[RANSOMWARE] 4/20/2021 - QLOCKER

dolbyman
Guru
Posts: 23461
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Fri May 28, 2021 12:35 am

was already posted further up ....

rafale
Easy as a breeze
Posts: 348
Joined: Tue May 12, 2015 1:53 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by rafale » Fri May 28, 2021 10:52 pm

In case you guys didn't see this yet...

https://www.bleepingcomputer.com/news/s ... r-account/
Server: TVS-872XT i9 9900 ES, 64GB DDR4 2666MHz, intel X550-T2, Asus RTX3070 Dual OC (On pico PSU), 2x Phison E12 1TB M.2, 4x Micron 5210 7.68TB, 4x WD Purple 4TB
Backup NAS: TS-473 20GB DDR4 2400MHz, Mellanox ConnectX3, 2x Samsung PM871b 256GB M.2, 4x WD Red 8TB
Former units: TVS-1282, TS-871, TS-469

gnapfan111
Starting out
Posts: 19
Joined: Sun Mar 07, 2021 12:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by gnapfan111 » Thu Jun 17, 2021 8:22 pm

What happens with Hybrid Backup Sync now?

I wanted to use HBS to sync my OneDrive folders to the QNAP.

I hesitate to install it after this incident.

However, I didn't find other software that can be installed on the QNAP and could sync MS OneDrive.

Any ideas?

dolbyman
Guru
Posts: 23461
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Thu Jun 17, 2021 9:15 pm

What is the issue with HBS?

Do not forward any ports to your NAS and HBS is (and was) fine.

gnapfan111
Starting out
Posts: 19
Joined: Sun Mar 07, 2021 12:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by gnapfan111 » Thu Jun 17, 2021 10:06 pm

I understand the ransomware used an exploit in HBS, didn't it?

https://www.bleepingcomputer.com/news/s ... r-account/

holger_kuehn
Easy as a breeze
Posts: 294
Joined: Sun Oct 20, 2013 11:45 pm
Location: Premnitz, Germany

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by holger_kuehn » Thu Jun 17, 2021 10:13 pm

This is correct, but this exploit needs an open port from your public IP ("outside" of your router) to the QNAP. If no port forwarding is active, it was and is safe to use HBS3.
NAS (production): TS-1635AX FW: 4.5.4.1723 build 20210708
NAS (backup): TS-1635AX FW: 4.5.4.1723 build 20210708
QTS (SSD): [RAID-1] 2 x 2TB Samsung Evo 860 M.2-Sata
Data (QTier): [RAID-6] 4 x 500GB Samsung Evo 860 Sata
Data (HDD): [RAID-6] 5 x 18TB Exos
RAM: 8 GB (QNAP shipped)
UPS: CyberPower CP900EPFCLCD
BACKUP: 10x4TB WD Red using a USB 3.0 Dock

NAS: TS-873U-RP FW: 4.5.3.1697 build 20210611
Data (SSD): [RAID-10] 4 x 1TB Samsung Evo 860 Sata
RAM: 8 GB (QNAP shipped)
UPS: CyberPower PR2200ELCDRT2U
BACKUP: 4TB Synology DS214 FW: DSM 6.2.4.25556

dolbyman
Guru
Posts: 23461
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Thu Jun 17, 2021 10:13 pm

Yes, but without port forwards there is no way to reach your NAS to exploit it, hence my advice.

gnapfan111
Starting out
Posts: 19
Joined: Sun Mar 07, 2021 12:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by gnapfan111 » Thu Jun 17, 2021 10:28 pm

OK, I see. I think I don't have any port forwarding enabled; if so, I will turn it off.

I followed the suggestions in this QNAP article.
https://www.qnap.com/en/how-to/faq/arti ... s-security

Otherwise, what would I need port forwarding for?
What services or use cases benefit from it?

I wanted to look into the guides to set up a VPN server so I can connect to my QNAP NAS from elsewhere, but I haven't had the energy to look into it yet.

dolbyman
Guru
Posts: 23461
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Thu Jun 17, 2021 10:47 pm

Port forwards are used to reach your NAS from WAN... most people use it for file sharing, video sharing, for devices advertised as "private cloud".

luisfdgon
First post
Posts: 1
Joined: Sun Jun 20, 2021 4:34 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by luisfdgon » Sun Jun 20, 2021 4:46 am

Hi Guys,

Another victim here... :(

I was trying to use QRescue to recover my files, but QRescue now doesn't open. It shows an error:

Error
Page not found or the web server is currently unavailable. Please contact the website administrator for help.

Does anyone know what might be the cause?

