[RANSOMWARE] Qlocker

rbharol
New here
Posts: 6
Joined: Wed Mar 07, 2018 11:29 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by rbharol »

Guys, I created this script that can recover your files. It worked for me, so I hope it may help you as well. It is on GitHub. There are two scripts; one helps you count the files. It unlocks all files recursively starting from the root directory.

https://github.com/rajeevbharol/Qlocker-Recovery
rbharol
New here
Posts: 6
Joined: Wed Mar 07, 2018 11:29 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by rbharol »

rbharol wrote: Mon Jan 17, 2022 5:33 pm Guys, I created this script that can recover your files. It worked for me, so I hope it may help you as well. It is on GitHub. There are two scripts; one helps you count the files. It unlocks all files recursively starting from the root directory.

https://github.com/rajeevbharol/Qlocker-Recovery
Here it is. You have to run it twice. I have a helper script named count7z.sh to count how many files there are or are left... See the readme file on GitHub.

#!/bin/bash

# PW variable contains the password to your 7z file. Replace this string with your password
PW=ZANwQKyHG482TFVjkcbYpPr5nz3DSCEe

CMD=/usr/local/sbin/7z

# An empty directory must expand to nothing, not to a literal "*"
shopt -s nullglob

# Make a list of all directories under root and put in a file
file='all_dirs.txt'
find ./ -type d > "$file"

# Go through all directories in that file
# (IFS= and -r keep leading blanks and backslashes in directory names intact)

i=1
while IFS= read -r line
    do
        #Reading each line
        #echo "Line No. $i : $line"

        search_dir=$line

        for the_file in "$search_dir"/*
            do
                #echo File : "$the_file"

                if [[ $the_file == *.7z ]]
                    then
                        echo "============> Found 7z file $the_file"

                        the_file_without_extn="${the_file%.*}"

                        echo "basename: $the_file_without_extn"

                        if [[ -f "$the_file_without_extn" ]]
                            then
                                echo "Deleting already extracted file $the_file"
                                rm -f "$the_file"
                            else
                                echo "Need to Extract File..trying"
                                # Every argument quoted: an unquoted path or password would be word-split
                                "$CMD" e "$the_file" -o"$search_dir" -p"$PW" 1> /dev/null

                        fi
                 fi

                 if [[ $the_file == *!!!READ_ME.txt ]]
                     then
                         echo "Getting rid of hackers message"
                         rm -f "$the_file"
                 fi
            done
        i=$((i+1))
done < "$file"
my6thsense
First post
Posts: 1
Joined: Tue Jan 18, 2022 3:44 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by my6thsense »

Hi guys,
Seems like I'm also a victim of the latest QNAP leak... What a disaster this company is... Anyway, I can't seem to connect with SSH even though it's activated in the settings. I tried different ports but the connection keeps getting refused.
The Telnet connection is working, however, but I guess I need SSH to copy the scripts?
PropTop99
First post
Posts: 1
Joined: Thu Feb 18, 2016 12:17 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by PropTop99 »

max_well wrote: Sat Jan 15, 2022 3:02 am
dolbyman wrote: Fri Jan 14, 2022 11:12 pm just read the thread

e.g
viewtopic.php?f=45&t=160849&start=705#p807158

Only way to secure your system. After that, never expose it again.
Thank you, got it!

--
I hope it's not too early to party for me, but I was browsing this thread and basically one of the messages on the first page viewtopic.php?f=45&t=160849#p786812 talks about extracting the password in case the "process is still running":
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
This motivated me to regain hope and I enabled remote terminal access and logged in, and lo and behold I found multiple 7z related processes STILL BEING ACTIVE. Couldn't believe my eyes.

I then followed the procedure and extracted the password successfully and confirmed it with a few samples, but until I've everything back it's not time to party yet.

Some things I observed:
  • I've multiple shares but only two were encrypted
  • the first one was completely encrypted but only had like 3 files or so
  • the second one was my "archive from the last century" stuff, even I don't know anymore what there is. But the number of files, big and small, is extremely high and this is the share where the encryption was still running
  • I've more shares, alphabetically following the first two, which are yet untouched
  • I now assume it's going through the shares alphabetically, first placing the README and then starting to encrypt stuff
  • which in my case made me lucky because the "stuff from last century" is less important than what I had on the other shares following
  • my best guess, based on the readme timestamp, is that it all started this Wednesday but due to the sheer number of files on the one share, it was still working on it
  • I basically followed the above linked guide but realized in my case the local 7 zip doing the work was named `7z.orig` and thus I had to adapt the file names
  • seconds after that I got the password in the logfile: yugiohnl you're an unsung hero!
  • first decrypting via my OSX native zip did not accept the password so I thought this didn't work
  • had to download 7zip via homebrew, decryption worked!
I've now shut down the NAS completely, pondering my next move and also planning for the future to avoid having this again.

I was not on the latest firmware, but I did recently "harden" the system with the Counselor. But maybe this was during Wednesday and too late, I can't remember it exactly anymore. Not easy to remember everything next to work and kids. I'm probably a lucky SOB and don't deserve this.
I basically followed the above linked guide but realized in my case the local 7 zip doing the work was named `7z.orig` and thus I had to adapt the file names
I can see in the processes that it's 7z.orig as well but I'm not technowizardly enough to understand how the command line instructions should be changed to recover the key. Can someone help me out with that?
Also, by running the commands indicated, does it in any way affect whether or not other methods (like QRescue) would be able to function?

Thanks,
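The key-capture procedure quoted in the post above, written out as an added example; this is not the thread's one-liner nor code from anyone in the thread. `install_wrapper` swaps a named archiver binary for a logging stub that records one argument per line (the quoted one-liner's `echo $@` flattens arguments, so a file name with spaces is no longer distinguishable from two arguments) and then stalls so the still-running encryption makes no further progress; `extract_passwords` pulls every distinct `-p<password>` value out of that log. The binary name is a parameter, so it covers the `7z.orig` case asked about above as well as plain `7z`. Assumptions: the encrypting process passes the password in the standard 7z form `-p<password>` (the form rbharol's script uses); the default stall of 60000 seconds matches the quoted one-liner; the `/mnt/HDA_ROOT/7z.log` path in the usage comment is the one from the quoted one-liner, and `EXAMPLEKEY` there is a constructed placeholder. It is written as POSIX sh so it runs in a minimal NAS shell.

```shell
#!/bin/sh
# Added example, not code from the thread. Captures the arguments a still-running
# process passes to the archiver by swapping the binary for a logging stub.

# install_wrapper DIR NAME LOG [STALL_SECONDS]
#   Renames DIR/NAME to DIR/NAME.bak and installs a stub that appends every
#   argument of each call to LOG (one per line, so names with spaces survive),
#   writes a "===" separator, then sleeps so the caller makes no further progress.
#   NAME is a parameter because the binary is not always called "7z"
#   (the post above saw "7z.orig"). Refuses to run twice, so the real binary
#   is never overwritten by a second stub.
install_wrapper() {
    dir=$1 name=$2 log=$3 stall=${4:-60000}
    if [ -e "$dir/$name.bak" ]; then
        echo "refusing: $dir/$name.bak already exists" >&2
        return 1
    fi
    mv -- "$dir/$name" "$dir/$name.bak" || return 1
    # Unquoted heredoc: $log and $stall are filled in now, \$a is left for the stub.
    cat > "$dir/$name" <<EOF
#!/bin/sh
for a; do printf '%s\n' "\$a"; done >> '$log'
printf '%s\n' '===' >> '$log'
sleep $stall
EOF
    chmod +x "$dir/$name"
}

# extract_passwords LOG
#   Prints each distinct value that was passed as -p<password> in the captured
#   calls. Assumes the standard 7z option form (the one rbharol's script uses).
extract_passwords() {
    grep '^-p' -- "$1" | cut -c3- | sort -u
}

# Usage on the paths the thread mentions (log path from the quoted one-liner,
# EXAMPLEKEY is a constructed placeholder for what the second command prints):
#   install_wrapper /usr/local/sbin 7z.orig /mnt/HDA_ROOT/7z.log
#   ... wait until the running process has called the stub once ...
#   extract_passwords /mnt/HDA_ROOT/7z.log      # prints e.g. EXAMPLEKEY
```

Take the log off the box (and a copy of the `.bak` binary) before doing anything else; once the password is known, every archive can be opened with a normal 7z build, as the posts above describe.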
g73jkwy
Starting out
Posts: 15
Joined: Mon Dec 26, 2016 11:18 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by g73jkwy »

PropTop99 wrote: Tue Jan 18, 2022 3:55 am
I can see in the processes that it's 7z.orig as well but I'm not technowizardly enough to understand how the command line instructions should be changed to recover the key. Can someone help me out with that?
Also, by running the commands indicated, does it in any way affect whether or not other methods (like QRescue) would be able to function?

Thanks,
+ 1
max_well
Starting out
Posts: 25
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well »

rbharol wrote: Mon Jan 17, 2022 5:33 pm Guys, I created this script that can recover your files. It worked for me, so I hope it may help you as well. It is on GitHub. There are two scripts; one helps you count the files. It unlocks all files recursively starting from the root directory.

https://github.com/rajeevbharol/Qlocker-Recovery
Hey there,
I'm not here to diss your efforts, but after a quick look, you did not properly quote filenames in all cases, which is essential to handle things like spaces or other special characters properly.

I've just earlier posted viewtopic.php?p=807783#p807783 where I went to great lengths to avoid such issues; it's also "battle tested" on 400k files or so without a hitch. Also, my script a) does not need to run twice and b) can use multiple cores at once, speeding up the whole decryption process basically up to your number of cores.

HTH
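A recovery walk that addresses the quoting point raised in this post, as an added example; it is neither rbharol's script nor max_well's, and it does not reproduce max_well's multi-core approach. It is split into `plan_recovery`, which only lists what would be done to each archive and ransom note, and `apply_recovery`, which performs the plan, so the actions can be reviewed before anything is deleted. It needs one pass rather than two because an archive is removed only after its plaintext is confirmed on disk. Assumptions: the archiver is at `$SEVENZ` (default `/usr/local/sbin/7z`, the path rbharol's script uses), the recovered password is passed as an argument, each encrypted file sits beside where its plaintext belongs, and the ransom note is named `!!!READ_ME.txt` as in the thread. Written as POSIX sh (no `local`, no `read -d`) so it also runs in a minimal NAS shell.

```shell
#!/bin/sh
# Added example, not rbharol's or max_well's script: a recovery walk that never
# word-splits or globs file names, the problem raised in the post above.
SEVENZ="${SEVENZ:-/usr/local/sbin/7z}"   # archiver path taken from rbharol's script
NOTE_NAME='!!!READ_ME.txt'               # ransom note name used in the thread
TAB=$(printf '\t')

# plan_one ARCHIVE
#   Classifies one *.7z path: if its plaintext twin already exists the archive
#   is redundant ("skip-delete"), otherwise it still needs extracting ("extract").
plan_one() {
    archive=$1
    plain=${archive%.7z}
    if [ -f "$plain" ]; then
        printf 'skip-delete\t%s\n' "$archive"
    else
        printf 'extract\t%s\n' "$archive"
    fi
}

# plan_recovery ROOT
#   Lists every action under ROOT without performing any, one
#   "<action><TAB><path>" line per file. IFS= and read -r keep spaces, quotes
#   and glob characters intact; only a newline inside a file name would break
#   this line-based format.
plan_recovery() {
    root=$1
    find "$root" -type f \( -name '*.7z' -o -name "$NOTE_NAME" \) -print |
    while IFS= read -r path; do
        case "$path" in
            *.7z) plan_one "$path" ;;
            *)    printf 'remove-note\t%s\n' "$path" ;;
        esac
    done
}

# apply_recovery ROOT PASSWORD
#   Performs the plan. The archiver receives an argument list, never a command
#   string, so password and path arrive unchanged; an archive is deleted only
#   once its plaintext is confirmed present, which is why a single pass suffices.
apply_recovery() {
    root=$1
    pw=$2
    plan_recovery "$root" |
    while IFS= read -r line; do
        action=${line%%"$TAB"*}
        path=${line#*"$TAB"}
        case "$action" in
            extract)
                "$SEVENZ" e "$path" -o"$(dirname "$path")" -p"$pw" -y >/dev/null &&
                    [ -f "${path%.7z}" ] && rm -f -- "$path"
                ;;
            skip-delete|remove-note)
                rm -f -- "$path"
                ;;
        esac
    done
}

# Usage: ./recover.sh /path/to/share 'password-from-7z.log' [apply]
# Without the third argument only the plan is printed; nothing is touched.
if [ "${1:-}" ]; then
    if [ "${3:-}" = apply ]; then apply_recovery "$1" "$2"; else plan_recovery "$1"; fi
fi
```

Run the plan first and skim it for anything unexpected; the `skip-delete` lines are exactly the archives rbharol's script only catches on its second pass.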
nervoteso
Know my way around
Posts: 103
Joined: Mon Nov 24, 2008 9:11 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by nervoteso »

Hi,
just installed a TS-253D, configured in RAID 1. Which is the faster way to copy my backup folders (I've created the multimedia folders) from an external HDD, and which USB port should I use, the front one?

I've left all the auto settings about volumes, snapshot, thick etc., hope it's ok.
jaergo
New here
Posts: 9
Joined: Wed Jan 19, 2022 5:37 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaergo »

Hi, all...

Just got hit with this a few days ago. I was able to stop the process, thankfully. I couldn't get PuTTY to connect for the life of me, so I couldn't get that password. Instead, I ordered a 2TB flash drive that will be here tomorrow.

I did read somewhere that as soon as I discovered this, to run the malware, update firmware, but don't turn it off. I did both, and didn't turn it off, but now QNAP support is telling me I may lose the map because I updated the firmware. Does this mean I'm screwed and I can't get my stuff back? I have a lifetime of pics on there.

Also, if I am able to do this, how long does this usually take? I have a little under 1 TB of stuff. Hours? Days? And then what's the best way to put it all back together? Sorry for so many questions, this is stressful and of course, surprising. Thanks in advance.
g73jkwy
Starting out
Posts: 15
Joined: Mon Dec 26, 2016 11:18 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by g73jkwy »

PropTop99 wrote: Tue Jan 18, 2022 3:55 am
max_well wrote: Sat Jan 15, 2022 3:02 am
dolbyman wrote: Fri Jan 14, 2022 11:12 pm just read the thread

e.g
viewtopic.php?f=45&t=160849&start=705#p807158

Only way to secure your system. After that, never expose it again.
Thank you, got it!

--
I hope it's not too early to party for me, but I was browsing this thread and basically one of the messages on the first page viewtopic.php?f=45&t=160849#p786812 talks about extracting the password in case the "process is still running":
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
This motivated me to regain hope and I enabled remote terminal access and logged in, and lo and behold I found multiple 7z related processes STILL BEING ACTIVE. Couldn't believe my eyes.

I then followed the procedure and extracted the password successfully and confirmed it with a few samples, but until I've everything back it's not time to party yet.

Some things I observed:
  • I've multiple shares but only two were encrypted
  • the first one was completely encrypted but only had like 3 files or so
  • the second one was my "archive from the last century" stuff, even I don't know anymore what there is. But the number of files, big and small, is extremely high and this is the share where the encryption was still running
  • I've more shares, alphabetically following the first two, which are yet untouched
  • I now assume it's going through the shares alphabetically, first placing the README and then starting to encrypt stuff
  • which in my case made me lucky because the "stuff from last century" is less important than what I had on the other shares following
  • my best guess, based on the readme timestamp, is that it all started this Wednesday but due to the sheer number of files on the one share, it was still working on it
  • I basically followed the above linked guide but realized in my case the local 7 zip doing the work was named `7z.orig` and thus I had to adapt the file names
  • seconds after that I got the password in the logfile: yugiohnl you're an unsung hero!
  • first decrypting via my OSX native zip did not accept the password so I thought this didn't work
  • had to download 7zip via homebrew, decryption worked!
I've now shut down the NAS completely, pondering my next move and also planning for the future to avoid having this again.

I was not on the latest firmware, but I did recently "harden" the system with the Counselor. But maybe this was during Wednesday and too late, I can't remember it exactly anymore. Not easy to remember everything next to work and kids. I'm probably a lucky SOB and don't deserve this.
I basically followed the above linked guide but realized in my case the local 7 zip doing the work was named `7z.orig` and thus I had to adapt the file names
I can see in the processes that it's 7z.orig as well but I'm not technowizardly enough to understand how the command line instructions should be changed to recover the key. Can someone help me out with that?
Also, by running the commands indicated, does it in any way affect whether or not other methods (like QRescue) would be able to function?

Thanks,
Is there anything interesting in the 7z.orig file? How can I open it via WSL?
max_well
Starting out
Posts: 25
Joined: Fri Apr 21, 2017 6:46 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by max_well »

g73jkwy wrote: Thu Jan 20, 2022 2:33 am Is there anything interesting in the 7z.orig file? How can I open it via WSL?
In the heat of the moment I may have misinterpreted these files TBH, I'm not sure.

It seems that the Malware scanner replaces the `/usr/local/sbin/7z` every time it runs with its `7z` which is a shell script and which then calls `7z.orig`.

Not sure if this is related to their defense regarding QLocker or not.

So in the end, nothing I saw/found was related to the attack itself it seems. But the process doing the encrypting was still running and invoking this command (I saw it via `ps`) and so I replaced it with a script on my own to log away the command line parameters which included the password.

I'm almost sure there was some `7z.sh` but now I really don't know anymore.

Sorry, I don't have more knowledge here.
jaergo
New here
Posts: 9
Joined: Wed Jan 19, 2022 5:37 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaergo »

So far, so good. Photorec's been running for about 20 hours, 10 more to go, showing lots of stuff being recovered, and I think I'll have enough space on my hard drive to do it.

I am curious, though, for those of you who've done this successfully... what should I expect in my directory once this is done? Are folder structures preserved? Or is it literally going to be me looking at random photo names and mp3's and trying to figure out where they belong? Any tips for doing this efficiently? I just want to know what I'm in for here. Thanks in advance.
miren2k
Starting out
Posts: 10
Joined: Fri Dec 06, 2019 9:23 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by miren2k »

P3R wrote: Mon Jan 10, 2022 12:56 am
nervoteso wrote: Mon Jan 10, 2022 12:47 am should i set a new default port ? not 8080?
No!
...also I set my ports 8080 and 9000 as port forwarding, should I close both?
YEEES, do it now!!!

That's how they attacked you!

Also disable UPnP as instructed in step 2 here.
Quick question: going through a list of security protocols on my QNAP so this horrible experience doesn't repeat. Why are you not meant to change your default port from 8080?
:evil: Forever enraged.
miren2k
Starting out
Posts: 10
Joined: Fri Dec 06, 2019 9:23 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by miren2k »

jaergo wrote: Wed Jan 19, 2022 5:43 am Hi, all...

Just got hit with this a few days ago. I was able to stop the process, thankfully. I couldn't get PuTTY to connect for the life of me, so I couldn't get that password. Instead, I ordered a 2TB flash drive that will be here tomorrow.

I did read somewhere that as soon as I discovered this, to run the malware, update firmware, but don't turn it off. I did both, and didn't turn it off, but now QNAP support is telling me I may lose the map because I updated the firmware. Does this mean I'm screwed and I can't get my stuff back? I have a lifetime of pics on there.

Also, if I am able to do this, how long does this usually take? I have a little under 1 TB of stuff. Hours? Days? And then what's the best way to put it all back together? Sorry for so many questions, this is stressful and of course, surprising. Thanks in advance.
I don't for the life of me understand how people are still getting hit with this ransomware. Can someone explain??? It's kind of making me nervous again; I already got hit in April, all of my apps and firmware are up to date, could this still happen again?
:evil: Forever enraged.
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

pretty easy .. people still expose their NAS units to WAN, as QNAP did and still does advertise these units as easy private clouds .. and *zapp* all data is gone ...

If you remove all port forwards to the NAS (and disable upnp) you will not be in trouble here
jaergo
New here
Posts: 9
Joined: Wed Jan 19, 2022 5:37 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaergo »

miren2k wrote: Sat Jan 22, 2022 6:03 am

I don't for the life of me understand how people are still getting hit with this ransomware. Can someone explain??? It's kind of making me nervous again; I already got hit in April, all of my apps and firmware are up to date, could this still happen again?
To be honest, it's my fault. I pay a lot of attention to my security on my PC, but I've been super neglectful on the NAS, and it's biting me in the **, now. Of course, the fact that I didn't even know about it until it happened kind of ** me off, I think QNAP should have been much more engaged in all of this.

It won't happen again, I assure you.