targeted ransomware is now a thing

Post by dolbyman » Fri Jul 12, 2019 10:14 am

snapshots DO help if a connected client is causing file changes or deletion..just not if the actual NAS is infected


Re: QNAP-targeted ransomware is now a thing

Post by OneCD » Fri Jul 12, 2019 11:17 am

dolbyman wrote:
Fri Jul 12, 2019 10:14 am
snapshots DO help if a connected client is causing file changes or deletion..just not if the actual NAS is infected

... which I guess I should have made clearer. :geek:


umpa
Easy as a breeze
Posts: 340
Joined: Sat Feb 18, 2012 8:04 pm

Re: QNAP-targeted ransomware is now a thing

Post by umpa » Fri Jul 12, 2019 4:35 pm

I have just found out about this, I guess I live under a rock - lol. Someone has been trying to log in as administrator and the system added them to the ban list. It's something that happens from time to time - never really worried about it.

I tend to just let my Qnaps just get on with it, bad I know, but I was so happy just to get them to work right that security was not high on my list. It's been that way for years.

Most of mine are old legacy devices that only get security updates, and one of them is on 4.2.6, for which the latest available to me as of today is QTS 4.2.6 build 20190629. The release notes don't say that this particular crypto issue is addressed in this release anyway.

I'm hesitant to install something into my NAS developed by a company who would rather have me buy a brand new one from them instead. I could be jumping out of the fire into the frying pan, and I don't think Qnap would give two hoots if it all went pear shaped as a result of installing a new firmware.

That's how I feel about it anyway.
1x TS-412 3x WD2003YYS (Enterprise) 1x WD20EFRX (Green) [Raid 0]
1x TS-412 3x WDC ED30EFRX (Red) 1X ST3000VN007 (IronWolf) [Raid 5]
1x TS-412 2x WD20EZRX (GREEN) & 2x WD20EARS (Green) [Raid 5]
1x TS-859pro 4x WD30EFRX (RED) & 4X ST3000VN007 (IronWolf) [Raid 5]
1x TS-869pro 8X HGST HDS724040ALE640 - (DeskTop) [Raid 5]
1x WDSharespace 4xWDC WD2003YYS (Enterprise) [Raid 0] - The worst NAS I have ever owned.
5x WD MybookWorld White light Edition (Which are fitted with WD Green drives as standard) also rubbish

bapw@comcast.net
Getting the hang of things
Posts: 91
Joined: Tue Apr 25, 2017 2:15 am

Re: QNAP-targeted ransomware is now a thing

Post by bapw@comcast.net » Fri Jul 12, 2019 9:59 pm

I have not dealt with ports before so how does one find out about which ones to use. Any info would be so much appreciated. Thank you.


Re: QNAP-targeted ransomware is now a thing

Post by dolbyman » Fri Jul 12, 2019 10:01 pm

best to use no portforwarding at all ... as those open up the nas to attacks
