[RANSOMWARE] 4/20/2021 - QLOCKER

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
g73jkwy
Starting out
Posts: 15
Joined: Mon Dec 26, 2016 11:18 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by g73jkwy » Fri Jan 14, 2022 1:44 am

Anyone know how is it possible to correct the behaviour of the arrow keyboard keys in Putty?

I've connected to the NAS thorugh RAW connection.

"Initial state of cursor keys > Application" not working...

Lindwurm
New here
Posts: 3
Joined: Thu May 10, 2018 7:49 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Lindwurm » Fri Jan 14, 2022 4:06 am

g73jkwy wrote:
Fri Jan 14, 2022 1:44 am
Anyone know how is it possible to correct the behaviour of the arrow keyboard keys in Putty?

I've connected to the NAS thorugh RAW connection.

"Initial state of cursor keys > Application" not working...
Maybe it's disabled, you can check it on the setting 'Features'.

The QNAP-Support wrote that i have to restart the NAS... I'm not shure, should I do restart?

max_well
Starting out
Posts: 23
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well » Fri Jan 14, 2022 11:05 pm

I welcome me to this tread, as I just discovered that my unit was hacked too. The timestamps are from this Wednesday early morning local time when I was still asleep.

I yet have to read through the essential things what to do now, restoring from external back is the obvious thing however I already know that those top level directories (shares) which were encrypted are NOT on my external backup (lots-o-data, $$$, etc.) so I can't do that anyway.

Seems some folders with personal and important stuff were actually not encrypted and I'm not sure I need the other stuff, it's too much to look through quickly.

What's most important to me now: how to make the system secure again?

When I noticed the various QNAP messages recently, I installed the Security Counselor and followed all the steps immediately except: upgrading firmware. Because I once "broke" my NAS with that and it was a super PITA to get it working again, so I refrain from doing it too often, put it on the back burner, wait for the respective feedback in the forum topic to see if some users are burned or if its save and then eventually get over it and do it.

I noticed that Malware Scanner does not open, gives me a page "Not Found The requested URL was not found on this server.", yay.

Condolences to myself and all other affected ones, btw.

User avatar
dolbyman
Guru
Posts: 25337
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Fri Jan 14, 2022 11:12 pm

just read the thread

e.g
viewtopic.php?f=45&t=160849&start=705#p807158

Only way to secure your system..after that, never expose it again

max_well
Starting out
Posts: 23
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well » Sat Jan 15, 2022 3:02 am

dolbyman wrote:
Fri Jan 14, 2022 11:12 pm
just read the thread

e.g
viewtopic.php?f=45&t=160849&start=705#p807158

Only way to secure your system..after that, never expose it again
Thank you, got it!

--
I hope it's not too early to party for me, but I was browsing this thread and basically one of the messages on the first page viewtopic.php?f=45&t=160849#p786812 talks about extracting the password in case "proces is still running"
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
This motivated me to regain hope and I enabled remote terminal access and logged in, and lo' and behold I found multiple 7z related processes STILL BEING ACTIVE. Couldn't believe my eyes.

I then followed the procedure and extracted the password successfully and confirmed it with a few samples, but until I've everything back it's not time to party yet.

Some things I observed:
  • I've multiple shares but only two were encrypted
  • the first one was completely encrypted but only had like 3 files or so
  • the second one was my "archive from the last century" stuff, even I don't know anymore what there is. But the number of files, big and small, is extremely high and this is the share were the encryption was still running
  • I've more shares, alphabetically following the first two, which are yet untouched
  • I now assume it's going through the shares alphabetically, first placing the README and then starting to encrypt stuff
  • which in my case made me lucky because the "stuff from last century" is less important than what I had on the other shares following
  • my best guess, based on the readme timestamp, is that it all started this Wednesday but due to the sheer number of files on the one share, it was still working on it
  • I basically followed the above linked guide but realized in my case the local 7 zip doing the work was named `7z.orig` and thus I had to adapt the file names
  • seconds after that I got the password in the logfile: yugiohnl you're an unsung hero!
  • first decrypting via my OSX native zip did not accept the password so I thought this didn't work
  • had to download 7zip via homebrew, decryption worked!
I've now shutdown the NAS completely, pondering my next move and also planing for the future to avoid having this again.

