[RANSOMWARE] >>READ 1st Post<< Deadbolt

Hulli
Starting out
Posts: 49
Joined: Thu Mar 28, 2013 9:56 pm

Re: [RANSOMWARE] Deadbolt

Post by Hulli »

mikaux wrote: Wed Jan 26, 2022 6:59 pm
Hulli wrote: Wed Jan 26, 2022 6:37 pm
Hi there. Is there any way you can post a 'How To' for the actions you have taken? Many of us have no real experience, or limited experience, with SSH, and although I can get in that way, I don't know what to do once in. That is, I don't know how to get into the file structure to find the files you found.
Try to help a little bit...

If you use Windows, install PuTTY and add your NAS IP address into PuTTY with port 22.
The problem could be, if you have not enabled SSH in your NAS you could have problems, then you have to put a keyboard and a monitor to your NAS and you are directly connected to the console port. These are the possibilities...

If you logged in via SSH to your nas you need only a bunch of additional unix commands:

e.g.

ll for list files
cd .. for change directory or
cd /mnt/HDA_ROOT/ for changing direct to the directory.
rm Filename for remove file.
type for seeing all active tasks
rf for task list
kill + PID Number for killing a running process

and you need an editor for the wrong index.html where you can see which file he use for encryption etc. and to find and kill the right process..

I know it is not easy for absolute beginners, but possible if you ask also google for help...


Hope this helps a little bit.


brgds

Frank
pbch1
New here
Posts: 8
Joined: Wed Jan 26, 2022 8:53 pm

Re: [RANSOMWARE] Deadbolt

Post by pbch1 »

pbch1 wrote: Wed Jan 26, 2022 8:59 pm I am also a victim!

I am a victim of myself (backup) and of QNAP.
All my files are encrypted *.deadbolt
Unfortunately my backup is not up-to-date. Yes... I know.

I really need the documents on my QNAP NAS. Is there anyone here who paid and got a working key? Yes - I also know I should not do it. But.... :-(

Does anyone know what is the right way? Should I update the firmware on the NAS and restart, or is this a bad idea because - if I get the right key - it will not work then? Or is the unlock key already on the NAS or in the files?

THANK YOU for any help!
Update system or not is also still a question.
Does anyone know you can go to the NAS by using: http://yourNASIP:8080/cgi-bin/index.cgi Example: http://192.168.1.10:8080/cgi-bin/index.cgi
Last edited by pbch1 on Wed Jan 26, 2022 9:42 pm, edited 1 time in total.
Hulli
Starting out
Posts: 49
Joined: Thu Mar 28, 2013 9:56 pm

Re: [RANSOMWARE] Deadbolt

Post by Hulli »

Back up the file before deleting, maybe you need it for decrypting reasons, and also the wrong index.html???????

remove 11943

1. kill 11943
2. chattr -i 11943
3. rm 11943

that should work....

brgds

Hulli

remainz wrote: Wed Jan 26, 2022 9:33 pm Can someone please help with killing the process as above?

How to write kill PID 11943* properly, as this doesn't work and I don't know enough programming?
thanks

using Windows and this link https://www.qnap.com/en/how-to/knowledge-base/a ... -using-ssh


cd /mnt/HDA_ROOT/
ls -alh


drwxr-xr-x  9 admin administrators 4.0K 2022-01-25 15:59 ./
drwxr-xr-x 10 admin administrators  220 2021-11-23 22:55 ../
-rwxr-xr-x  1 admin administrators 939K 2022-01-25 15:59 11943*
-rw-rw-rw-  1 admin administrators  280 2021-11-26 12:49 .conf
drwxr-xr-x 59 admin administrators  12K 2022-01-26 09:46 .config/
drwxrwxrwx  2 admin administrators 4.0K 2021-11-23 22:22 .inited/
drwxr-xr-x  9 admin administrators 4.0K 2022-01-26 13:10 .logs/
drwx------  2 admin administrators  16K 2018-01-11 17:25 lost+found/
-rw-r--r--  1 admin administrators    0 2021-07-19 12:13 .nfs_fix_check
-rw-r--r--  1 admin administrators    0 2018-01-11 17:28 .QTS.installed
-rw-r--r--  1 admin administrators    0 2018-01-11 17:28 .QTS.installed.notice
drwxr-xr-x  2 admin administrators 4.0K 2021-07-19 12:00 ssl_lib/
lrwxrwxrwx  1 admin administrators   24 2020-12-01 14:02 twonkymedia -> /mnt/ext  
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

remainz wrote: Wed Jan 26, 2022 9:33 pm Can someone please help with killing the process as above?

How to write kill PID 11943* properly, as this doesn't work and I don't know enough programming?
thanks

using Windows and this link https://www.qnap.com/en/how-to/knowledge-base/a ... -using-ssh


cd /mnt/HDA_ROOT/
ls -alh


drwxr-xr-x  9 admin administrators 4.0K 2022-01-25 15:59 ./
drwxr-xr-x 10 admin administrators  220 2021-11-23 22:55 ../
-rwxr-xr-x  1 admin administrators 939K 2022-01-25 15:59 11943*
-rw-rw-rw-  1 admin administrators  280 2021-11-26 12:49 .conf
drwxr-xr-x 59 admin administrators  12K 2022-01-26 09:46 .config/
drwxrwxrwx  2 admin administrators 4.0K 2021-11-23 22:22 .inited/
drwxr-xr-x  9 admin administrators 4.0K 2022-01-26 13:10 .logs/
drwx------  2 admin administrators  16K 2018-01-11 17:25 lost+found/
-rw-r--r--  1 admin administrators    0 2021-07-19 12:13 .nfs_fix_check
-rw-r--r--  1 admin administrators    0 2018-01-11 17:28 .QTS.installed
-rw-r--r--  1 admin administrators    0 2018-01-11 17:28 .QTS.installed.notice
drwxr-xr-x  2 admin administrators 4.0K 2021-07-19 12:00 ssl_lib/
lrwxrwxrwx  1 admin administrators   24 2020-12-01 14:02 twonkymedia -> /mnt/ext  
$ ps | grep 11943 | grep -v grep
123456 admin ........................... "123456" is PID
$

$ kill 123456
$ ps | grep 11943 | grep -v grep
$ (Nothing is displayed)
This post was created by machine translation.
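
Added example, not part of any post in this thread: a shell sketch of the steps discussed above (keep a copy of the suspect file, find the process that is actually running it, then stop and remove it). In the listing, 11943 is a file name, while kill takes a process ID, so the PID has to be looked up first. The /share/evidence destination and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. /mnt/HDA_ROOT/11943 is the file shown in
# the listing above; /share/evidence is a hypothetical destination.

# Print the PID of every process whose executable is $1. Reads the
# /proc/<pid>/exe symlinks ($2 overrides /proc, for testing) instead of
# grepping `ps` output, so a PID or argument that merely contains "11943"
# cannot match by accident.
pids_running_exe() {
    target=$1
    procroot=${2:-/proc}
    for d in "$procroot"/[0-9]*; do
        [ -L "$d/exe" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads
        case $exe in
            # The kernel appends " (deleted)" once the file has been removed
            # while the process is still running.
            "$target" | "$target (deleted)") echo "${d##*/}" ;;
        esac
    done
    return 0
}

# Copy a suspect file to $2 before deletion, strip its execute bits, record
# its SHA-256 next to it, and print the hash.
preserve_sample() {
    src=$1
    dest=$2
    name=${src##*/}
    mkdir -p "$dest" || return 1
    cp -p "$src" "$dest/$name.sample" || return 1
    chmod a-x "$dest/$name.sample" || return 1
    hash=$(sha256sum "$dest/$name.sample" | awk '{print $1}')
    [ -n "$hash" ] || return 1
    printf '%s  %s\n' "$hash" "$name" > "$dest/$name.sha256"
    echo "$hash"
}

# Order of operations on the NAS (run as admin):
#   preserve_sample /mnt/HDA_ROOT/11943 /share/evidence
#   for pid in $(pids_running_exe /mnt/HDA_ROOT/11943); do kill "$pid"; done
#   chattr -i /mnt/HDA_ROOT/11943 && rm /mnt/HDA_ROOT/11943
```

The preserved copy and its hash can be attached to a support ticket or kept in case the file is needed later for decryption.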
CHRISTIAN1975
New here
Posts: 2
Joined: Sun Sep 30, 2018 8:03 pm

Re: [RANSOMWARE] Deadbolt

Post by CHRISTIAN1975 »

Sorry for my ignorance. A few months ago I was attacked by crypto locker and I lost everything.
luckily I had an 18 month old backup. . .
But if I disable all the services but leave only the possibility to access via Qfile or via myqnap cloud active, do I still run the risk of a new attack ??
trap.rigoroso
First post
Posts: 1
Joined: Wed Jan 26, 2022 9:40 pm

Re: [RANSOMWARE] Deadbolt

Post by trap.rigoroso »

Sorry,
this also happened to a client of mine.
How do I notify QNAP or the privacy authority (Garante Privacy)?
Thanks.
Chadw1701a
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:39 am

Re: [RANSOMWARE] Deadbolt

Post by Chadw1701a »

I pulled the drives that were not encrypted by the malware. Is there any way to get the data off of them with Windows or Linux?
Hardware: TS-653A
CHRISTIAN1975
New here
Posts: 2
Joined: Sun Sep 30, 2018 8:03 pm

Re: [RANSOMWARE] Deadbolt

Post by CHRISTIAN1975 »

trap.rigoroso wrote: Wed Jan 26, 2022 10:19 pm Sorry,
this also happened to a client of mine.
How do I notify QNAP or the privacy authority (Garante Privacy)?
Thanks.
Unfortunately, with my previous attack QNAP could not do anything. . . they tried to decrypt some of my files without success. . .
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

CHRISTIAN1975 wrote: Wed Jan 26, 2022 10:19 pm Sorry for my ignorance. A few months ago I was attacked by crypto locker and I lost everything.
luckily I had an 18 month old backup. . .
But if I disable all the services but leave only the possibility to access via Qfile or via myqnap cloud active, do I still run the risk of a new attack ??
I think myqnapcloud needs to stop.
This post was created by machine translation.
luckydekko
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:12 am

Re: [RANSOMWARE] Deadbolt

Post by luckydekko »

Anyone receive anything more than an automatic response from QNAP support yet?

I opened a ticket yesterday and still nothing…
nonojapan
Starting out
Posts: 17
Joined: Wed Jan 26, 2022 12:14 pm

Re: [RANSOMWARE] Deadbolt

Post by nonojapan »

luckydekko wrote: Wed Jan 26, 2022 10:36 pm Nothing for me either. Opened ticket both in US and Japanese QNAP 12 hours ago. Nothing...
chumbo
Know my way around
Posts: 130
Joined: Sun May 03, 2020 8:43 pm

Re: [RANSOMWARE] Deadbolt

Post by chumbo »

Same here...no response from QNAP!!
Are Synology NAS more secure?
I certainly hope QNAP will do the right thing here and pay up for the sake of its customers!
QNAP TS-251+ 8Gb, Windows 10 x64.
I'm a total noob when it comes to networking and security so please address me as if I were your grandmother
dolbyman
Guru
Posts: 35227
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

So you actually believe QNAP is gonna pay 2 million bucks ransom?...riiight
alexhjones
New here
Posts: 8
Joined: Fri Oct 28, 2016 5:52 pm

Re: [RANSOMWARE] Deadbolt

Post by alexhjones »

luckydekko wrote: Wed Jan 26, 2022 10:36 pm Anyone receive anything more than an automatic response from QNAP support yet?

I opened a ticket yesterday and still nothing…
Yup, I got a reply from customer support to my online ticket within 4 hours. No fix but at least they acknowledged it and are replying to follow up questions.
remainz
Starting out
Posts: 16
Joined: Tue Jan 22, 2019 8:17 pm

Re: [RANSOMWARE] Deadbolt

Post by remainz »

I got this from QNAP
Thanks for contacting QNAP support, I'm sorry you have been hit with ransomware. As you can understand this is very new and we are currently looking into it. If you have backup then the quickest method would be to wipe the NAS and restore from a backup. If you do not have a backup we are still gathering information on this, we are asking for remote access and logging it with our R&D to analyse further. If you can't connect to the web admin page please add /cgi-bin/index.cgi at the end of URL like http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. If you would like me to send this to our Head office for further analysis then please let me know.