[RANSOMWARE] 4/20/2021 - QLOCKER


Post by saturdaynightyay » Fri Apr 23, 2021 3:41 am

Fly100 wrote (Fri Apr 23, 2021 3:22 am):
> dir /s /b *.7z > allzips.txt
> for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
> for /F "delims=" %%x in (allzips.txt) do del "%%x"
>
> A guy earlier in the thread wrote this gem, thank you Sir :-) well played. Could anyone offer advice on it please? I can only get it to work if I put the bat file in the same dir as the 7z files; it won't then do any of the sub dirs in the main dir.
>
> Thank you again to the gent that wrote it.
>
> Hero.
>
> FLY

Yes, it would be good to get a script that will do everything. Also, if you could specify which folder to run the script from?

Cheers


Post by McBride » Fri Apr 23, 2021 3:49 am

FYI, I filed a ticket for an EOL NAS. And now we wait.


Austria est imperare orbi universo


Post by jonezed7 » Fri Apr 23, 2021 3:57 am

Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.


Post by saturdaynightyay » Fri Apr 23, 2021 4:03 am

jonezed7 wrote (Fri Apr 23, 2021 3:57 am):
> Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.

I doubt it mate, things like that are a 1 time thing. It's like a DOS prompt, I don't think it gets stored.


Post by Fly100 » Fri Apr 23, 2021 4:04 am

saturdaynightyay wrote (Fri Apr 23, 2021 3:41 am):
> Fly100 wrote (Fri Apr 23, 2021 3:22 am):
> > dir /s /b *.7z > allzips.txt
> > for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
> > for /F "delims=" %%x in (allzips.txt) do del "%%x"
> >
> > A guy earlier in the thread wrote this gem, thank you Sir :-) well played. Could anyone offer advice on it please? I can only get it to work if I put the bat file in the same dir as the 7z files; it won't then do any of the sub dirs in the main dir.
> >
> > Thank you again to the gent that wrote it.
> >
> > Hero.
> >
> > FLY
>
> Yes, it would be good to get a script that will do everything. Also, if you could specify which folder to run the script from?
>
> Cheers

Well, I have no idea why but it's now working. Must be my end. Doh.
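
An added example, not code from any poster in this thread: a Python version of the recursive restore that the quoted batch file performs, taking the folder as an argument. It tests each archive before extracting and deletes an archive only after its own extraction succeeded, whereas the batch file's last line deletes every listed archive whether or not extraction worked. The names `find_archives` and `restore_tree` and the `run` parameter are assumptions made for this example; the 7-Zip path is the one from the batch file.

```python
import subprocess
from pathlib import Path

# 7-Zip location taken from the batch file in the thread; adjust for your PC.
SEVEN_ZIP = r"C:\Program Files\7-Zip\7z.exe"


def find_archives(root):
    """Every .7z file under root, subfolders included (hypothetical helper)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() == ".7z")


def restore_tree(root, password, run=subprocess.run, delete=False):
    """Test, then extract, each archive beside itself.

    Returns (restored, failed). An archive is deleted only when delete=True
    and both 7z steps exited with code 0. `run` is injectable for dry runs.
    Note: 7z receives the password as an argument, so it is visible in the
    local process list while the command runs.
    """
    restored, failed = [], []
    for archive in find_archives(root):
        pw = "-p" + password
        steps = [
            # 't' checks integrity with this password without writing files.
            [SEVEN_ZIP, "t", pw, str(archive)],
            # 'e' extracts next to the archive, as the batch file's -o"%%~dpx"
            # does; -aos skips files that already exist instead of overwriting.
            [SEVEN_ZIP, "e", pw, "-aos", "-o" + str(archive.parent), str(archive)],
        ]
        # all() stops at the first failing step, so a failed test never extracts.
        if all(run(cmd, capture_output=True).returncode == 0 for cmd in steps):
            restored.append(archive)
            if delete:
                archive.unlink()
        else:
            failed.append(archive)  # left in place for a later retry
    return restored, failed


if __name__ == "__main__":
    import getpass
    import sys
    ok, bad = restore_tree(sys.argv[1], getpass.getpass("Archive password: "))
    print(f"{len(ok)} restored, {len(bad)} failed and kept")
    for path in bad:
        print("FAILED:", path)
```

Run it first without `delete=True` and check a sample of the extracted files before removing any archive.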


Post by saturdaynightyay » Fri Apr 23, 2021 4:17 am

Fly100, so you log on to SSH and type those 3 commands (1 for each line) in order?

After entering line 1 I get:

-sh: dir: command not found :ashamed:

Ah, it looks like it's a DOS command, I should try it from PC

Cheers


Post by jaysona » Fri Apr 23, 2021 4:29 am

McBride wrote (Fri Apr 23, 2021 3:30 am):
> That’s called gross negligence and can have legal consequences.

You would think so, but that is not the case. Read the software license and usage agreement you accept when you use the NAS. You effectively agree to an as-is use of the software and QNAP provides no guarantees about its software.

I have had numerous "discussions" with "software engineers" that I know and have told more than a few that if they were civil engineers, they would be in jail for gross negligence. The issue is that software people (aside from certain Aerospace applications) have absolutely no legal obligations whatsoever when it comes to software code robustness.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)


Post by Felgenklarlack » Fri Apr 23, 2021 4:32 am

Same Problem here :-(


Post by jonezed7 » Fri Apr 23, 2021 4:34 am

saturdaynightyay wrote (Fri Apr 23, 2021 4:03 am):
> jonezed7 wrote (Fri Apr 23, 2021 3:57 am):
> > Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.
>
> I doubt it mate, things like that are a 1 time thing. It's like a DOS prompt, I don't think it gets stored.

I'm still getting login attempts every 5 minutes. I never saw a successful login that wasn't my IP though. Was it back doored through the qsync or whatever? I'm just confused.


Post by saturdaynightyay » Fri Apr 23, 2021 4:35 am

In Control Panel, then Security, you can set it to block them after X number of failed login attempts.


Post by phr34k » Fri Apr 23, 2021 4:37 am

So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(


Post by jaysona » Fri Apr 23, 2021 4:38 am

jonezed7 wrote (Fri Apr 23, 2021 4:34 am):
> I'm still getting login attempts every 5 minutes. I never saw a successful login that wasn't my IP though. Was it back doored through the qsync or whatever? I'm just confused.

Time to disable port forwarding to the QTS admin webpage of your NAS, it will eventually get compromised.

Post by saturdaynightyay » Fri Apr 23, 2021 4:47 am

phr34k wrote (Fri Apr 23, 2021 4:37 am):
> So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
> Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(

Password is 32 characters. I am guessing brute force would take forever.

Try this (from another website - I have not tried it):

> Hey guys,
>
> unfortunately, my NAS was also affected. But don't worry, I have a solution. ;)
>
> You can use the following software to restore your data from the disks.
>
> https://www.cgsecurity.org/wiki/TestDisk_Download
>
> First you have to connect via ssh to your NAS and you have to install the tool from the link, it's called PhotoRec. Then you have to mount a local disk from your machine, you can use Samba to mount a disk from Windows to the NAS.
>
> Supported file systems:
> FAT, NTFS, exFAT, ext, HFS+
>
> How does it work?
> The tool can restore deleted files from the disk. All deleted files are still present, but the location of the first data block is removed. The tool can scan all sectors of the disk and can restore a lot of files. With a little bit of luck the tool can restore all files.
>
> My program has been running for one hour, and I restored 18k files already. :) A lot of my vacation pictures are already back.
>
> If you have any technical questions you can contact me here in the forum or also via mail at security@received.eu.
>
> It is not the best solution, but with luck you can restore your files and you have to pay nothing.
>
> Regards and good luck,
> MAI2VIN

Last edited by saturdaynightyay on Fri Apr 23, 2021 4:50 am, edited 1 time in total.


Post by dolbyman » Fri Apr 23, 2021 4:49 am

phr34k wrote (Fri Apr 23, 2021 4:37 am):
> So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
> Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(

For a brute-force attack you are looking at some very bleak numbers.

[Attachment: time_calc .png]

You can either wait for an exploit attack or if anyone captures the key server... If the server gets taken down and passwords are not made public, you go back to the above calculation chart.


Post by phr34k » Fri Apr 23, 2021 4:49 am

saturdaynightyay wrote (Fri Apr 23, 2021 4:47 am):
> phr34k wrote (Fri Apr 23, 2021 4:37 am):
> > So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
> > Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
>
> If process has finished then just pay the ransom, password is 32 characters. I am guessing brute force would take forever.

I'm definitely thinking about paying but I don't know which Bitcoin service to use so I can "send" them their money. I have never dealt with BTC and I tried Revolut but they don't allow me to send money to an address.