I was not on the latest firmaware, but I did recently "harden" the system with the Counselor. But maybe this was during Wednesday and too late, I can't remember it exactly anymore. Not easy to remember everything next to work and kids. I'm probably a lucky SOB and don't deserve this.

User avatar
dolbyman
Guru
Posts: 25337
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Sat Jan 15, 2022 3:30 am

great that you could find the decryption password,

I'd go a see if it works with whatever you have in terms of crypted files, to decrypt them, if that works. Do a complete backup of all files (to be later decrypted) and kill the system to get rid of the maleware

DQv7Ct_un@MY
New here
Posts: 3
Joined: Sat Jan 15, 2022 7:17 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by DQv7Ct_un@MY » Sat Jan 15, 2022 7:38 am

Hi. I have just joined the forum because i have recently purchased a QNAP NAS. Had it about a month and was going through the setup to configure it how i wanted.
Yes i had disabled admin account, yes i had put in place very strong passwords, and yes i thought i had done what was required to secure it from attack - from a novices point of view.
Tonight i find that the QLocker has been busy - the QLocker ransom text file was created on the 12th (2 days ago) and now the majority of the files are encrypted.
Luckily, as i have only recently purchased the NAS my files are still on my external USB drives so will not be lost. This reinforces the idea of making editional backups and to not rely on the NAS.
On searching and reading articles, this QLocker ransomware was discovered March-21 as described in the QNAP security advisory QSA-21-13. Reading the note it appears that QNAP fixed the hole by the end of April-21
So if QNAP have fixed the venerability then why oh why has my NAS fallen victim? especially if the Malware Remover tool runs automatically every 24h?
Can you give some pointers about how i should secure the NAS when i come to restore the corrupted files?
Should i factory reset and start again with an empty NAS
If the QLocker task has executed, is it somewhere lurking to strike again?

User avatar
dolbyman
Guru
Posts: 25337
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Sat Jan 15, 2022 8:17 am

DQv7Ct_un@MY wrote:
Sat Jan 15, 2022 7:38 am
Hi. I have just joined the forum because i have recently purchased a QNAP NAS. Had it about a month and was going through the setup to configure it how i wanted.
[...]
see this (please just read the thread)

viewtopic.php?f=45&t=160849&start=735#p807610

and NEVER EVER expose your NAS again ...

Riverwave
First post
Posts: 1
Joined: Sun Jan 03, 2016 4:03 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Riverwave » Sat Jan 15, 2022 8:34 am

SOS!!!
What to do??? What to do ??
I found out that my QNAP451 was hit at Friday noon US Eastern time (6 hours ago). I found out files in a fold was encrypted 2 days ago and have to open by password.
Without knowing the issue, I shutdown my QNAP and open a ticket to QNAP. But it had already no customer service anymore for the weekend.
What to do next?

Some QNAP security advisory said DO NOT shut down and contact QNAP tech support. But I already shut down and Tech support is not available.

One document said to install QRescue to recover: https://www.qnap.com/en/how-to/tutorial ... n-qnap-nas

I am confused about what to do next. Wait for tech support to follow the QRescue?
Or Do I need to read through this 50-page thread and try to find out a solution?
Is there a summary somewhere? or an official solution?

Thx

DQv7Ct_un@MY
New here
Posts: 3
Joined: Sat Jan 15, 2022 7:17 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by DQv7Ct_un@MY » Sat Jan 15, 2022 3:18 pm

So what to do now...
I have backups of all the data elsewhere so nothing will be lost
Do I factory reset the NAS and setup again recreating the disks and shares?
or
Do I simply restore file from backups?
Obviously I will need to address how the NAS is exposed in the process....
Assuming that i address the vulnerabilities, and i simply restore files, is there anything left behind by QLocker on my NAS that will repeat the encryption process?

max_well
Starting out
Posts: 23
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well » Sat Jan 15, 2022 5:55 pm

