[RANSOMWARE] Qlocker

ThatGuyInVegas
New here
Posts: 3
Joined: Mon May 17, 2021 2:19 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ThatGuyInVegas »

I stumbled on the topic of Qlocker from a YouTube video 2 days ago by some poor guy who got ravaged by this. The two predominant methods for getting nailed with ransomware are:
  • A user gets fooled into clicking on a link that brings down the payload.
  • Ports are opened on a basic firewall (i.e., not a WAP), allowing the attacker to use methods like SQL injection.
Another newer possible method, given the SolarWinds attack, is to infect a legitimate system update or plug-in that pulls down the bad payload.

This particular Qlocker attack appears to result from open firewall ports allowing SQL injection to occur. https://threatpost.com/qnap-nas-devices ... ck/165165/
To a large degree, this is QNAP's fault; the features on their NAS advertise hosting numerous types of web services. Because of this, we can confidently assert the following:
  • QNAP should make sure that, out of the box, least privilege is the default security posture.
  • QNAP did not adequately run proper vulnerability scans or do dynamic or static code analysis before release. (SQL injection is an easy-to-find exploit).
Maybe it's because I work in cybersecurity and see what hits the defenses of the place I work; personally, I wouldn't open ports on my SOHO firewall in today's world. Unless you can employ comprehensive protections around your web server and incorporate a defense-in-depth strategy, I would not (and do not) do it. Hackers are running attack playbooks that scour the Internet, looking for vulnerable systems to hit 24/7. Unless QNAP is ready to take on the challenges of better securing their NAS products against these aggressive bad actors, you're better off using a cloud solution to host whatever you want to host. Use QNAP as a storage device, and for internal development only; don't open ports on your firewall unless you can implement protections like:
  • Web Application Firewall (WAF)
  • Endpoint Detection & Response (EDR) - NOT just heuristic antivirus, sorry ClamAV doesn't cut it
  • Data Leak Prevention (DLP)
  • Enterprise Vulnerability Management (EVM)
  • Security Orchestration, Automation, and Response (SOAR)

That is a partial list; unless you can put protections like that in place, you are at risk and running in a highly reactive mode to threats. All that said, I patched my QNAP and locked it down hard despite the fact I don't have a port open on my home firewall.
Bschneider
First post
Posts: 1
Joined: Mon May 17, 2021 7:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Bschneider »

For anyone that got hit recently can you post the new onion page please? The one that was in my Read_me file doesn't work and the one that was posted earlier stopped working last night. I got hit back on 04/21 and didn't realize it until this weekend. Thank you.
MWZotti
New here
Posts: 8
Joined: Mon Dec 29, 2014 2:15 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by MWZotti »

I'm in the same boat. Went to the link and Onionsite not found.

What do I do now?
dolbyman
Guru
Posts: 35014
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Maybe they got busted or just shut down, either the authorities take over the server and might provide a tool (based on decryption databases) or the ransom guys pulled the plug (made enough money) and you are SOL
MWZotti
New here
Posts: 8
Joined: Mon Dec 29, 2014 2:15 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by MWZotti »

Guess I'm just SOL. Shame on me for not backing up. Were only certain file types affected? Most of my video files were untouched, or maybe I inadvertently rebooted not knowing what was going on??? I only discovered the .7z files today.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

MWZotti wrote: Tue May 18, 2021 12:14 am Guess I'm just SOL. Shame on me for not backing up. Were only certain file types affected? Most of my video files were untouched, or maybe I inadvertently rebooted not knowing what was going on??? I only discovered the .7z files today.
Only small files were affected. If I read and remember correctly the reports, I think it was any file smaller than 20 MB.
MWZotti
New here
Posts: 8
Joined: Mon Dec 29, 2014 2:15 am

Post by MWZotti »

Question - Could the password have been moved somewhere since Malware Remover found the malware and isolated it? This was on 4/23. When I logged into my NAS on 5/1 I saw a firmware update was ready, so I rebooted; there was no warning not to reboot for the firmware update and check for the malware. So is there a possibility that the password is in one of the renamed files that was part of the malware scanner? Or am I grasping at straws?
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Hi,

You might like to look at this thread. Post by Mousetick on May 18

Great explanation of the log file.

viewtopic.php?f=185&t=161399&p=790655#p790655
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
Draknof
New here
Posts: 7
Joined: Sun Sep 27, 2015 4:33 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Draknof »

I followed these instructions: https://www.qnap.com/en-us/how-to/faq/a ... iles-by-7z

[/usr/local/sbin] # ps | grep 7z
25136 admin       536 S   grep 7z
Do I still have the virus running?
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD »

Draknof wrote: Thu May 20, 2021 3:20 am Do I still have the virus running?
No. The result you're seeing is your original request. ;)

Use this instead:

ps | grep 7z | grep -v grep

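The self-match OneCD points out, as an added example that is not code from the thread: the `ps` output below is constructed in the BusyBox column layout QTS uses (made-up PIDs and paths; only the "grep 7z" line echoes the thread), and three counting functions show why the naive check always reports a hit, how the `grep -v grep` filter fixes it, and a stricter variant that inspects only the executable name.

```shell
#!/bin/sh
# Added example, not code from the thread or from QNAP.
# Constructed BusyBox-style `ps` output (PID USER VSZ STAT COMMAND);
# PIDs and paths are made up, only the "grep 7z" line echoes the thread.

CLEAN_PS='  PID USER       VSZ STAT COMMAND
    1 admin     1236 S    init
 8120 admin     5320 S    /usr/sbin/smbd
25136 admin      536 S    grep 7z'

INFECTED_PS='  PID USER       VSZ STAT COMMAND
    1 admin     1236 S    init
24001 admin     9880 R    /usr/local/sbin/7z a -mhe=on -p[redacted] /share/Photos/img.7z /share/Photos/img.jpg
25136 admin      536 S    grep 7z'

# Naive check from the thread: the grep process itself contains "7z",
# so this is never 0 even on a clean NAS.
count_naive() {
    printf '%s\n' "$1" | grep -c 7z || true
}

# OneCD's fix: drop the grep line before counting
# (same effect as `ps | grep 7z | grep -v grep`).
count_filtered() {
    printf '%s\n' "$1" | grep 7z | grep -v grep | grep -c . || true
}

# Stricter: look only at the executable (first word of COMMAND) and
# count it only when its basename is exactly "7z", so neither the grep
# line nor an unrelated command that merely mentions 7z can match.
count_by_command() {
    printf '%s\n' "$1" | awk '
        NR > 1 { n = split($5, p, "/"); if (p[n] == "7z") hits++ }
        END    { print hits + 0 }'
}

# Run all three checks against both samples when executed directly.
for s in CLEAN_PS INFECTED_PS; do
    eval "ps_text=\$$s"
    echo "$s: naive=$(count_naive "$ps_text")" \
         "filtered=$(count_filtered "$ps_text")" \
         "by_command=$(count_by_command "$ps_text")"
done
```

On a live NAS, replace the constructed sample with `ps` output, e.g. `count_by_command "$(ps)"`.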
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

I am trying to resolve the question of the 'File Not Found' error in the Filestore script which reassembles the mess caused by Qlocker.

Firstly, if the file is listed in NAS and it has a .7z added to it, means it must have existed, yes?

If it did exist, then it was supposedly deleted with all the other files that Qlocker deleted, yes?

If it was deleted then it should be there still, like the other files that have been recovered, Yes?

If it is still there, then PhotoRec or EaseUS or whatever would have brought it over with the rest of the recovered files. Yes?

So if it didn't arrive, it means it is not there, or for some reason it was not picked up by the Data recovery programs.

What are any other options for the 'File Not Found' message?

Just trying to get to the bottom of this. Have they been corrupted beyond recognition, or are they on a deeper layer or, or?

Thanks

oz
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

ozstar wrote: Fri May 21, 2021 12:17 pm I am trying to resolve the question of the 'File Not Found' error in the Filestore script which reassembles the mess caused by Qlocker.
These questions are better asked in the QLocker thread and the dedicated recovery thread (by Xandl) on the Bleeping Computer forum where the scripts' authors may see them.
Firstly, if the file is listed in NAS and it has a .7z added to it, means it must have existed, yes?
Yes.
If it did exist, then it was supposedly deleted with all the other files that Qlocker deleted, yes?
Yes.
If it was deleted then it should be there still, like the other files that have been recovered, Yes?
Should be "there" where? If you mean on the NAS, not necessarily. It may not be recoverable if it was overwritten by one or more other files. Each new .7z file that was created potentially overwrote part or whole of an original file that was previously deleted, making that deleted file unrecoverable.
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Thank you. Yes, that makes sense now. Overwritten!
yahoogoogle
First post
Posts: 1
Joined: Tue May 25, 2021 11:55 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by yahoogoogle »

Hi everyone,

May I know if there is any way to access the onion page again or contact the hacker for paying the BTC for password? Thanks!!
MWZotti wrote: Mon May 17, 2021 11:45 pm I'm in the same boat. Went to the link and Onionsite not found.

What do I do now?