[RANSOMWARE] Qlocker
-
- Starting out
- Posts: 15
- Joined: Mon Dec 26, 2016 11:18 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Anyone know how it is possible to correct the behaviour of the arrow keys in PuTTY?
I've connected to the NAS through a RAW connection.
"Initial state of cursor keys > Application" is not working...
-
- New here
- Posts: 3
- Joined: Thu May 10, 2018 7:49 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Maybe it's disabled; you can check it in the 'Features' setting.
QNAP Support wrote that I have to restart the NAS... I'm not sure, should I restart?
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I welcome myself to this thread, as I just discovered that my unit was hacked too. The timestamps are from this Wednesday early morning local time when I was still asleep.
I have yet to read through the essential things to do now. Restoring from external backup is the obvious thing, however I already know that those top-level directories (shares) which were encrypted are NOT on my external backup (lots-o-data, $$$, etc.), so I can't do that anyway.
It seems some folders with personal and important stuff were actually not encrypted, and I'm not sure I need the other stuff; it's too much to look through quickly.
What's most important to me now: how to make the system secure again?
When I noticed the various QNAP messages recently, I installed the Security Counselor and followed all the steps immediately except one: upgrading the firmware. Because I once "broke" my NAS with that and it was a super PITA to get it working again, I refrain from doing it too often: I put it on the back burner, wait for the respective feedback in the forum topic to see if some users are burned or if it's safe, and then eventually get over it and do it.
I noticed that Malware Scanner does not open; it gives me a page "Not Found The requested URL was not found on this server.", yay.
Condolences to myself and all other affected ones, btw.
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
just read the thread
e.g
viewtopic.php?f=45&t=160849&start=705#p807158
Only way to secure your system..after that, never expose it again
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
dolbyman wrote: ↑Fri Jan 14, 2022 11:12 pm
just read the thread
e.g
viewtopic.php?f=45&t=160849&start=705#p807158
Only way to secure your system..after that, never expose it again
Thank you, got it!
--
I hope it's not too early to party for me, but I was browsing this thread and basically one of the messages on the first page viewtopic.php?f=45&t=160849#p786812 talks about extracting the password in case the "process is still running".
This motivated me to regain hope, and I enabled remote terminal access and logged in, and lo' and behold I found multiple 7z-related processes STILL BEING ACTIVE. Couldn't believe my eyes.
```sh
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
```
the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
I then followed the procedure and extracted the password successfully and confirmed it with a few samples, but until I have everything back it's not time to party yet.
Some things I observed:
- I've multiple shares but only two were encrypted
- the first one was completely encrypted but only had like 3 files or so
- the second one was my "archive from the last century" stuff; even I don't know anymore what is in there. But the number of files, big and small, is extremely high and this is the share where the encryption was still running
- I've more shares, alphabetically following the first two, which are yet untouched
- I now assume it's going through the shares alphabetically, first placing the README and then starting to encrypt stuff
- which in my case made me lucky because the "stuff from last century" is less important than what I had on the other shares following
- my best guess, based on the readme timestamp, is that it all started this Wednesday but due to the sheer number of files on the one share, it was still working on it
- I basically followed the above linked guide but realized in my case the local 7-Zip doing the work was named `7z.orig` and thus I had to adapt the file names
- seconds after that I got the password in the logfile: yugiohnl you're an unsung hero!
- first decrypting via my OSX native zip did not accept the password so I thought this didn't work
- had to download 7zip via homebrew, decryption worked!
I was not on the latest firmware, but I did recently "harden" the system with the Counselor. But maybe this was during Wednesday and too late, I can't remember it exactly anymore. Not easy to remember everything next to work and kids. I'm probably a lucky SOB and don't deserve this.
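The one-liner quoted above works because 7z receives the password inline as a `-p<password>` argument, so a stub that merely records its arguments captures the key while stalling the encryption process. As an added example (my own code, not from this thread or the linked post), the same idea as two reusable POSIX shell functions: `install_logging_wrapper` puts a logging stub in place of a given binary, and `extract_password` pulls the `-p` value back out of the log. The function names, the `QLOCKER_HOLD_SECONDS` override and the sample invocation in `demo` are assumptions made for this example; on a real NAS you would call `install_logging_wrapper /usr/local/sbin/7z /mnt/HDA_ROOT/7z.log` (or `7z.orig`, as the post notes) after having taken the box off the network.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked post. It generalises
# the "replace 7z with a stub that logs its arguments" recovery trick: the stub
# records every invocation (timestamp + arguments) and then stalls, so the
# process that called it stays alive but does no further work.

# install_logging_wrapper BINARY LOGFILE
#   Moves BINARY to BINARY.bak (once) and installs a stub at BINARY that
#   appends one line per invocation to LOGFILE and then sleeps.
#   QLOCKER_HOLD_SECONDS (assumed name) overrides the stall length; the
#   default matches the original one-liner's "sleep 60000".
install_logging_wrapper() {
    bin="$1"
    log="$2"
    if [ -e "$bin" ] && [ ! -e "$bin.bak" ]; then
        mv "$bin" "$bin.bak"
    fi
    {
        printf '#!/bin/sh\n'
        printf "LOG='%s'\n" "$log"   # log path is baked into the stub
        cat <<'EOF'
# Logging stub: one line "<timestamp> <arg1> <arg2> ..." per call, then stall.
# Fields are space separated, so a password containing whitespace would be
# split across fields (Qlocker's keys were plain alphanumeric strings).
{
    printf '%s' "$(date '+%Y-%m-%dT%H:%M:%S')"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
} >> "$LOG"
exec sleep "${QLOCKER_HOLD_SECONDS:-60000}"
EOF
    } > "$bin"
    chmod +x "$bin"
}

# extract_password LOGFILE
#   7z takes the password inline as -p<password>; print the first such value
#   found in the log (skipping the timestamp field). Returns 1 if none found.
extract_password() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^-p./) { print substr($i, 3); exit } }' "$1" | grep .
}

# demo: exercise both functions in a temporary directory with a fake 7z and a
# constructed invocation, without touching the real system.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "real 7z would run here"\n' > "$tmp/7z"
    chmod +x "$tmp/7z"
    install_logging_wrapper "$tmp/7z" "$tmp/7z.log"
    # Constructed sample call in the shape an archiving process would make.
    QLOCKER_HOLD_SECONDS=0 "$tmp/7z" a -mx=0 -pExampleKey123 "$tmp/doc.txt.7z" "$tmp/doc.txt"
    printf 'logged: %s\n' "$(cat "$tmp/7z.log")"
    printf 'recovered password: %s\n' "$(extract_password "$tmp/7z.log")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the round trip in a scratch directory. The stub deliberately never runs the real binary: stalling the caller is what keeps the remaining files untouched, and the renamed `.bak` copy is what you use for the decryption afterwards.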
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
great that you could find the decryption password,
I'd go and see if it works with whatever you have in terms of encrypted files, to decrypt them, if that works. Do a complete backup of all files (to be decrypted later) and kill the system to get rid of the malware
-
- New here
- Posts: 3
- Joined: Sat Jan 15, 2022 7:17 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi. I have just joined the forum because I have recently purchased a QNAP NAS. Had it about a month and was going through the setup to configure it how I wanted.
Yes I had disabled the admin account, yes I had put in place very strong passwords, and yes I thought I had done what was required to secure it from attack - from a novice's point of view.
Tonight I find that QLocker has been busy - the QLocker ransom text file was created on the 12th (2 days ago) and now the majority of the files are encrypted.
Luckily, as I have only recently purchased the NAS, my files are still on my external USB drives so will not be lost. This reinforces the idea of making additional backups and not relying on the NAS.
On searching and reading articles, this QLocker ransomware was discovered March-21 as described in the QNAP security advisory QSA-21-13. Reading the note it appears that QNAP fixed the hole by the end of April-21.
So if QNAP have fixed the vulnerability then why oh why has my NAS fallen victim? Especially if the Malware Remover tool runs automatically every 24h?
Can you give some pointers about how I should secure the NAS when I come to restore the corrupted files?
Should I factory reset and start again with an empty NAS?
If the QLocker task has executed, is it somewhere lurking to strike again?
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
DQv7Ct_un@MY wrote: ↑Sat Jan 15, 2022 7:38 am
Hi. I have just joined the forum because I have recently purchased a QNAP NAS. Had it about a month and was going through the setup to configure it how I wanted.
[...]
see this (please just read the thread)
viewtopic.php?f=45&t=160849&start=735#p807610
and NEVER EVER expose your NAS again ...
-
- New here
- Posts: 7
- Joined: Sun Jan 03, 2016 4:03 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
SOS!!!
What to do??? What to do??
I found out that my QNAP451 was hit at Friday noon US Eastern time (6 hours ago). I found out files in a folder were encrypted 2 days ago and have to be opened by password.
Without knowing the issue, I shut down my QNAP and opened a ticket with QNAP. But there was already no customer service anymore for the weekend.
What to do next?
Some QNAP security advisory said DO NOT shut down and contact QNAP tech support. But I already shut down and tech support is not available.
One document said to install QRescue to recover: https://www.qnap.com/en/how-to/tutorial ... n-qnap-nas
I am confused about what to do next. Wait for tech support to follow the QRescue?
Or do I need to read through this 50-page thread and try to find out a solution?
Is there a summary somewhere? Or an official solution?
Thx
-
- New here
- Posts: 3
- Joined: Sat Jan 15, 2022 7:17 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
So what to do now...
I have backups of all the data elsewhere so nothing will be lost.
Do I factory reset the NAS and set it up again, recreating the disks and shares?
or
Do I simply restore the files from backups?
Obviously I will need to address how the NAS is exposed in the process....
Assuming that I address the vulnerabilities, and I simply restore files, is there anything left behind by QLocker on my NAS that will repeat the encryption process?
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
DQv7Ct_un@MY wrote: ↑Sat Jan 15, 2022 7:38 am
So if QNAP have fixed the vulnerability then why oh why has my NAS fallen victim? Especially if the Malware Remover tool runs automatically every 24h?
I'm making this up by connecting the dots, but maybe this is the doing of https://www.qnap.com/de-de/security-advisory/qsa-21-57 to get into the system and then the same ransomware method was used.
FTR, my negligence I realized _so far_ was:
- I had a firmware running from 2021-04-06; that was a few weeks before this thread was created. I guess something prompted me almost a year ago to upgrade and then not; no idea
- The internal web UI https://<internal ip> was explicitly routed through from outside on my Wi-Fi router. This was my doing, many years ago, when I truly used to regularly connect to it from outside. Given that I'm almost 2 years in home office, this could have been avoided. I shut it down now.
I can't yet just delete/reset/format everything; the amount of data on the NAS is so big I've nothing in my house to move it to temporarily. So my only solution is to minimize the actual data I want before backing it up externally and THEN factory reset it. During this process I'll have it physically disconnected from the internet in my household for now, and I'm also constantly checking for signs of the ransomware, but none so far.
That the Qlocker CVE says the vulnerability is in HBS 3 is absolutely ironic, as this is THE tool to have your data backed up in the cloud, so for many like me it would be an easy decision to have it running. The CVE also says it's fixed in "QTS 4.5.2: HBS 3 v16.0.0415 and later". I was running 4.5.2 but why HBS 3 was not the latest version I've no idea; I hesitate on firmware upgrades but not app upgrades.
But now checking out the current list of CVEs at https://www.qnap.com/de-de/security-adv ... ry_details and seeing they released one on 2022-01-13 marked as HIGH with "If exploited, the vulnerability allows attackers to run arbitrary code in the system", a day after mine was hacked, gives me an idea of what was going on. My system maybe was immune against the year-old attack vector but not against this one? I have since upgraded to 5.0.0.1891.
As it was repeated many times, the only way to be sure is to not have it exposed to the internet. In my case I explicitly opened the door even, so... #LessonLearned
I'm pressing thumbs for anyone affected, this is super stressful.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
max_well wrote: ↑Sat Jan 15, 2022 5:55 pm
I'm making this up by connecting the dots, but maybe this is the doing of https://www.qnap.com/de-de/security-advisory/qsa-21-57 to get into the system and then used the same ransomware method.
That's my theory as well. As Qnap don't tell us, we have to guess though.
Qnap most likely knew that this QLocker2 attack was happening and that's probably why they released this security statement a little more than a week ago, hoping that users would end direct exposure of their Qnaps on the Internet.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Oh my. I DID get the news and did install the Counselor, but I missed that part. Because in the basic Counselor profile, this is NOT reported.
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Disclaimer: it worked for me, YMMV, yada yada
I guess I can call myself a lucky SOB because indeed I was
- able to uncover the password as the ransomware encryption was still ongoing
- batch decrypted all encrypted files, nothing was lost
- bullet proof regarding file / path handling due to whitespace, special characters etc.
- I used https://www.shellcheck.net/ to make sure the script doesn't contain "stupid errors"
- Don't want to unpack 7z files which were not part of the ransomware encryption, i.e. I've got many 7z files of my own which were _not_ encrypted
- Parallelize the process: my NAS machine has 4 cores, the ransomware encryption was done in a single process but I wanted to use all resources to get them back ASAP
- I wanted to run this thing natively on the NAS and not via any network share
I divided it into two scripts: one which scans the directories and only processes the ones containing the `!!!READ_ME.txt` files, the other one doing the actual decryption with some checks and for being easier to parallelize
These scripts are provided as is, use them at your own risk!
qlocker_decrypt_dir.sh
Set PARALLEL_PROCESSES to the number of cores your NAS has
```bash
#!/usr/bin/env bash
# Number of cores of your system
PARALLEL_PROCESSES=4
if [[ ! -d "$1" ]]; then
    echo "Usage: $0 <directory>"
    exit 1
fi
# The per-file script lives next to this one
DECRYPT_FILE="$(dirname "$0")/qlocker_decrypt_file.sh"
# Only directories that contain the ransom note are touched
find "$1" -name '!!!READ_ME.txt' -print0 | while IFS= read -r -d '' readme; do
    # Get directory from readme file
    dir="${readme%/*}"
    # Count the number of 7z files
    count=$(find "$dir" -maxdepth 1 -name '*.7z' | wc -l)
    echo "Found $count 7z files in $dir"
    # Decrypt the archives in this directory, PARALLEL_PROCESSES at a time
    find "$dir" -maxdepth 1 -name '*.7z' -print0 | xargs -0 -n 1 -P "$PARALLEL_PROCESSES" "$DECRYPT_FILE"
    # Count the number of 7z files again
    count=$(find "$dir" -maxdepth 1 -name '*.7z' | wc -l)
    # and delete the txt file if all are gone
    if [[ "$count" = "0" ]]; then
        rm "$readme"
    else
        echo " WARNING: $count zipped files still in $dir"
    fi
    echo ""
done
```
qlocker_decrypt_file.sh
Adjust the PASSWORD variable to the one you uncovered.
```bash
#!/usr/bin/env bash
PASSWORD="YOUR PASSWORD"
if [[ ! -f "$1" ]]; then
    echo "Usage: $0 <some file.7z>"
    exit 1
fi
zipped="$1"
# dirname handles a bare file name (no slash) correctly
dir="$(dirname "$zipped")"
extension="${zipped##*.}"
echo " Processing $zipped"
if [[ "$extension" != "7z" ]]; then
    echo " ERROR: not a 7z file: $1"
    exit 1
fi
filename="${zipped%.*}"
if [[ -f "$filename" ]]; then
    echo " ERROR: file $filename already exists, skipping"
    exit 1
fi
# Check if zipped file is encrypted (the dummy password only avoids an interactive prompt)
if ! 7z l -pyolo "$zipped" | grep -q 'Method = Copy 7zAES'; then
    echo " ERROR: file $zipped not encrypted, skipping"
    exit 1
fi
# Extract next to the archive; -aos skips existing files, -bso2/-bse2/-bsp2 send all 7z output to stderr
7z e -p"$PASSWORD" -aos -bso2 -bse2 -bsp2 "$zipped" -o"$dir" && rm "$zipped"
```
I used the command like this, so I could later review the stdout/stderr stuff for any problems:
```bash
time ./qlocker_decrypt_dir.sh "<your directory here>" 2>> 7zip.stderr >> qlocker_decrypt.log
```
It's advised to make a test run, e.g. make a copy of some encrypted directories and test out the script there first!
I used Entware's `mlocate` to get a list of all files on all mounts so I could quickly iterate, finding anything still containing the dreaded readme file, and I ran `updatedb` irregularly to track this.
I think the two biggest contributing factors to my being able to pull myself out of this misery were:
- Luck, insofar as I discovered this "early on"
- I've over 3 million files on my NAS and once I discovered the attack, ~400k were encrypted after roughly 3 full days and it was still ongoing because it took so long
HTH!
- OneCD
- Guru
- Posts: 12163
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Good work!