FTR, my negligence I realized _so far_ was:
  • I had a firmware running from 2021-04-06; that was a few weeks before this thread was created. I guess something prompted me almost a year ago to upgrade and then not; no idea
  • The internal web UI https://<internal ip> was explicitly routed through from outside on my WI-FI router. This was my doing, many years ago, when I truly used to regularly connected to it from outside. Given that I'm almost 2 years in home office, this could have been avoided. I shut it down now.
Further it seems about 12k _folders_ where hit by the ransomware, counted by the fact that the place this README in every folder to perform this operation. So far all used the same password I already extracted, so my next step is to a) figure out if I still needed the data and if not, just deleted it and b) decrypt the rest.

I can't yet just delete/reset/format everything, the size of data of the NAS is so big I've nothing in my house to move this temporarily. So my only solution is to minimize the actual data I want before backing it up external and THEN factory reset it. During this process I'll have it physically disconnected from the internet in my household for now and I'm also constantly checking for signs of the ransomware, but none so far.

That the qlocker CVE says the vulnerability is in HBS 3 is absolutely ironic, as this is THE tool to have your data backed up in the cloud so for many like me it would be an easy made to decision to have running. The CVS also says it's fixed in "QTS 4.5.2: HBS 3 v16.0.0415 and later". I was running 4.5.2 but why HBS 3 was not the latest version I've no idea; I hesitate firmware upgrades but not app upgrades.

But now checking out the current list of CVEs at https://www.qnap.com/de-de/security-adv ... ry_details and seeing they released one on 2022-01-13 marked as HIGH with "If exploited, the vulnerability allows attackers to run arbitrary code in the system" a day after mine was hacked, gives me an idea what was going on. My system maybe was immune against the year old attack vector but not against this one? I since then upgraded to 5.0.0.1891.

As it was repeated many times, the only way to be sure is to not have it exposed to the internet. In my case I explicitly opened the door even, so... #LessonLearned
DQv7Ct_un@MY wrote:
Sat Jan 15, 2022 7:38 am
So if QNAP have fixed the venerability then why oh why has my NAS fallen victim? especially if the Malware Remover tool runs automatically every 24h?
I'm making this up by connecting the dots, but maybe this is the doing of https://www.qnap.com/de-de/security-advisory/qsa-21-57 to get into the system and then used the same ransomware method.

I'm pressing thumbs for anyone affected, this is super stressful.

P3R
Guru
Posts: 12791
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Sat Jan 15, 2022 7:10 pm

max_well wrote:
Sat Jan 15, 2022 5:55 pm
I'm making this up by connecting the dots, but maybe this is the doing of https://www.qnap.com/de-de/security-advisory/qsa-21-57 to get into the system and then used the same ransomware method.
That's my theory as well. As Qnap don't tell us we have to guess though.

Qnap most likely knew that this QLocker2 attack was happening and that's probably why they released this security statement a little more than a week ago hoping that users would end direct exposure of their Qnaps on the Internet.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

max_well
Starting out
Posts: 23
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well » Sat Jan 15, 2022 7:59 pm

Oh my. I DID get the news and did install the Counselor, but I missed that part. Because in the basic Counselor profile, this is NOT reported.

max_well
Starting out
Posts: 23
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well » Mon Jan 17, 2022 5:36 am

Disclaimer: it worked for me, YMMV, yada yada

I guess I can call myself a lucky SOB because indeed I was
  • able to uncover the password as the ransomware encryption was still ongoing
  • batch decrypted all encrypted files, nothing was lost
I found multiple people posting their solutions for decrypting once you had the password, but I was not satisfied and had to come up with my own:
  • bullet proof regarding file / path handling due to whitespaces, special characters etc.
  • I used https://www.shellcheck.net/ to make sure the script doesn't contain "stupid errors"
  • Don't want to unpack 7z files which were not part of the ransomware encryption, i.e. got many 7z files on my own which were _not_ encrypted
  • Parallelize the process: my NAS machine has 4 cores, the ransomware encryption was done in a single process but I wanted to use all resources to get them back ASAP
  • I wanted to run this thing natively on the NAS and not via any network share
Before I ventured out to write the script, I installed Entware and some basic "niceties" to make the process or writing and testing these scripts bearable: bash, findutils, htop, mc, mlocate, p7zip, tmux, vim-full. Most are not necessary but I'm used to use terminal multiplexers when working in the terminal.

