[RANSOMWARE] Qlocker
-
- New here
- Posts: 6
- Joined: Wed Mar 07, 2018 11:29 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Guys, I created this script that can recover your files. It worked for me, so I hope it may help you as well. It is on GitHub. There are two scripts; one helps you count the files. It unlocks all files recursively starting from the root directory.
https://github.com/rajeevbharol/Qlocker-Recovery
-
- New here
- Posts: 6
- Joined: Wed Mar 07, 2018 11:29 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
rbharol wrote: ↑Mon Jan 17, 2022 5:33 pm
Guys, I created this script that can recover your files. It worked for me, so I hope it may help you as well. It is on GitHub. There are two scripts; one helps you count the files. It unlocks all files recursively starting from the root directory.
https://github.com/rajeevbharol/Qlocker-Recovery
Here it is. You have to run it twice. I have a helper script named count7z.sh to count how many files there are or are left... See the readme file on GitHub.
Code:
#!/bin/bash
# PW contains the password to your 7z files. Replace this string with your password.
PW=ZANwQKyHG482TFVjkcbYpPr5nz3DSCEe
CMD=/usr/local/sbin/7z
# Make a list of all directories under the current directory and put it in a file
file='all_dirs.txt'
find ./ -type d > "$file"
# A directory with no matches expands to nothing instead of the literal pattern
shopt -s nullglob
# Go through all directories in that file
# (IFS= and -r keep leading blanks and backslashes in directory names intact)
i=1
while IFS= read -r line;
do
    #Reading each line
    #echo "Line No. $i : $line"
    search_dir=$line
    for the_file in "$search_dir"/*
    do
        #echo File : "$the_file"
        if [[ $the_file == *.7z ]];
        then
            echo "============> Found 7z file $the_file"
            the_file_without_extn="${the_file%.*}"
            echo "basename: $the_file_without_extn"
            if [[ -f "$the_file_without_extn" ]];
            then
                # The original is back (extracted on the previous run), so the encrypted copy can go
                echo "Deleting already extracted file $the_file"
                rm -f "$the_file"
            else
                echo "Need to Extract File..trying"
                "$CMD" e "$the_file" -o"$search_dir" -p"$PW" 1> /dev/null
            fi
        fi
        if [[ $the_file == *!!!READ_ME.txt ]]
        then
            echo "Getting rid of hackers message"
            rm -f "$the_file"
        fi
    done
    i=$((i+1))
done < "$file"
-
- First post
- Posts: 1
- Joined: Tue Jan 18, 2022 3:44 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi guys,
Seems like I'm also a victim of the latest QNAP leak... What a disaster this company is... Anyway, I can't seem to connect with SSH even though it's activated in the settings. I tried different ports but the connection keeps getting refused.
The Telnet connection is working, however, but I guess I need SSH to copy the scripts?
-
- First post
- Posts: 1
- Joined: Thu Feb 18, 2016 12:17 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
max_well wrote: ↑Sat Jan 15, 2022 3:02 am
Thank you, got it!
dolbyman wrote: ↑Fri Jan 14, 2022 11:12 pm
just read the thread
e.g.
viewtopic.php?f=45&t=160849&start=705#p807158
Only way to secure your system.. after that, never expose it again
--
I hope it's not too early to party for me, but I was browsing this thread and basically one of the messages on the first page viewtopic.php?f=45&t=160849#p786812 talks about extracting the password in case the "process is still running". This motivated me to regain hope and I enabled remote terminal access and logged in, and lo and behold, I found multiple 7z related processes STILL BEING ACTIVE. Couldn't believe my eyes.
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
I then followed the procedure and extracted the password successfully and confirmed it with a few samples, but until I've everything back it's not time to party yet.
Some things I observed:
- I've multiple shares but only two were encrypted
- the first one was completely encrypted but only had like 3 files or so
- the second one was my "archive from the last century" stuff, even I don't know anymore what there is. But the number of files, big and small, is extremely high and this is the share where the encryption was still running
- I've more shares, alphabetically following the first two, which are yet untouched
- I now assume it's going through the shares alphabetically, first placing the README and then starting to encrypt stuff
- which in my case made me lucky because the "stuff from last century" is less important than what I had on the other shares following
- my best guess, based on the readme timestamp, is that it all started this Wednesday but due to the sheer number of files on the one share, it was still working on it
- I basically followed the above linked guide but realized in my case the local 7-Zip doing the work was named `7z.orig` and thus I had to adapt the file names
- seconds after that I got the password in the logfile: yugiohnl, you're an unsung hero!
- first decrypting via my OSX native zip did not accept the password so I thought this didn't work
- had to download 7-Zip via Homebrew, decryption worked!
I've now shut down the NAS completely, pondering my next move and also planning for the future to avoid having this again.
I was not on the latest firmware, but I did recently "harden" the system with the Counselor. But maybe this was during Wednesday and too late, I can't remember it exactly anymore. Not easy to remember everything next to work and kids. I'm probably a lucky SOB and don't deserve this.
I can see in the processes that it's 7z.orig as well, but I'm not techno-wizardly enough to understand how the command line instructions should be changed to recover the key. Can someone help me out with that?
Also, by running commands indicated does it in any way affect whether or not other methods (like QRescue) would be able to function?
Thanks,
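The password-capture trick quoted in this post (swap the 7z binary for a script that writes its arguments to a log and then sleeps, so the still-running encryption loop hands you its `-p` switch) and the question about a process that invokes `7z.orig` instead of `7z` fit in one script. The following is an added example written for this page, not code from the thread, from yugiohnl's guide or from QNAP: `install_shim` takes whatever name `ps` shows being invoked (`7z` or `7z.orig`), so the same command covers both cases, and `password_from_argv` pulls the `-p` value out of a logged line so nobody has to read the log by eye. The paths `/usr/local/sbin` and `/mnt/HDA_ROOT/7z.log` are the ones used in the thread; the command line in the comment is constructed for illustration and is not a captured QLocker invocation.

```shell
#!/bin/bash
# qlocker_shim.sh - capture the QLocker 7z password from a still-running encryption process.
# Added example for this thread; the wrapper idea is from the thread, the helpers are not.
set -u

LOG="${LOG:-/mnt/HDA_ROOT/7z.log}"      # log path used in the thread
SBIN="${SBIN:-/usr/local/sbin}"         # where QTS keeps 7z (assumption from the thread)

# install_shim NAME
# Moves $SBIN/NAME (7z, or 7z.orig when `ps` shows that name being invoked) to NAME.bak
# and drops in a script that records its arguments and then stalls. The stand-in never
# calls the real binary, so encryption stops while you read the password out of $LOG.
# Must run as admin, and only while the encrypting process is still alive.
install_shim() {
    local name="$1" target="$SBIN/$1"
    [ -e "$target" ] || { echo "no such binary: $target" >&2; return 1; }
    [ -e "$target.bak" ] && { echo "$target.bak exists, refusing to overwrite it" >&2; return 1; }
    mv "$target" "$target.bak" || return 1
    cat > "$target" <<EOF
#!/bin/sh
# logging stand-in for $name (installed by qlocker_shim.sh); the real binary is $name.bak
printf '%s\n' "\$*" >> "$LOG"
sleep 60000
EOF
    chmod 755 "$target"
}

# password_from_argv LINE
# Prints the value of the first -p<password> switch in one logged command line, e.g.
# (constructed, not a real capture): "a -mx=0 -sdel -pSECRET /share/Public/x.jpg.7z /share/Public/x.jpg"
# Returns 1 when the line carries no -p switch (7z may be invoked for other reasons too).
password_from_argv() {
    (
        set -f                         # no glob expansion while splitting the logged line
        for arg in $1; do
            case "$arg" in
                -p?*) printf '%s\n' "${arg#-p}"; exit 0 ;;
            esac
        done
        exit 1
    )
}

# passwords_from_log FILE
# Prints every distinct password seen in the log so far (one per line).
passwords_from_log() {
    local line
    while IFS= read -r line; do
        password_from_argv "$line" || true
    done < "$1" | sort -u
}

case "${1:-}" in
    install) install_shim "${2:?usage: $0 install 7z|7z.orig}" ;;
    show)    passwords_from_log "$LOG" ;;
esac
```

Run `bash qlocker_shim.sh install 7z.orig` (or `install 7z`, whichever name the process list shows) as admin over SSH or Telnet; once `ps` shows the stand-in sleeping, `bash qlocker_shim.sh show` prints the password(s) logged so far. Because the stand-in never runs the real binary, installing it also halts further encryption; put the `.bak` file back only after recovery is done.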
-
- Starting out
- Posts: 15
- Joined: Mon Dec 26, 2016 11:18 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
+1
PropTop99 wrote: ↑Tue Jan 18, 2022 3:55 am
I can see in the processes that it's 7z.orig as well, but I'm not techno-wizardly enough to understand how the command line instructions should be changed to recover the key. Can someone help me out with that?
Also, by running the commands indicated, does it in any way affect whether or not other methods (like QRescue) would be able to function?
Thanks,
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hey there,
rbharol wrote: ↑Mon Jan 17, 2022 5:33 pm
Guys, I created this script that can recover your files. It worked for me, so I hope it may help you as well. It is on GitHub. There are two scripts; one helps you count the files. It unlocks all files recursively starting from the root directory.
https://github.com/rajeevbharol/Qlocker-Recovery
I'm not here to diss your efforts, but after a quick look you did not properly quote filenames in all cases, which is essential to handle things like spaces or other special characters properly.
I've just earlier posted viewtopic.php?p=807783#p807783 where I went to great lengths to avoid such issues; it's also "battle tested" on 400k files or so without a hitch. Also my script a) does not need to run twice and b) can use multiple cores at once, speeding up the whole decryption process by basically up to your number of cores.
HTH
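A recovery loop that follows the three points made in this reply: every filename is quoted (and passed NUL-separated), so paths with spaces or special characters survive; the encrypted `.7z` is deleted only once the extracted original exists with a non-zero size, so one pass is enough and a wrong password cannot destroy anything; and `xargs -P` runs one extraction per core. This is an added example written for this page, not the script from the GitHub repository above and not the one linked in this post. It assumes `/usr/local/sbin/7z` is a real 7-Zip binary (set `SEVENZ=` to point elsewhere if your unit differs) and, like the thread's scripts, that each QLocker archive sits next to where the original was and is named `<original>.7z`.

```shell
#!/bin/bash
# recover_qlocker.sh - parallel, quoting-safe recovery of QLocker .7z archives.
# Added example for this thread, not the script from the repository or the linked post.
set -u

SEVENZ="${SEVENZ:-/usr/local/sbin/7z}"            # real 7-Zip binary (assumed location)
JOBS="${JOBS:-$(nproc 2>/dev/null || echo 2)}"    # one extraction per core

# recover_one ARCHIVE PASSWORD
# Extracts ARCHIVE into its own directory. The archive is removed only when the original
# file exists afterwards with a non-zero size, so a failed or wrong-password extraction
# leaves the encrypted copy untouched. Returns 0 on success, 1 on failure.
recover_one() {
    local archive="$1" pw="$2"
    local dir original
    dir="$(dirname -- "$archive")"
    original="${archive%.7z}"
    if [ -s "$original" ]; then
        # Already recovered (e.g. by an earlier run): only the encrypted copy is left to drop.
        rm -f -- "$archive"
        return 0
    fi
    if "$SEVENZ" e -y -o"$dir" -p"$pw" -- "$archive" >/dev/null 2>&1 && [ -s "$original" ]; then
        rm -f -- "$archive"
        return 0
    fi
    printf 'FAILED: %s\n' "$archive" >&2
    return 1
}

# remove_notes ROOT
# Deletes the ransom notes in a separate pass, after the archives are dealt with.
remove_notes() {
    find "$1" -type f -name '!!!READ_ME.txt' -delete
}

# main ROOT PASSWORD
# Finds every .7z under ROOT and hands each one to recover_one, JOBS at a time.
main() {
    local root="$1" pw="$2"
    export -f recover_one
    export SEVENZ
    find "$root" -type f -name '*.7z' -print0 \
        | xargs -0 -P "$JOBS" -n 1 bash -c 'recover_one "$2" "$1"' _ "$pw"
    remove_notes "$root"
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Usage: `bash recover_qlocker.sh /share/CACHEDEV1_DATA 'PASSWORD'` (the data volume is at `/share/CACHEDEV1_DATA` on most QTS units; adjust to yours). Archives that fail are listed on stderr and left in place, so the run can simply be repeated once the cause (usually a wrong password or a full disk) is fixed.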
-
- Know my way around
- Posts: 103
- Joined: Mon Nov 24, 2008 9:11 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi,
Just installed a TS-253D, configured in RAID 1. Which is the faster way to copy my backup folders (I've created the multimedia folders) from an external HDD, and which USB port should I use, the front one?
I've left all the auto settings about volumes, snapshot, thick etc., hope it's OK.
-
- New here
- Posts: 9
- Joined: Wed Jan 19, 2022 5:37 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi, all...
Just got hit with this a few days ago. I was able to stop the process, thankfully. I couldn't get PuTTY to connect for the life of me, so I couldn't get that password. Instead, I ordered a 2TB flash drive that will be here tomorrow.
I did read somewhere that as soon as I discovered this, to run the malware, update firmware, but don't turn it off. I did both, and didn't turn it off, but now QNAP support is telling me I may lose the map because I updated the firmware. Does this mean I'm screwed and I can't get my stuff back? I have a lifetime of pics on there.
Also, if I am able to do this, how long does this usually take? I have a little under 1 tb of stuff. Hours? Days? And then what's the best way to put it all back together? Sorry for so many questions, this is stressful and of course, surprising. Thanks in advance.
-
- Starting out
- Posts: 15
- Joined: Mon Dec 26, 2016 11:18 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Is there anything interesting in the 7z.orig file? How can I open it via WSL?
PropTop99 wrote: ↑Tue Jan 18, 2022 3:55 am
max_well wrote: ↑Sat Jan 15, 2022 3:02 am
Thank you, got it!
dolbyman wrote: ↑Fri Jan 14, 2022 11:12 pm
just read the thread
e.g.
viewtopic.php?f=45&t=160849&start=705#p807158
Only way to secure your system.. after that, never expose it again
--
I hope it's not too early to party for me, but I was browsing this thread and basically one of the messages on the first page viewtopic.php?f=45&t=160849#p786812 talks about extracting the password in case the "process is still running". This motivated me to regain hope and I enabled remote terminal access and logged in, and lo and behold, I found multiple 7z related processes STILL BEING ACTIVE. Couldn't believe my eyes.
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
I then followed the procedure and extracted the password successfully and confirmed it with a few samples, but until I've everything back it's not time to party yet.
Some things I observed:
- I've multiple shares but only two were encrypted
- the first one was completely encrypted but only had like 3 files or so
- the second one was my "archive from the last century" stuff, even I don't know anymore what there is. But the number of files, big and small, is extremely high and this is the share where the encryption was still running
- I've more shares, alphabetically following the first two, which are yet untouched
- I now assume it's going through the shares alphabetically, first placing the README and then starting to encrypt stuff
- which in my case made me lucky because the "stuff from last century" is less important than what I had on the other shares following
- my best guess, based on the readme timestamp, is that it all started this Wednesday but due to the sheer number of files on the one share, it was still working on it
- I basically followed the above linked guide but realized in my case the local 7-Zip doing the work was named `7z.orig` and thus I had to adapt the file names
- seconds after that I got the password in the logfile: yugiohnl, you're an unsung hero!
- first decrypting via my OSX native zip did not accept the password so I thought this didn't work
- had to download 7-Zip via Homebrew, decryption worked!
I've now shut down the NAS completely, pondering my next move and also planning for the future to avoid having this again.
I was not on the latest firmware, but I did recently "harden" the system with the Counselor. But maybe this was during Wednesday and too late, I can't remember it exactly anymore. Not easy to remember everything next to work and kids. I'm probably a lucky SOB and don't deserve this.
I can see in the processes that it's 7z.orig as well, but I'm not techno-wizardly enough to understand how the command line instructions should be changed to recover the key. Can someone help me out with that?
Also, by running commands indicated does it in any way affect whether or not other methods (like QRescue) would be able to function?
Thanks,
-
- Starting out
- Posts: 25
- Joined: Fri Apr 21, 2017 6:46 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
In the heat of the moment I may have misinterpreted these files, TBH, I'm not sure.
It seems that the malware scanner replaces `/usr/local/sbin/7z` every time it runs with its own `7z`, which is a shell script that then calls `7z.orig`.
Not sure if this is related to their defense regarding QLocker or not.
So in the end, nothing I saw/found was related to the attack itself, it seems. But the process doing the encrypting was still running and invoking this command (I saw it via `ps`), and so I replaced it with a script of my own to log away the command line parameters, which included the password.
I'm almost sure there was some `7z.sh` but now I really don't know anymore.
Sorry, I don't have more knowledge here.
-
- New here
- Posts: 9
- Joined: Wed Jan 19, 2022 5:37 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
So far, so good. Photorec's been running for about 20 hours, 10 more to go, showing lots of stuff being recovered, and I think I'll have enough space on my hard drive to do it.
I am curious, though, for those of you who've done this successfully... what should I expect in my directory once this is done? Are folder structures preserved? Or is it literally going to be me looking at random photo names and mp3's and trying to figure out where they belong? Any tips for doing this efficiently? I just want to know what I'm in for, here. Thanks in advance.
-
- Starting out
- Posts: 10
- Joined: Fri Dec 06, 2019 9:23 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Quick question, going through a list of security protocols on my qnap so this horrible experience doesn't repeat. Why are you not meant to change your default port from 8080?
Forever enraged.
-
- Starting out
- Posts: 10
- Joined: Fri Dec 06, 2019 9:23 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I don't for the life of me understand how people are still getting hit with this ransomware? Can someone explain??? It's kind of making me nervous again. I already got hit in April, all of my apps and firmware are up to date, could this still happen again?
jaergo wrote: ↑Wed Jan 19, 2022 5:43 am
Hi, all...
Just got hit with this a few days ago. I was able to stop the process, thankfully. I couldn't get PuTTY to connect for the life of me, so I couldn't get that password. Instead, I ordered a 2TB flash drive that will be here tomorrow.
I did read somewhere that as soon as I discovered this, to run the malware, update firmware, but don't turn it off. I did both, and didn't turn it off, but now QNAP support is telling me I may lose the map because I updated the firmware. Does this mean I'm screwed and I can't get my stuff back? I have a lifetime of pics on there.
Also, if I am able to do this, how long does this usually take? I have a little under 1 tb of stuff. Hours? Days? And then what's the best way to put it all back together? Sorry for so many questions, this is stressful and of course, surprising. Thanks in advance.
Forever enraged.
- dolbyman
- Guru
- Posts: 35032
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
pretty easy .. people still expose their NAS units to WAN, as QNAP did and still does advertise these units as easy private clouds .. and *zapp* all data is gone ...
If you remove all port forwards to the NAS (and disable upnp) you will not be in trouble here
-
- New here
- Posts: 9
- Joined: Wed Jan 19, 2022 5:37 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
To be honest, it's my fault. I pay a lot of attention to my security on my PC, but I've been super neglectful on the NAS, and it's biting me in the **, now. Of course, the fact that I didn't even know about it until it happened kind of ** me off, I think QNAP should have been much more engaged in all of this.
It won't happen again, I assure you.