The first time I installed it, it was working, but now it shows the error. I even tried to reinstall, without success.

holger_kuehn
Easy as a breeze
Posts: 294
Joined: Sun Oct 20, 2013 11:45 pm
Location: Premnitz, Germany

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by holger_kuehn » Mon Jun 21, 2021 11:08 pm

QNAP Support might be able to help out here, have you created a ticket?

zeverken
New here
Posts: 2
Joined: Fri Jul 16, 2010 3:42 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by zeverken » Wed Jun 23, 2021 5:22 pm

It seems they're accepting ransom again? I had to disable the scriptblocker of TOR browser on the page where you have to enter your code, and then it moved to the payment page. Price went up to 0.05 BTC though... Can't pay that. Maybe QNAP can compensate by paying it for me?

lichmatthew
First post
Posts: 1
Joined: Thu Sep 12, 2019 1:51 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by lichmatthew » Sat Jul 03, 2021 11:35 pm

zeverken wrote:
Wed Jun 23, 2021 5:22 pm
"It seems they're accepting ransom again? I had to disable the scriptblocker of TOR browser on the page where you have to enter your code, and then it moved to the payment page. Price went up to 0.05 BTC though... Can't pay that. Maybe QNAP can compensate by paying it for me?"

Hi, are they still accepting ransom now? And may I know how we could disable the scriptblocker on TOR browser? Thanks!

livelynet
New here
Posts: 3
Joined: Fri Nov 01, 2019 7:10 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by livelynet » Sun Jul 04, 2021 9:07 pm

Here is an update on the efforts of the firm https://monstercloud.com/ to try unlocking the files.

We set up the 2 NAS devices that have QLocker on the client's files in a separate network, no anti-virus enabled and TeamViewer access. After a WEEK of trying, the firm expert and his team were unable to unlock the files. They did refund all of the $20,000.00 as stated in their agreement to the client and they, in turn, returned it to the insurance company.

We are reaching out to any and all that may have found a way to unlock the files and as of yet no success. :(

HINDSIGHT:

Since we had the attack very early in the cycle of this, we found the Bleeping Computer post someone had posted and immediately tried it on one of the QNAP NAS's. Without any support from QNAP we did as instructed BUT we failed to know this. When the NAS was accessed via QFinder it said an updated firmware was available.

FIRST BIG MISTAKE: Since the client did not keep up with at least 3 new updates, we immediately updated to the latest firmware to stop any further attacks.
SECOND BIG MISTAKE: What does a new firmware do as part of its update: RESTART

We have waited for any further information, guides or otherwise and currently have 4 hard drives full of data all locked with the QLocker.

Let us know if anyone has any clues to unlocking these files.

Thank you.

Mousetick
Experience counts
Posts: 1082
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Sun Jul 04, 2021 9:51 pm

livelynet wrote:
Sun Jul 04, 2021 9:07 pm
"Here is an update on the efforts of the firm https://monstercloud.com/ to try unlocking the files."

Interesting, but not surprising. So not only you or your clients fall victim to ransomware but to make matters worse you or your clients fall prey to snake oil merchants. You were lucky to be refunded. Did the firm charge a non-refundable assessment fee?

"We are reaching out to any and all that may have found a way to unlock the files and as of yet no success. :("

If you had done a little research you would know very well by now that there is no way to decrypt the files and that the so-called ransomware recovery firms are scams.

This post on the Bleeping Computer forum sums it up:

"In regards to data recovery services specifically, they typically act as a "middleman", pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Other data recovery services hide the actual ransom cost from clients and/or mark the cost up exponentially as noted here. Some data recovery services operate more like scammers while others like Fast Data Recovery have even been reported to make false claims to be able to decrypt data by ransomware which is not decryptable and charge an assessment fee. Experts have identified Proven Data, Red Mosquito, MonsterCloud, Dr. Shifro and Fast Data Recovery as some of the most dishonest and predatory data recovery services."

livelynet wrote:
Sun Jul 04, 2021 9:07 pm
"Let us know if anyone has any clues to unlocking these files."

It's not possible to unlock the encrypted files, without the encryption key held by the cybercrooks. NO WAY.

If the storage volumes containing the encrypted files are still in the state they were shortly after the ransomware attack, and have not been moved or modified in any way since then, you can attempt to recover (some of) the original files that were deleted as a result of the encryption process. The procedure is implemented by QNAP and they can help you perform it. Go to https://service.qnap.com and click on the link 'Qlocker Data Recovery Service (QDRS)' displayed near the top of the page under the 'Latest News' heading.
Last edited by Mousetick on Sun Jul 04, 2021 10:40 pm, edited 1 time in total.
