[RANSOMWARE] >>READ 1st Post<< Deadbolt

FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

P3R wrote: Fri Jan 28, 2022 9:12 am
yemartin wrote: Fri Jan 28, 2022 5:16 am 1) You don't. I mean: reevaluate your use of QNAP to access files remotely. If it is just a small convenience, maybe it is not worth the risk.
2) You understand the risk but have money to burn and don't mind paying ransoms (risky: unlocking may not always be an option).
3) You understand the risk but your data is disposable so you don't mind losing it.
4) You understand the risk but have a solid backup strategy, and don't mind restoring from backups when needed.
5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
OMG!

In my opinion only 1 and 5 are valid options.

2-4 are hugely irresponsible and I'm surprised to see anyone even suggest them. It's not only the data on the NAS that is at stake. Every time criminals own the system they can do anything. The criminals could plant a trojan on the NAS, they could use it as a relay in further criminal activities, they could use it as a foothold to attack other systems like the backups, a work laptop (so suddenly you're giving the intruder a foothold into your employer's network), surveillance cameras to spy on you or anything else in the network.

This is true madness!
I have seen this post too, and I was rather sure that "options" 2, 3, 4 are only a sarcastic note, but not a real alternative. But I missed the <sarcasm> tags... :DD

regards
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by genmaitya »

Plecotus wrote: Fri Jan 28, 2022 4:25 pm
genmaitya wrote: Fri Jan 28, 2022 11:06 am Changing the port is meaningless if the server administrator is using myQNAPcloud with the default settings.
Another learning opportunity! Can you elaborate on this a little? Which default settings would needlessly expose the QNAP?
I do have myQNAPCloud enabled but:

- UPnP disabled
- myDDNS enabled
- don't have any services published
- do have the myQNAPcloud Link enabled with default UDP setting
- access control is set to private (me only)
- active SSL certificate
-Access control is private, so it seems safe.
-If the NAS name is NASxxxxxx, I think you need to change it to another name. (I think the xxxxxx part is 0x000000-0xffffff)
-I recommend that you use the 5-digit management port number.
-To access from the internet, you need to use a VPN.
-You need to check the port mapping of your router.
-It is also important to see the results of your security counselor.
This post was created by machine translation.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by FSC830 »

Plecotus wrote: Fri Jan 28, 2022 9:31 am
P3R wrote: Fri Jan 28, 2022 9:14 am You're living with the risk for intrusions into a corporate network because you like the ease-of-use? :-0
"Corporate network" is probably somewhat of a reach. This is literally a 2-Bay QNAP sitting in my house's electrical closet doing real-time and periodic backup (HBS3) to OneDrive over a residential DSL circuit :'

To be clear: my system is not infected, but following this thread with great interest because I'm looking to learn and improve. And prevent!

And yes, up until this moment in time, ease-of-use is an important factor for my users that needs to be part of the equation. If I lock it down too tightly and it becomes too tiresome to access, users will walk away.
Unbelievable! If your users (sorry to say) are too stupid to use an easy and secure option, kick them off!
Ease-of-use must not be an obstacle for security. If so, and ease-of-use is much more important than security, stop claiming about any intruders, malware, hackers immediately!
Plecotus wrote: Fri Jan 28, 2022 9:07 am ...
My use case is having a number of independent sales contractors (about 50 of them) needing to view and (more importantly) upload files from their tablets and smartphones while in the field.
...
For all of this staff an easy VPN client is available, i.e. StrongSwan, which offers a secure VPN connection with only one-click.
The only thing you need is to set up a proper VPN server at your end!
And there are many more VPN clients available which need no rocket-science!

Regards
Comy86
Starting out
Posts: 15
Joined: Thu Jan 27, 2022 2:15 am

Re: [RANSOMWARE] Deadbolt

Post by Comy86 »

FSC830 wrote: Fri Jan 28, 2022 4:52 pm
Comy86 wrote: Fri Jan 28, 2022 4:22 pm ...
update!!
I deactivated the malware removal tool, and after about 5 minutes, I managed to get the lockscreen back with the address http://IP:8080//index.html (there are 2 "/" between the port and the index.html)
I entered the key and started decrypting the remaining files. After it finished decrypting, the lockscreen disappeared and I was again in the QNAP GUI
And how can you be sure that the malware did not put any backdoor to your system???
I would never - NEVER - trust an infected device, and much less the guys who press money from me!

Regards
After I finished the decryption process, I closed the NAS until later today when I can back up the files to an external HDD.
After the backup, I'll see what steps to take in regards to the NAS and the hard drives.

Honestly, right now I'm thinking about switching to Synology
rsltaw
First post
Posts: 1
Joined: Fri Jan 28, 2022 3:19 am
Location: GB

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by rsltaw »

Theliel wrote: Fri Jan 28, 2022 10:01 am
Another recommendation that I always make together with the above, and makes the system practically free of infections, is to correctly configure the Firewall of the NAS or the Router that we put ahead, with something as simple as filtering the traffic that comes outside our country. 99% of malware of these attacks all come from the same countries, so unless you live in precisely one of those countries, filtering international traffic makes you pretty safe.
How can this be done?
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

I am using 8 QNAP devices (3 of them are OEM), the oldest is in service for about 10(?) years.
None of these NAS have ever been infected by any malware.
But to be honest: I use these devices as NAS, and not as a one-for-all highly sophisticated server.
I have never used services/apps like myqnapcloud, photo-station, download-station or anything else. My network is secured (hopefully) by a dedicated firewall/router. The latest NAS TS-473A with QTS 5.0.0.1891 does not use QuFirewall or QVPN.
All of the NAS are not exposed in any way to the internet!

So QNAP can be safe to use, it depends on the services and configuration you are using!

Regards
Last edited by FSC830 on Sat Jan 29, 2022 5:10 am, edited 1 time in total.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by P3R »

Theliel wrote: Fri Jan 28, 2022 10:01 am For practical and real purposes, and especially in "home" environments, simply changing the default ports reduces any problem to a minimum.
It only works until the low-hanging fruit has all been compromised. The next step will be to search for the ones that try to hide...

Your advice is short-sighted and it confuses the message that is the only responsible one to send. Even QNAP have since the 7th of January changed their recommendation away from the insecure sh*t you're saying. You're part of the problem.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
R4VEN
New here
Posts: 2
Joined: Fri Jan 28, 2022 5:48 pm

Re: [RANSOMWARE] Deadbolt

Post by R4VEN »

Hello

I was able to retrieve all my files thanks to snapshots, phew..

But now
1. How can I clean my NAS to make sure that deadbolt is gone for good? Factory reset or something else?
2. Can someone please point out ALL necessary steps/options/settings to change, to set up the NAS to be less vulnerable in the future?
3. What QNAP programs do you guys use/recommend to increase protection?
4. How can I have access to my files over the internet, in the safest way possible?

Thanks in advance, and I hope you will all get your files back.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

Would you please be so kind and read this thread from the very beginning?
The steps are listed more than once and it does not make the thread more readable if every second or third post repeats it!

Regards
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

R4VEN wrote: Fri Jan 28, 2022 6:08 pm Hello

I was able to retrieve all my files thanks to snapshots, phew..

But now
1. How can I clean my NAS to make sure that deadbolt is gone for good? Factory reset or something else?
2. Can someone please point out ALL necessary steps/options/settings to change, to set up the NAS to be less vulnerable in the future?
3. What QNAP programs do you guys use/recommend to increase protection?
4. How can I have access to my files over the internet, in the safest way possible?

Thanks in advance, and I hope you will all get your files back.
https://www.qnap.com/en/security-news/2 ... e-together
https://blog.qnap.com/nas-internet-connect-en/
In particular, it is important to use only a VPN when using from the internet.
This post was created by machine translation.
BlueSmurf
New here
Posts: 5
Joined: Mon Dec 14, 2015 12:28 pm

Re: [RANSOMWARE] Deadbolt

Post by BlueSmurf »

FSC830 wrote: Fri Jan 28, 2022 6:12 pm Would you please be so kind and read this thread from the very beginning?
The steps are listed more than once and it does not make the thread more readable if every second or third post repeats it!

Regards
Yes, that's technically a correct answer. But let's show some compassion for people who've been impacted with the ransomware and are desperate for some definitive and concise information on what to do immediately.

Telling someone to read 20 pages of forum chat that's responding to an emerging crisis lacks compassion.

The community/QNAP support needs to create and maintain a sticky to help those that are facing a crisis.
Various6
New here
Posts: 3
Joined: Fri Jan 28, 2022 6:44 pm

Re: [RANSOMWARE] Deadbolt

Post by Various6 »

Unfortunately 1 of our 5 QNAP devices was affected by this sh** ransomware, obviously QNAP support said they can do nothing and we can only recover files from snapshot so I did it, snapshot recovery took all night (1,3tb of data) but obviously didn't recover all files that has to and deleted all fu****g snapshots from disk (almost 30 snapshots), obviously QNAP turned off their support website and help desk app on device, anyone had the same problem and know how to recover files? I disconnected second disk that has mirror raid on it but without snapshots...
R4VEN
New here
Posts: 2
Joined: Fri Jan 28, 2022 5:48 pm

Re: [RANSOMWARE] Deadbolt

Post by R4VEN »

FSC830 wrote: Fri Jan 28, 2022 6:12 pm Would you please be so kind and read this thread from the very beginning?
The steps are listed more than once and it does not make the thread more readable if every second or third post repeats it!

Regards
I am right now, taking my notes. Unfortunately I am not an expert. Sometimes I don't even know where to find the proper option in the menu, to change settings that are mentioned in this topic.
Maybe it will be good to get that advice all together and put it at the start of this topic, in one place? Or in a stickied, separate topic?
Sorry for my English, I hope you guys know what I mean.

Regards
genmaitya wrote: Fri Jan 28, 2022 6:32 pm https://www.qnap.com/en/security-news/2 ... e-together
https://blog.qnap.com/nas-internet-connect-en/
In particular, it is important to use only a VPN when using from the internet.
Thanks!
nonojapan
Starting out
Posts: 17
Joined: Wed Jan 26, 2022 12:14 pm

Re: [RANSOMWARE] Deadbolt

Post by nonojapan »

R4VEN wrote: Fri Jan 28, 2022 6:08 pm Hello

I was able to retrieve all my files thanks to snapshots, phew..

But now
1. How can I clean my NAS to make sure that deadbolt is gone for good? Factory reset or something else?
2. Can someone please point out ALL necessary steps/options/settings to change, to set up the NAS to be less vulnerable in the future?
3. What QNAP programs do you guys use/recommend to increase protection?
4. How can I have access to my files over the internet, in the safest way possible?

Thanks in advance, and I hope you will all get your files back.
I think everybody is tired and on the edge. FSC830 kindly explained the process on Jan 27 (I think). Here is what he advised:
Q5: A complete reset of the NAS can be done by:
a) pull all disks, connect the disks directly or via a USB adapter to a PC and delete all partitions, formatting is not necessary.
b) install FW using Qfinder to NAS
c) re-insert the disks, power on and follow the installation wizard
d) if NAS is up again, check autorun.sh if there is any cryptic or unknown code. Usually autorun.sh is empty if YOU did not put any command there!

Q6:
depends on NAS: for old Cat1 models (so called legacy firmware) use a Linux PC and mount the correct partition. For Windows, there are existing drivers for reading ext4 file system, but I do not know how they handle the partitions.
For newer Cat2 models with HAL firmware (ability to create pools) it is much more difficult, there is an additional LVM layer you need to address. No idea, how this is to be done.
There are several threads dealing with that, but I did not see a solution which fits one-for-all.
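
Step d) of the reset procedure quoted above, as an added example that is not part of any post in this thread: a small shell check that reports whether a copy of autorun.sh contains any active commands. The file path is passed in by the caller, and the pattern list and sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: triage a copy of autorun.sh after a NAS reset (step d above).
# Pass the path to the copy; locating the file on a given model is out of scope.

# Lines that are not blank and not comments, with their line numbers.
active_lines() {
    grep -nEv '^[[:space:]]*(#.*)?$' "$1" || true
}

count_active() {
    active_lines "$1" | grep -c . || true
}

# Heuristic patterns chosen for this example (an assumption, not a QNAP list):
# decode/download/evaluate commands or a long encoded-looking run.
suspicious_lines() {
    active_lines "$1" |
        grep -E '(base64|eval|curl|wget|/dev/tcp|[A-Za-z0-9+/=]{40,})' || true
}

# Verdict: MISSING, EMPTY (expected if you never added commands),
# REVIEW (commands present, read each one), SUSPICIOUS (heuristic hit).
review_autorun() {
    [ -e "$1" ] || { echo MISSING; return 0; }
    [ "$(count_active "$1")" -gt 0 ] || { echo EMPTY; return 0; }
    if [ -n "$(suspicious_lines "$1")" ]; then echo SUSPICIOUS; else echo REVIEW; fi
}

# Constructed sample files, not taken from any real device.
make_samples() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# nothing configured\n\n' > "$d/empty.sh"
    printf '#!/bin/sh\n/path/to/my-own-script.sh &\n' > "$d/own.sh"
    printf '#!/bin/sh\necho PLACEHOLDER_TEXT | base64 -d | sh\n' > "$d/odd.sh"
    echo "$d"
}

dir=$(make_samples)
for f in empty own odd absent; do
    printf '%s: %s\n' "$f" "$(review_autorun "$dir/$f.sh")"
done
rm -rf "$dir"
```

A REVIEW verdict only means commands are present; each line still has to be read and recognised as one you added yourself.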
Plecotus
Starting out
Posts: 18
Joined: Sun Nov 11, 2012 8:04 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by Plecotus »

FSC830 wrote: Fri Jan 28, 2022 5:15 pm Unbelievable! If your users (sorry to say) are too stupid to use an easy and secure option, kick them off!
Ease-of-use must not be an obstacle for security. If so, and ease-of-use is much more important than security, stop claiming about any intruders, malware, hackers immediately!
Such a shame. No need to get worked up over my situation. Take a deep breath, go punch a boxing bag, release some of that bottled up frustration and anger. Life's too short to stress over other people's problems.
A large customer demographic of QNAP is indeed "stupid" in the sense that most end-users will be average Joes or small businesses that are not (nor should be expected to be) security gurus.
"Easy to use" is very subjective and you'll find a lot of people will have a very different opinion on what might be super obvious and easy to others.

Ease-of-use shouldn't be an obstacle, but there needs to be a balance. Security vs Workability/Operability. If the scales tip over too far in favour of one or the other, it's bad for business. Either because of lacking security and its consequences, or because of a drop in productivity.
I've worked for a big Fortune 500 (currently ranked top 70) tech company most of my career where at some point we saw a very steep shift towards added security by means of 2FA, Yubikeys, jump-hosts, VPN, etc ... to the point where even their own network support staff would start looking for workarounds because day-to-day support/work would just become unbearable. So what would you expect from non-technical staff/users?

I'm not on this forum to complain (at least I don't think I have?) but to tap into the experience/expertise of this community and figure out how I can find that balance for my specific case and users.
FSC830 wrote: Fri Jan 28, 2022 5:15 pm For all of this staff an easy VPN client is available, i.e. StrongSwan, which offers a secure VPN connection with only one-click.
The only thing you need is to set up a proper VPN server at your end!
And there are many more VPN clients available which need no rocket-science!
My Unify USG-3G supports VPN I think. Don't currently use it, but will explore options to see if I can find an acceptably "easy" solution for my users going forward.
Last edited by Plecotus on Fri Jan 28, 2022 7:26 pm, edited 1 time in total.