[RANSOMWARE] Qlocker

Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] Qlocker

Post by Skwor »

P3R wrote: Mon Apr 11, 2022 8:20 am
Skwor wrote: Mon Apr 11, 2022 4:27 am As I recall since April 2021 they changed the advice, that is when they first started making strong recommendations to not expose the NAS to the internet...
Unfortunately it wasn't strong and that was my problem with it.

In the April 22, 2021 Security News named Response to Qlocker Ransomware Attacks they said that people should install Malware Remover, use strong passwords, keep their systems updated, avoid using standard ports and do backups. Do you find anything strong there? I find it ridiculous as a response to a huge ransomware attack affecting thousands of users.

The January 7th, 2022 statement is strong and, more importantly, it wasn't ambiguous.

Unfortunately Qnap still has things like the schizophrenic and embarrassing security best practice page (last edited in March 2022) up.

Items 3 and 4 are actually the same message as is given in the January 7th statement. They say that people should stop using the Auto Router Configuration (UPnP) and stop exposing the system directly on the Internet, but use myQNAPcloud Link or QVPN instead. Except that I don't agree with the advice of using QVPN, due to the awful break-ins they had in it in December 2021, I think those are excellent pieces of advice.

The huge contradiction starts in item 5 though where they suddenly have forgotten all about what they wrote in items 3 and 4 so there they say "Change the System Port Number if NAS is directed connected to the Internet.".

You can't both take your NAS off the Internet and still expose it (even if they recommend a non default port)!
Definitely not going to argue with you there, you are spot on. My big point was only that QNAP has moved to a more aggressive posture and the advice given could have and likely would have prevented the second round of attacks.

But ya, they still have a long way to go with embracing and messaging a real security posture for their devices.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
eploft
First post
Posts: 1
Joined: Sat Feb 12, 2022 2:01 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by eploft »

jaergo wrote: Sat Jan 22, 2022 8:36 am Okay, my Photorec finished, recovered over 500k files. When I go to run the next step, the qrescue.sh, it says, "/share/rescue/qpkg/QRescue/bin/qrescue.sh: line 26: /share/rescue/qpkg/QRescue/python_armhf/bin/python3: No such file or directory"

I can see that exists, how do I get it to find it?
Hi, I have the same problem, did you find a way to solve it?

This is what I have in /share/rescue/qpkg/QRescue/python_armhf/

drwxr-xr-x 2 admin administ 4096 Jun 2 2021 ./
drwxr-xr-x 6 admin administ 4096 Jun 2 2021 ../
-rwxr-xr-x 1 admin administ 149 Jun 2 2021 2to3-3.7*
-rwxr-xr-x 1 admin administ 147 Jun 2 2021 idle3.7*
-rwxr-xr-x 1 admin administ 132 Jun 2 2021 pydoc3.7*
lrwxrwxrwx 1 admin administ 9 Apr 19 09:14 python -> python3.7*
lrwxrwxrwx 1 admin administ 9 Apr 19 09:14 python3 -> python3.7*
-rwxr-xr-x 1 admin administ 9546 Jun 2 2021 python3.7*
-rwxr-xr-x 1 admin administ 3153 Jun 2 2021 python3.7m-config*
-rwxr-xr-x 1 admin administ 489 Jun 2 2021 pyvenv-3.7*

and if I try to run python, python3 or python3.7, bash says:
bash: ./python3.7: No such file or directory

I tried to reinstall Qrescue but it did not help.
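Added diagnostic, not part of QRescue or of the post above: when bash reports "No such file or directory" for a file that is visibly present and executable, the name the kernel cannot find is usually not the file itself but the ELF interpreter (the dynamic loader) recorded in the binary's PT_INTERP header, which is what happens when a binary was built for a different CPU architecture than the machine it is run on (the directory here is named python_armhf). The script below reads the machine type and the interpreter path straight out of the ELF headers and checks whether that interpreter exists on the host. It is plain Python 3 with no dependencies, so it can be run on any PC after copying the binary off the NAS. The BINARY path is taken from the post and is an assumption; build_fake_elf only constructs a header-only test fixture and never produces anything executable.

```python
import os
import platform
import struct

# Path from the post (assumption: adjust to whichever binary refuses to execute).
BINARY = "/share/rescue/qpkg/QRescue/python_armhf/bin/python3.7"

PT_INTERP = 3
# ELF e_machine values for the architectures found in QNAP NAS models.
EM_NAMES = {0x03: "x86", 0x28: "arm (32-bit)", 0x3E: "x86-64", 0xB7: "aarch64"}


def parse_elf(data):
    """Return (machine_name, interpreter_path) from an ELF image held in `data`.

    interpreter_path is None when there is no PT_INTERP segment (static binary).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is_64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian, 2 = big-endian
    machine = struct.unpack_from(end + "H", data, 18)[0]
    if is_64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    interp = None
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, ph)[0] != PT_INTERP:
            continue
        if is_64:
            p_offset = struct.unpack_from(end + "Q", data, ph + 8)[0]
            p_filesz = struct.unpack_from(end + "Q", data, ph + 32)[0]
        else:
            p_offset = struct.unpack_from(end + "I", data, ph + 4)[0]
            p_filesz = struct.unpack_from(end + "I", data, ph + 16)[0]
        interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        break
    return EM_NAMES.get(machine, hex(machine)), interp


def interpreter_present(interp):
    """True when the loader the binary asks for exists (or it needs none)."""
    return interp is None or os.path.exists(interp)


def diagnose(path):
    """Read the ELF headers of `path` and report why execve may fail with ENOENT."""
    with open(path, "rb") as f:
        machine, interp = parse_elf(f.read())
    return {
        "binary_machine": machine,
        "host_machine": platform.machine(),
        "interpreter": interp,
        "interpreter_present": interpreter_present(interp),
    }


def build_fake_elf(machine, interp, is_64=True):
    """Construct a minimal little-endian ELF image with a single PT_INTERP segment.

    Test fixture only: it carries no code and cannot be executed.
    """
    interp_b = interp.encode() + b"\0"
    ehsize, phentsize = (64, 56) if is_64 else (52, 32)
    interp_off = ehsize + phentsize
    ident = b"\x7fELF" + bytes([2 if is_64 else 1, 1, 1, 0]) + b"\0" * 8
    if is_64:
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                           len(interp_b), len(interp_b), 1)
    else:
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_INTERP, interp_off, 0, 0,
                           len(interp_b), len(interp_b), 4, 1)
    return ehdr + phdr + interp_b


if __name__ == "__main__":
    if os.path.exists(BINARY):
        for key, value in diagnose(BINARY).items():
            print(f"{key}: {value}")
    else:
        # No NAS binary here: show the parser on a constructed armhf image instead.
        print(parse_elf(build_fake_elf(0x28, "/lib/ld-linux-armhf.so.3", is_64=False)))
```

If binary_machine does not match host_machine, or interpreter_present is False, the bundled python cannot run on that NAS regardless of its file permissions, and reinstalling the same package will not change that.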
chicken chicken
New here
Posts: 3
Joined: Sun Apr 10, 2022 1:41 am

Re: [RANSOMWARE] Qlocker

Post by chicken chicken »

I have just paid the ransom of 0.02BTC but the decrypt code is WRONG!!

is there anything I could do?? d a m n the hacker giving me a wrong code. I have paid but you are still playing on me.

Is there anyone who could help??
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [RANSOMWARE] Qlocker

Post by Toxic17 »

chicken chicken wrote: Wed May 04, 2022 12:57 am is there anything I could do?? d a m n the hacker giving me a wrong code. I have paid but you are still playing on me.
The only thing the hacker is interested in is your money. They don't care about your data.

Can't believe that a year on after QLOCKER was known to QNAP, people are still being infected.

Since the fix was to update HBS3, I take it your backups are also encrypted?
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Qlocker

Post by P3R »

Toxic17 wrote: Wed May 04, 2022 6:26 am Can't believe that a year on after QLOCKER was known to QNAP, people are still being infected.
Qlocker2 probably started on one of the first days of 2022. As far as I understand Qlocker2 was using the same encryption engine but a different exploit than in the original Qlocker (the hardcoded HBS admin account). This made Qnap finally give up and post this "Security Advisory" that recommended users to stop exposing their systems on the internet.

As Deadbolt exploded about three weeks later, Qlocker2 sort of was forgotten and nobody cared to understand that it was a different exploit than in the original Qlocker attacks. With Deadbolt Qnap rewrote the previous Security Advisory slightly, this time naming the ransomware.

It appears that the QTS 5.0.0.1891 build 20211221 and the QTS 4.5.4.1892 build 20211223 resolved the exploits used by both Qlocker2 and Deadbolt, but as Qnap is notoriously silent about exploits (the HBS admission was the exception, probably because the word was already out), their users are kept in the dark about what exactly hit them.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [RANSOMWARE] Qlocker

Post by Toxic17 »

P3R wrote: Thu May 05, 2022 4:36 pm
thanks for the info.
Regards Simon

Capoeirista
First post
Posts: 1
Joined: Tue May 17, 2022 6:55 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Capoeirista »

rbharol wrote: Mon Jan 17, 2022 5:36 pm
rbharol wrote: Mon Jan 17, 2022 5:33 pm Guys, I created this script that can recover your files. It worked for me so I hope it may help you as well. It is on github. There are two scripts one helps you count the files. It unlocks all files recursively starting from the root directory.

https://github.com/rajeevbharol/Qlocker-Recovery
Here it is. You have to run it twice. I have a helper script named count7z.sh to count how many files are there or are left... See the readme file on github.

Code: Select all

#!/bin/bash
# Recover files locked by Qlocker: extract every password-protected .7z archive next to
# itself, and on a second run delete the archives whose contents have already been extracted.
# Run it from the top directory you want to recover.

# PW variable contains the password to your 7z file. Replace this string with your password
PW=ZANwQKyHG482TFVjkcbYpPr5nz3DSCEe

CMD=/usr/local/sbin/7z

# Walk every .7z file below the current directory. -print0 together with read -d '' keeps
# file names containing spaces, apostrophes and other special characters intact.
find . -type f -name '*.7z' -print0 | while IFS= read -r -d '' the_file
do
    echo "============> Found 7z file $the_file"

    search_dir=$(dirname "$the_file")
    the_file_without_extn="${the_file%.*}"
    echo "basename: $the_file_without_extn"

    if [[ -f "$the_file_without_extn" ]]; then
        echo "Deleting already extracted file $the_file"
        rm -f "$the_file"
    else
        echo "Need to Extract File..trying"
        # Every argument is quoted, so the shell never re-parses the file name.
        # stdin comes from /dev/null so 7z cannot swallow the file list arriving from find,
        # and -y answers any overwrite prompt so the script never stalls waiting for input.
        "$CMD" e "$the_file" -o"$search_dir" -p"$PW" -y >/dev/null </dev/null
    fi
done

# Getting rid of the hackers' message in every directory
find . -type f -name '*!!!READ_ME.txt' -print -exec rm -f {} +
hi,
I don't get it?! It's only possible to run it when you have successfully got access to the password, right?
Thanks for a reply
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

Of course. The program is not magic; it still needs the password. It's right there in the code snippet.
helloworld2022
New here
Posts: 3
Joined: Fri May 20, 2022 2:44 am

Re: [RANSOMWARE] Qlocker

Post by helloworld2022 »

Hi,
Re QRescue: will removing files zipped with 7z that I no longer require affect QRescue? I had tried and only managed to partially recover some files, and suspect that the recovery process requires more than 2x the space occupied by my files on my NAS. I can't keep second-guessing the amount of drive space I need on the external drive. I would appreciate it if anyone who has faced similar issues with their recovery could assist me. Thank you.
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

The files can ONLY be recovered to an external location; changing or storing files on the infected volume is sawing off the branch that you are sitting on.
helloworld2022
New here
Posts: 3
Joined: Fri May 20, 2022 2:44 am

Re: [RANSOMWARE] Qlocker

Post by helloworld2022 »

dolbyman wrote: Fri May 20, 2022 3:23 am The files can ONLY be recovered to an external location; changing or storing files on the infected volume is sawing off the branch that you are sitting on.
Unfortunately, I use the surveillance app actively on the NAS, so the volume is always changing anyway as images get stored. I sense that QRescue is decrypting one file at a time, so reducing the number of files might help in my recovery, but it is a guess.
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

if you have constant write activity on that volume, recovery is extremely unlikely
robincap
New here
Posts: 2
Joined: Sun May 22, 2022 10:30 pm

Re: [RANSOMWARE] Qlocker

Post by robincap »

Hi,

After I execute the Qrescue script, it shows the remaining time to be 3240 hours. It's already been running for the past week. I have 400 GB of data. I do not want to rescue all the files. Is there a way I can specify the folders I want to be rescued? There are only a couple of folders with kids' photos I want... the rest I do not care much about.
desmomax
Starting out
Posts: 12
Joined: Sun Feb 01, 2015 1:10 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by desmomax »

Capoeirista wrote: Tue May 17, 2022 7:02 pm
hi,
I don't get it?! It's only possible to run it when you have successfully got access to the password, right?
Thanks for a reply

Hi there

I have run the script by @rbharol and, as my zipped files were not encrypted, it worked for most files, removing the password string.

I had some problems with music file names with spaces... also using the second unlocker script.
Here is the error I receive:


How can I fix it?

Thanks
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

The output looks like the script can't handle ' ... the script would need adapting to handle file names with apostrophes.