I divided it into two scripts: one which scans the directories and only processes the ones containing the `!!!READ_ME.txt` files, the other one doing the actual decryption with some checks and for being easier to parallelize

These script are provided as is, use them at your own risk!

qlocker_decrypt_dir.sh
See the PARALLEL_PROCESSES to the number of cores your NAS has

Code: Select all

#!/usr/bin/env bash

# Number of cores of your system
PARALLEL_PROCESSES=4

if [[ ! -d "$1" ]]; then
    echo "Usage: $0 <directory>"
    exit 1
fi

find "$1" . -name '!!!READ_ME.txt' -print0 | while IFS= read -r -d '' readme; do
    # Get directory from readme file
    dir="${readme%/*}"

    # Count the number of 7z files
    count=$(find "$dir" -maxdepth 1 -name '*.7z' | wc -l)
    echo "Found $count 7z files in $dir"

    find "$dir" -maxdepth 1 -name '*.7z' -print0 | xargs -0 -n 1 -P $PARALLEL_PROCESSES ./qlocker_decrypt_file.sh

    # Count the number of 7z files again
    count=$(find "$dir" -maxdepth 1 -name '*.7z' | wc -l)
    # and delete the txt file if all are gone
    if [[ "$count" = "0" ]]; then
        rm "$readme"
    else
        echo "  WARNING: $count zipped files still in $dir"
    fi

    echo ""
done
qlocker_decrypt_file.sh
Adjust the PASSWORD variable to the one you uncovered.

Code: Select all

#!/usr/bin/env bash

PASSWORD="YOUR PASSWORD"

if [[ ! -f "$1" ]]; then
    echo "Usage: $0 <some file.7z>"
    exit 1
fi

zipped="$1"
dir="${zipped%/*}"
extension="${zipped##*.}"

echo "  Processing $zipped"

if [[ "$extension" != "7z" ]]; then
    echo "    ERROR: not a 7z file: $1"
    exit 1
fi


filename="${zipped%.*}"
if [[ -f "$filename" ]]; then
    echo "    ERROR: file $filename already exists, skipping"
    exit 1
fi

# Check if zipped file is encrypted
if ! 7z l -pyolo "$zipped" | grep 'Method = Copy 7zAES' > /dev/null; then
    echo "    ERROR: file $zipped not encrypted, skipping"
    exit 1
fi

7z e -p$PASSWORD -aos -bso2 -bse2 -bsp2 "$zipped" -o"$dir" && rm "$zipped"
I used the command like this, so I could alter review the stdout/stderr stuff for any problems:

Code: Select all

`time ./qlocker_decrypt_dir.sh "<your directory here" 2>> 7zip.stderr >> qlocker_decrypt.log`
It's advised to make a test run, e.g. make a copy of some encrypted directories and test out the script there first!

I did use Entwares `mlocate` to get a list of all files on all mounts so I could quickly iterate finding anything still containing the dreaded readme file and I did ran `updatedb` irregularly to track this.

I think the two biggest contributing factors I was able to pull myself out of this misery were:
  • Luck insofar that I discovered this "early on"
  • I've over 3 million files on my NAS and once I discovered the attack, ~400k were encrypted after roughly 3 full days and it was still ongoing because it took so long
With the above scripts I was unable to recover the files in approx. 24 hours, thanks to the 4 cores.

HTH!

User avatar
OneCD
Ask me anything
Posts: 9599
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD » Mon Jan 17, 2022 5:44 am

max_well wrote:
Mon Jan 17, 2022 5:36 am
I guess I can call myself a lucky SOB because indeed I was
  • able to uncover the password as the ransomware encryption was still ongoing
  • batch decrypted all encrypted files, nothing was lost
Good work! :)

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

Post Reply

Return to “Users' Corner”