[RANSOMWARE] 4/20/2021 - QLOCKER

ChiefORZ
Starting out
Posts: 17
Joined: Tue Apr 03, 2012 3:52 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ChiefORZ » Thu May 13, 2021 10:40 pm

I got attacked by those buggers too - but luckily I could find out the password they used to encrypt my files.
Then I tried a bash script to decrypt all my files, but my script was unstable - so I wrote a Node.js script that decrypts all 7zip archives from a specific directory recursively.

1.) Install Node.js on your Qnap NAS (I did it through Qnapclub's QPKG Store https://qnapclub.eu/en/howto/1)
2.) ssh into your NAS
3.) create a folder somewhere (e.g. `mkdir /share/Public/recover-qlocker`)
4.) copy the files from this gist into the newly created folder (https://gist.github.com/ChiefORZ/4b0826 ... eb5b52f0e3)
5.) go to the folder and install the npm dependencies (`cd /share/Public/recover-qlocker; npm install;`)
6.) edit the .env and paste your 7zip password
7.) go to the folder, where you want to start the recovery (`cd /share/CACHEDEV3_DATA`)
8.) run the script (`node /share/Public/recover-qlocker`)
... by the way ... has anyone heard about a coming update to PHP?

theincogtion
Starting out
Posts: 27
Joined: Mon Mar 28, 2016 9:56 pm

Attack vector upnp & HBS?

Post by theincogtion » Fri May 14, 2021 1:57 am

As QNAP is very silent about how the attacker could break into the NAS, I have some questions for the community:
1. Was the attack possible due to activated UPnP?
1.1 Is any kind of UPnP enabled by default which could have allowed hackers to breach my device?
2. Were all myQNAPcloud users vulnerable to this attack?

P3R
Guru
Posts: 12661
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Attack vector upnp & HBS?

Post by P3R » Fri May 14, 2021 4:08 am

theincogtion wrote:
Fri May 14, 2021 1:57 am
As QNAP is very silent about how the attacker could break into the NAS, I have some questions for the community:
They explained it more than a week ago.
1. Was the attack possible due to activated UPnP?
UPnP is one possibility but some users have probably opened the ports manually. I think that the overwhelming majority of users, even among those that used UPnP, were aware of their system being exposed on the internet. The problem is that inexperienced users blindly trusted their Qnap to be secure as Qnap didn't warn properly about the inherent risks of internet exposure.

Now Qnap are changing their recommendation to say that Qnaps shouldn't be exposed on the internet.
1.1 Is any kind of UPnP enabled by default which could have allowed hackers to breach my device?
I think that UPnP is enabled by default, or at least that the configuration guide led the user in that direction. But that's just part of the problem. Most home routers have UPnP enabled by default and both are required for it to work, so both suppliers are to blame for having insecure defaults.
2. Were all myQNAPcloud users vulnerable to this attack?
myQNAPcloud is unlikely to have made any difference here. The real problem was the internet exposure in itself in combination with the vulnerability.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

ThatGuyInVegas
New here
Posts: 3
Joined: Mon May 17, 2021 2:19 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ThatGuyInVegas » Mon May 17, 2021 4:39 am

I stumbled on the topic of Qlocker from a YouTube video 2 days ago by some poor guy who got ravaged by this. The two predominant methods for getting nailed with ransomware are:
  • A user gets fooled into clicking on a link that brings down the payload.
  • Ports are opened on a basic firewall (i.e., not a WAF), allowing the attacker to use methods like SQL injection.
Another newer possible method, given the SolarWinds attack, is to infect a legitimate system update or plug-in that pulls down the bad payload.

This particular Qlocker attack appears to result from open firewall ports allowing SQL injection to occur. https://threatpost.com/qnap-nas-devices ... ck/165165/
To a large degree, this is QNAP's fault; the features on their NAS advertise hosting numerous types of web services. Because of this, we can confidently assert the following:
  • QNAP should make sure that, out of the box, least privilege is the default security posture.
  • QNAP did not adequately run proper vulnerability scans or do dynamic or static code analysis before release. (SQL injection is an easy-to-find exploit.)
Maybe it's because I work in cybersecurity and see what hits the defenses of the place I work; personally, I wouldn't open ports on my SOHO firewall in today's world. Unless you can employ comprehensive protections around your web server and incorporate a defense-in-depth strategy, I would not (and do not) do it. Hackers are running attack playbooks that scour the Internet, looking for vulnerable systems to hit 24/7. Unless QNAP is ready to take on the challenges of better securing their NAS products against these aggressive bad actors, you're better off using a cloud solution to host whatever you want to host. Use QNAP as a storage device, and for internal development only; don't open ports on your firewall unless you can implement protections like:
  • Web Application Firewall (WAF)
  • Endpoint Detection & Response (EDR) - NOT just heuristic antivirus; sorry, ClamAV doesn't cut it
  • Data Leak Prevention (DLP)
  • Enterprise Vulnerability Management (EVM)
  • Security Orchestration, Automation, and Response (SOAR)

That is a partial list; unless you can put protections like that in place, you are at risk and running in a highly reactive mode to threats. All that said, I patched my QNAP and locked it down hard despite the fact I don't have a port open on my home firewall.

