[RANSOMWARE] 4/20/2021 - QLOCKER

mjhfx1
New here
Posts: 5
Joined: Tue Dec 15, 2020 10:07 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by mjhfx1 » Sat May 08, 2021 1:59 am

Upon seeing my device was attacked, I panicked and shut down the device, not knowing Qnap's advisory (why doesn't it email the users? I am registered.)

Anyway, what to do now? I accept that my files have already been lost. I have changed UPnP settings, etc. Now the system is painfully slow. Can't open the App Center. Can I continue to use the system? How do I prevent further breaches? Your advice will be appreciated.

mjhfx1
New here
Posts: 5
Joined: Tue Dec 15, 2020 10:07 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by mjhfx1 » Sat May 08, 2021 2:07 am

I can't even seem to be able to pay the ransom. When I tried, a box pops out: Please login. When I click OK, the screen goes back to "Enter the appeared Client Key in the field below. If succeed, you'll be provided with a Bitcoin account to transfer payment. " An endless loop.

xtreme
Starting out
Posts: 33
Joined: Sun Aug 07, 2011 6:49 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by xtreme » Sat May 08, 2021 6:22 am

I feel sorry for you people who were hit by this QLOCKER.
Doing manual backups can be too hard and many people won't even do a single one. I use to buy CDs to backup, then DVDs, then Blurays, but I never kept up-to-date backups of the recent files and suddenly in one unlucky day both of my Maxtor HDDs broke and I lost literally everything from my early life. Nowadays I use Western Digital drives and they seem to last much longer but many have failed in my use.

These Ransomwares are becoming a bit creepy. Some (many?) people nowadays keep their Media files ONLY in the NAS.

I have an idea of an Automated backup (not the best but much better than no backups)

NAS: Automated Backups to (Network share) of the NAS
PC: Automated Archiving of the Backups from the (Network share) to HDD on the PC

What do you think?

ozstar
Know my way around
Posts: 195
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Sat May 08, 2021 7:51 am

Just checked, the ransom for me is $755 in Australian Dollars. No I didn't pay it.

Where does one go to see if any geniuses are trying to crack the Qlocker pwd code. Is there a thread on Beep or some other place? Who knows they may crack it sooner than later. Anytime is better than not at all.
Last edited by ozstar on Sat May 08, 2021 8:08 am, edited 1 time in total.

dolbyman
Guru
Posts: 23168
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Sat May 08, 2021 8:00 am

unless they keyserver get captured..doubt there is anything to "crack"

most systems have pretty solid rand generators...

ozstar
Know my way around
Posts: 195
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Sat May 08, 2021 8:12 am

Thanks dolbyman. Yes sadly you are correct. But one must have hope no matter how small it may be :-)

For those who are interested..

I had success with PhotoRec but there was no folder structure or filenames just numbers. It's a great program but I want names if I can.
EaseUS grouped files in many ways, file extns, cameras, many image extns psd,jpg,png etc also some files names such as MP3s and some PDFs. I found this the better of the bunch I tried. At least some structure to piece them all together.
Stellar found them all however very few named and not as clearcut as EaseUS
GetBackData could not get from Linux drive even when connected by USB to PC
NasRecoveryData Just numbered files.

Barboots
Getting the hang of things
Posts: 51
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots » Sat May 08, 2021 9:22 am

ozstar wrote:... I want names if I can.
Hi from Perth. That AUD ransom is brutal mate... I sympathise.

When these recovery programs scrape up image files, is the EXIF data no longer embedded?

Best of success recovering, Steve

ozstar
Know my way around
Posts: 195
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Sat May 08, 2021 10:08 am

Thank you Steve.

Did you get caught ?

It's a messy task trying to piece it all together!

These are the recovered deleted files that were previously 7z'd.

At least the files that they 7z'd still have the names and the correct file size, although nothing else.

With Duplicate Photo Cleaner hopefully I will be able to compare the files with ones I have scattered around on various drives, then rename them or at least see others of the same time.

Yes some of the files do have the complete EXIF details however many don't although not sure if they did when they got to me anyway.

EaseUS has separated the camera files into camera company folders and they have the info.

Thanks again.

oz

Erik63
Starting out
Posts: 12
Joined: Mon Nov 05, 2012 2:29 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Erik63 » Sat May 08, 2021 7:58 pm

Qlocker victim here as well. However, solid backups in place so I will not concede to the ransom. Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates, long passwords, two factor logins and [added] 'non-essential' [added] ports closed.

Just adding this to express my utter disgust with the way Qnap handled and still handles this breach. The lack of communication is appalling and shows their lack of commitment and professionalism.

As the ransom outweighs the cost of a NAS I'll be switching to something else. Anyone considering alternative brands already? Which ones?
Last edited by Erik63 on Mon May 10, 2021 1:43 am, edited 1 time in total.

Skwor
Know my way around
Posts: 159
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor » Sat May 08, 2021 11:33 pm

Erik63 wrote:
Sat May 08, 2021 7:58 pm
Qlocker victim here as well. However, solid backups in place so I will not concede to the ransom. Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates , long passwords, two factor logins and closed ports.

Just adding this to express my utter disgust with the way Qnap handled and still handles this breach. The lack of communication is appalling and shows their lack of commitment and professionalism.

As the ransom outweighs the cost of a NAS I'll be switching to something else. Anyone considering alternative brands already? Which ones?
If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out you have or had some ports open in your NAS and router allowing it to be seen from the internet.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos

Erik63
Starting out
Posts: 12
Joined: Mon Nov 05, 2012 2:29 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Erik63 » Sun May 09, 2021 1:06 am

Skwor wrote:
Sat May 08, 2021 11:33 pm
If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out you have or had some ports open in your NAS and router allowing it to be seen from the internet.
That's stating the obvious. What I meant to say was that the way they managed to access the system is quite unsettling, at least to me. Me being careful had no effect at all.

Skwor
Know my way around
Posts: 159
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor » Sun May 09, 2021 2:11 am

Erik63 wrote:
Sun May 09, 2021 1:06 am
Skwor wrote:
Sat May 08, 2021 11:33 pm
If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out you have or had some ports open in your NAS and router allowing it to be seen from the internet.
That's stating the obvious. What I meant to say was that the way they managed to access the system is quite unsettling, at least to me. Me being careful had no effect at all.
Not really obvious; the way you stated it, it came across as if even with closed ports one could have been attacked successfully. There is already enough confusion on how to use a NAS and what internet security is.

AlastairStevenson
Experience counts
Posts: 2327
Joined: Wed Jan 08, 2014 10:34 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by AlastairStevenson » Sun May 09, 2021 5:15 pm

Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates , long passwords, two factor logins and closed ports.
How do you know that all ports were closed?
You don't have to explicitly configure port forwarding on the router for inbound access to be possible.
It's very common for people to be caught out if UPnP is enabled on the router (often is by default) which then allows any device on the LAN to instruct the router to open up inbound access.

In addition to your careful checking of configurations, do an inbound access test with one of the various checking tools, for example Steve Gibson's ShieldsUP!:
https://www.grc.com/x/ne.dll?bh0bkyd2

Initially test 'All service ports' then 'Common ports' then a custom range that includes your QTS admin port - by default 8080.
You might find something that needs attention, such as the QNAPCloud configuration being enabled.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.

elmaxlo
First post
Posts: 1
Joined: Sun May 09, 2021 8:18 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by elmaxlo » Sun May 09, 2021 8:29 pm

Eternic wrote:
Thu Apr 22, 2021 2:18 am
For anyone like me that is in the ** situation of deciding to pay up to get the 7z password, I've done so (luckily I already have a bitcoin wallet with enough) and I'm working through fixing my files now. If you're on Windows and accessing the files through explorer, the following is a batch script that I want it to be clear is not something I think you should use and if you do you should backup the folders before running it just in case. If you use this script correctly or incorrectly and have any data loss please do not blame me. Do not use it if you are going to be this person. If you don't know anything about batch files then don't use it. Also please create some test folders and 7z files and try it there first.

In order for the script to work on a network folder you'll need to map that folder or a parent folder to a drive letter (e.g. Z:). Create a batch file (e.g. FixMyStuff.bat) and place it in the folder you want fixed. It will extract any 7z files in that folder and any child folders and then delete them. You can remove the 3rd line that deletes the 7z files if you choose. The script is:

dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
for /F "delims=" %%x in (allzips.txt) do del "%%x"
Note that this creates an allzips.txt that the script does not delete. This is what I want. You can add a line to delete allzips.txt at the end or you can rewrite the for loop to just do the (dir /s /b *.7z) internally. Where "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" is you will insert the password you get from giving the pieces of garbage your hard earned money because you were careless with your security and mistakenly trusted your NAS. You can also add lines to find and delete the !!!READ_ME.txt files, but I'll do that separately afterwards personally. You will also need to change the path to 7z.exe to wherever you have it installed.

Again, please do not use this unless you know what you are doing and take every precaution. I'm only posting it to save people some time in this ** situation and I don't want to make it worse for them if there are any issues with this script. I have not tested it on all my files yet but so far it has worked fine.

EDIT: Also note that if you have legitimate 7z files this will extract and delete them. You can separate the first line into a separate batch file and remove any 7z files you want left untouched from the allzips.txt and then run a second batch file that does the loops. You could probably also write something better that checks file modification times and only extracts files modified after a time you specify relevant to when you were hit.



Hello,

Thanks for your script. I have a server with very important data that is completely encrypted. We paid and received the code to unzip.

The script seems to work but asks me each time to validate the overwrite or rename for each file.

Is it possible to adapt the script, or is there some other solution, so that everything is done at once?

Thank you in advance
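An added example, not Eternic's batch script or anything from QNAP: a PowerShell rewrite of the recovery procedure above, which also does what the EDIT suggests (it skips .7z files older than a cutoff so legitimate archives are left alone, and writes allzips.txt for review before extracting). Assumptions: 7-Zip is at the path below, the mapped drive letter, the password placeholder and the cutoff date are all values you replace, and the `-y` switch of 7z.exe is used so the extraction does not stop at the overwrite/rename prompts.

```powershell
# Added example (not the original poster's script). Assumed values: $Root is the
# mapped drive or folder to fix, $Password is a placeholder for the password you
# were given, $Cutoff is a date after which the ransomware archives were written.
param(
    [string]$Root     = 'Z:\',
    [string]$Password = 'PASSWORD_PLACEHOLDER',
    [datetime]$Cutoff = '2021-04-20',
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe',
    [switch]$DeleteArchives   # archives are only removed when this is given
)

# 1. Enumerate candidate archives, skipping anything older than the cutoff so
#    legitimate .7z files you created yourself are not extracted or deleted.
$archives = Get-ChildItem -Path $Root -Filter '*.7z' -Recurse -File |
    Where-Object { $_.LastWriteTime -ge $Cutoff }

# 2. Save the list next to the root so it can be reviewed (and edited) before
#    anything is touched; rerun with the same cutoff once you are happy with it.
$listFile = Join-Path $Root 'allzips.txt'
$archives.FullName | Set-Content -Path $listFile
Write-Host "Found $($archives.Count) archives after $Cutoff; list saved to $listFile"

# 3. Extract each archive into the folder it sits in. -y answers every
#    overwrite/rename question automatically, so the run does not pause per file.
foreach ($a in $archives) {
    & $SevenZip e "-p$Password" "-o$($a.DirectoryName)" -y $a.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "7z exit code $LASTEXITCODE for $($a.FullName); archive kept"
        continue
    }
    # 4. Remove the archive only after 7z reported success, and only if asked to.
    if ($DeleteArchives) { Remove-Item -LiteralPath $a.FullName }
}
```

Run it first without -DeleteArchives on a test folder, as the original poster advises; an archive whose password is wrong leaves a non-zero exit code and is kept.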

Barboots
Getting the hang of things
Posts: 51
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots » Sun May 09, 2021 11:12 pm

ozstar wrote:Thank you Steve.

Did you get caught ?

It's a messy task trying to piece it all together!

These are the recovered deleted files that previously 7z'd.

At least, the files that they 7z'd, still have the names and the correct file size, altho nothing else.

With Duplicate Photo Cleaner hopefully I will be able to compare the files with ones I have scattered around on various dives, then rename them or at least see others of the same time.

Yes some of the files do have the complete EXIF details however many don't although not sure if they did when they got to me anyway.

EaseUS has separated the camera files into camera company folders and they have the info.

Thanks again.

oz
Fortunately Oz, and honestly with an element of luck, no. My Asus router has flashing yellow text on the home page of the interface warning of UPNP being enabled. I know this, as a while back... in a frustrated effort to get some stuff working, I turned it on... and forgot to disable it afterwards. I was reminded next time I logged in to the router. I'm lucky this previous oversight didn't take place during the outbreak. Of course UPNP was enabled on the NAS (default???), so I would definitely have been in the same boat. Or perhaps not, as I had disabled HBS along with a load of schnik-schnak apps. I think that was as a result of some warning I'd caught online which reduced my confidence in Qnap security. Luck at play again.

I use a VPN for remote access and have untrustworthy devices isolated. I've received the security lecture on a surveillance forum and have "done the needful". Still, a couple of clicks trying to sort out a network issue can bring all good efforts undone.

Probably my main remnant mistake following current review is that nearly all my backups were online (during extended working hours) on the network. My previous offsite became a non-option 18 months ago.

I really feel for everyone affected. My position is that this equipment should be better, with audits and warnings regarding loose security. I certainly don't lay blame on the user... these are consumer products.

I hope you can get back to where you were, or near enough to be OK with it.

Cheers, Steve