Bschneider
First post
Posts: 1
Joined: Mon May 17, 2021 7:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Bschneider » Mon May 17, 2021 7:26 pm

For anyone that got hit recently can you post the new onion page please? The one that was in my Read_me file doesn't work and the one that was posted earlier stopped working last night. I got hit back on 04/21 and didn't realize it until this weekend. Thank you.

MWZotti
New here
Posts: 8
Joined: Mon Dec 29, 2014 2:15 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by MWZotti » Mon May 17, 2021 11:45 pm

I'm in the same boat. Went to the link and Onionsite not found.

What do I do now?

dolbyman
Guru
Posts: 23165
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Tue May 18, 2021 12:02 am

Maybe they got busted or just shut down. Either the authorities took over the server and might provide a tool (based on decryption databases), or the ransom guys pulled the plug (made enough money) and you are SOL.

MWZotti
New here
Posts: 8
Joined: Mon Dec 29, 2014 2:15 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by MWZotti » Tue May 18, 2021 12:14 am

Guess I'm just SOL. Shame on me for not backing up. Were only certain file types affected? Most of my video files were untouched, or maybe I inadvertently rebooted not knowing what was going on??? I only discovered the .7z files today.

Mousetick
Experience counts
Posts: 1044
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Tue May 18, 2021 9:38 am

MWZotti wrote:
Tue May 18, 2021 12:14 am
Guess I'm just SOL. Shame on me for not backing up. Were only certain file types affected? Most of my video files were untouched, or maybe I inadvertently rebooted not knowing what was going on??? I only discovered the .7z files today.
Only small files were affected. If I read and remember correctly the reports, I think it was any file smaller than 20 MB.

MWZotti
New here
Posts: 8
Joined: Mon Dec 29, 2014 2:15 am

Post by MWZotti » Wed May 19, 2021 4:47 am

Question - Could the password have been moved somewhere since Malware Remover found the malware and isolated it? This was on 4/23. When I logged into my NAS on 5/1 I saw a firmware update was ready so I rebooted; there was no warning not to reboot for the firmware update and to check for the malware. So is there a possibility that the password is in one of the renamed files that was part of the malware scanner? Or am I grasping at straws?

ozstar
Know my way around
Posts: 195
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Wed May 19, 2021 11:22 am

Hi,

You might like to look at this thread, post by Mousetick on May 18.

Great explanation of the log file.

viewtopic.php?f=185&t=161399&p=790655#p790655

Draknof
New here
Posts: 4
Joined: Sun Sep 27, 2015 4:33 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Draknof » Thu May 20, 2021 3:20 am

I followed these instructions: https://www.qnap.com/en-us/how-to/faq/a ... iles-by-7z

[/usr/local/sbin] # ps | grep 7z
25136 admin       536 S   grep 7z
Do I still have the virus running?

OneCD
Ask me anything
Posts: 9058
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD » Thu May 20, 2021 4:10 am

Draknof wrote:
Thu May 20, 2021 3:20 am
Do I still have the virus running?
No. The result you're seeing is your original request. ;)

Use this instead:

ps | grep 7z | grep -v grep


ozstar
Know my way around
Posts: 195
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Fri May 21, 2021 12:17 pm

I am trying to resolve the question of the 'File Not Found' error in the Filestore script which reassembles the mess caused by Qlocker.

Firstly, if the file is listed on the NAS and it has .7z added to it, that means it must have existed, yes?

If it did exist, then it was supposedly deleted with all the other files that Qlocker deleted, yes?

If it was deleted then it should be there still, like the other files that have been recovered, yes?

If it is still there, then PhotoRec or EaseUS or whatever would have brought it over with the rest of the recovered files. Yes?

So if it didn't arrive, it means it is not there, or for some reason it was not picked up by the Data recovery programs.

What are any other options for the 'File Not Found' message?

Just trying to get to the bottom of this. Have they been corrupted beyond recognition, or are they on a deeper layer or, or?

Thanks

oz

Mousetick
Experience counts
Posts: 1044
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Fri May 21, 2021 4:46 pm

ozstar wrote:
Fri May 21, 2021 12:17 pm
I am trying to resolve the question of the 'File Not Found' error in the Filestore script which reassembles the mess caused by Qlocker.
These questions are better asked in the QLocker thread and the dedicated recovery thread (by Xandl) on the Bleeping Computer forum where the scripts' authors may see them.
Firstly, if the file is listed on the NAS and it has .7z added to it, that means it must have existed, yes?
Yes.
If it did exist, then it was supposedly deleted with all the other files that Qlocker deleted, yes?
Yes.
If it was deleted then it should be there still, like the other files that have been recovered, Yes?
Should be "there" where? If you mean on the NAS, not necessarily. It may not be recoverable if it was overwritten by one or more other files. Each new .7z file that was created potentially overwrote part or whole of an original file that was previously deleted, making that deleted file unrecoverable.
