[HOW TO] Reset your NAS after ransomware

remainz
Starting out
Posts: 16
Joined: Tue Jan 22, 2019 8:17 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by remainz »

Dumb question but how? "0. Make sure the NAS is not accessible from the internet if you do not want to do this on a regular schedule!!!"

Do I do this in my router?
Because I have to plug it into the Ethernet network to access it and that's online.
Do I just plug it in, turn it on, and then do this quickly in my router?
And is this MAC filtering?
Or is turning off UPnP on the router enough?

I've been waiting all this time hoping for a master key but I'm now just going to wipe it.

thanks
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [HOW TO] Reset your NAS after ransomware

Post by dolbyman »

No UPnP or manual port forwards on the router = no direct exposure of the NAS.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [HOW TO] Reset your NAS after ransomware

Post by FSC830 »

remainz wrote: Fri Jul 01, 2022 6:27 pm ...

Do I do this in my router?
Because I have to plug it into the Ethernet network to access it and that's online.
Do I just plug it in, turn it on, and then do this quickly in my router?
And is this MAC filtering?
Or is turning off UPnP on the router enough?

I've been waiting all this time hoping for a master key but I'm now just going to wipe it.

thanks
If you want someone to be notified, you need to quote :wink: (see also "Notifications" in the upper right corner).
As dolbyman said: no active port forwardings, no UPnP.
If access from remote is necessary, use a VPN (no paid service, just a VPN server in your LAN)!
MAC filtering is just "security by obscurity": a MAC can be spoofed, so enabling it protects against some kiddies playing around, but it does not stop a skilled hacker.
Don't mix up outgoing and incoming directions! Exposing the NAS is always the incoming direction.

Regards
keiberg
New here
Posts: 5
Joined: Tue Apr 19, 2016 5:24 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by keiberg »

Hi,

Maybe a stupid question but ok ...
I have 2 partitions: one is for my apps and one I only use to store data.
The system was also impacted by Deadbolt, so I would like to reset my system or even reinitialize it.
I have no issue reinstalling my apps. I have snapshots of my data from before the Deadbolt attack and also backups, but not of all the data.

Is it ok to only reinitialize the partition on which I have the applications?
I would like to keep the partition with my data and restore from snapshots where needed ...

Or could I take out the disks with the data partition, reinitialize my system and afterwards insert the data disks (RAID 5, 3 disks)?

thanks
Philippe
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [HOW TO] Reset your NAS after ransomware

Post by FSC830 »

My guess: you do not have two partitions, but two volumes?

The procedure above describes wiping all data from the NAS disks!
This includes user data as well as the operating system!
No one can say today which kind of backdoors may be installed/created by an infection (valid for all malware, not only Deadbolt)!

Snapshots and Deadbolt are a deadly combination, as often said in the Deadbolt thread.
I would never trust a compromised NAS!

Your data - your decision!

Taking out the disks is useless; the operating system is on the disks, not inside a "black box storage" in the NAS! In the NAS only a basic QTS is stored, which allows booting the complete system from the disks.
So any reset without the inserted disks does ... nothing!

Regards
keiberg
New here
Posts: 5
Joined: Tue Apr 19, 2016 5:24 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by keiberg »

Hi,

Thanks for your reply.
It's indeed 2 storage pools and separate volumes.

What I mean by taking out the disks:
I have 2 disks in RAID 1 holding my app volume and 3 disks in RAID 5 that contain the data.
To make sure that, when I reinitialize the system, the data volume is untouched, I thought of taking out the 3 disks with the data volume and inserting them back afterwards. I would expect QNAP to recognize this volume and these disks.

I am aware that there is a risk and that the malware might be on the data volume.
That risk is on me ... and indeed my decision.

thanks,
Philippe
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [HOW TO] Reset your NAS after ransomware

Post by FSC830 »

QTS is designed to recognize these disks afterwards, yes,
but there is still a high risk that this will not run smoothly 8) .
People have reported a lot that such a task ends in an unmounted/inactive volume and that it was not as easy as expected to recover (if there was a chance at all).
So no matter what you decide, a backup is strongly recommended.

And as said before: QTS is spread across all disks; there is no separation by pools, volumes or whatever.

Regards
netlord
New here
Posts: 8
Joined: Wed Dec 07, 2016 9:27 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by netlord »

FSC830 wrote: Sun Jan 30, 2022 3:21 am Hi all, because in every thread caused by ransomware nearly every 2nd/3rd post is "how can I reset my NAS?".
Therefore here is a simple to-do list!

Prerequisites: you need an actual backup of your data!

!!! IF YOU DO NOT HAVE AN ACTUAL AND CLEAN BACKUP, DO NOT FOLLOW THESE STEPS !!!

Addendum: if the encrypted data is not important to you, you can follow this advice to clean up the NAS. No data will be recovered by following these steps!

There may be other procedures, and if any malware resides in the DOM these steps may not be sufficient to clean up; it depends on "how smart the malware" was done!
If you don't have a backup, I recommend buying new disks and setting up the NAS with the new disks. Store the infected disks in a safe place and wait to see if any anti-malware process becomes available later (maybe much later)!

Let's start over:

0. Make sure the NAS is not accessible from the internet if you do not want to do this on a regular schedule!!!

1. If access to the NAS is possible, write down your system settings/app settings.
2. Shut down the NAS
3. Remove all media (disks and, if installed, NVMe devices)
4. Wipe all media at a PC. Usually it is sufficient to remove all partitions! If the PC does not have a SATA connector, use a USB adapter instead.
5. Power on the NAS
6. Use the Qfinder tool to install the latest firmware on the NAS (yes, it's possible without any media)
7. I
need a power off!
8. Set up the NAS again following the wizard. Do not restore any settings you wrote down in #1! If you backed up settings before the NAS was hacked, you can use them, but I recommend not to.
9. Check whether any unusual files or services exist. Check autorun.sh for any strange entries. If you did not write anything in autorun.sh, the file should be empty.
If you find your NAS is clean, proceed.
10. Create your shared folders, install and configure apps.
11. Restore your data from backup
12. Maybe the most important: think about how you can secure the NAS/LAN to avoid an infection in future. VPN is good advice!

All steps at your own risk!
If someone has another idea how to clean up, go ahead... :DD
Why do I not try a cleanup without wiping all media?
No one can be safe if the malware installed some more traps we do not know about.
This can be a backdoor to ease subsequent access, a small piece of code which uses the NAS as a "jumphost" to take over access to clients.
So if your NAS was infected, check your clients too!

Recommendations: do not expose the NAS to the internet without a secure connection (VPN is the outstanding solution)!!! Expose means that the NAS or its services can be reached FROM the internet, not that the NAS is able to connect to the internet for downloading firmware/apps.
Anyhow: I recommend downloading the newer version of firmware and apps to your client PC first and then performing a manually triggered update. This can be done using the GUI, for the firmware in Control Panel, for apps in AppCenter.

Note: for the latest updates (not only QTS 5) a lot of users report that it is the best choice to reboot the NAS twice right after the update, to ensure all services are running without issues!

If after step 9 you find your NAS is not clean, i.e. you find some strange/cryptic code in autorun.sh, a so-called DOM recovery may be mandatory.
But if not done properly, this can brick your NAS!!!
So if you are convinced after step 9 that your NAS is still affected, please request help in the forum or from a local IT professional (costs money).

Do not continue on your own if you are not familiar with what you are doing!!


Regards and good luck
Well I got "bolted" and I don't have a backup (I know I know...) kept delaying and got screwed.
I have a question, I already had the latest firmware (5.0.0.2131) and apps were updated when I received the attack.

4. I'm going to low-level format the disks on a PC

What I'm not understanding very well, please have patience with me.
After step 7 and with the empty disks in the server do I have to go to Control panel, System, and restore factory settings? Or will it go directly to wizard configuration?
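Step 9 of the quoted procedure (check autorun.sh for strange entries), as an added example that is not part of the thread or of QNAP's own tooling. It assumes the caller supplies the path of a copied autorun.sh (where the file lives on the DOM depends on the NAS model), and the two sample files are constructed for the demonstration:

```shell
#!/bin/sh
# Added example for step 9 of the quoted procedure; not code from the thread.
# Reviews a copy of the NAS's autorun.sh: a file that was never edited should
# hold no commands, so every line that is not blank and not a comment is
# reported for manual review. Where autorun.sh lives on the DOM depends on
# the NAS model, so the path is taken as an argument and not assumed here.

# check_autorun FILE
#   exit 0: clean (only blank lines, comments and the shebang)
#   exit 1: executable entries found (printed with line numbers)
#   exit 2: file cannot be read
check_autorun() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "cannot read $f" >&2
        return 2
    fi
    # Keep only lines that could execute: not whitespace-only, not '#...'
    # (the shebang '#!/bin/sh' counts as a comment here). '|| true' keeps
    # 'set -e' callers alive when grep finds nothing.
    hits=$(grep -n -v -E '^[[:space:]]*(#.*)?$' "$f" || true)
    if [ -z "$hits" ]; then
        echo "$f: clean, no executable entries"
        return 0
    fi
    echo "$f: entries to review (line:content):"
    printf '%s\n' "$hits" | sed 's/^/  /'
    return 1
}

# Constructed sample files (not from a real NAS) so the script runs offline:
# one untouched autorun.sh and one with an added start-up command.
make_samples() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# no entries on a fresh system\n\n' > "$d/autorun_clean.sh"
    printf '#!/bin/sh\n# comment\n/tmp/.hidden/run.sh &\n' > "$d/autorun_dirty.sh"
    echo "$d"
}

# Usage: sh check_autorun.sh /path/to/copied/autorun.sh
if [ "$#" -gt 0 ]; then
    check_autorun "$1"
fi
```

Anything the script reports is not automatically malicious (a QPKG you installed yourself may have added a line), but on a freshly set up NAS the expected result is the "clean" message.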
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [HOW TO] Reset your NAS after ransomware

Post by FSC830 »

After step 7 (there is an error in the quote, step 7 is: 7. Insert media, for NVMe devices you need a power off!) there is no Control Panel because there is no login.
The first-install wizard appears immediately.

Regards
netlord
New here
Posts: 8
Joined: Wed Dec 07, 2016 9:27 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by netlord »

FSC830 wrote: Tue Sep 06, 2022 9:33 pm After step 7 (there is an error in the quote, step 7 is: 7. Insert media, for NVMe devices you need a power off!) there is no Control Panel because there is no login.
The first-install wizard appears immediately.

Regards
Great thanks.
I'm assuming this should get rid of deadbolt in the system?
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [HOW TO] Reset your NAS after ransomware

Post by FSC830 »

There is no evidence that Deadbolt (or Qlocker and other malware) remains after such an initialization.
Prepare for not being hacked again: remove port forwardings, do not enable UPnP when asked during installation, don't use myQNAPcloud, don't expose any services to the internet.
Think about a backup strategy!

Regards
netlord
New here
Posts: 8
Joined: Wed Dec 07, 2016 9:27 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by netlord »

FSC830 wrote: Tue Sep 06, 2022 9:55 pm There is no evidence that Deadbolt (or Qlocker and other malware) remains after such an initialization.
Prepare for not being hacked again: remove port forwardings, do not enable UPnP when asked during installation, don't use myQNAPcloud, don't expose any services to the internet.
Think about a backup strategy!

Regards
I will, this is my first NAS, bought it in 2016, so it's been learning by trial and error (16TB of error... :S )
So first thing I'll do is setup the VPN etc etc. I'm going to follow all your recommendations.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [HOW TO] Reset your NAS after ransomware

Post by FSC830 »

In that case I recommend installing the VPN on your router. That's the best choice you can make.
If your router isn't capable of VPN, replace it.

I know that in some countries it is mandatory to use the router delivered by the provider.
If the provider does not offer a newer model/firmware with VPN capabilities, consider running a VPN server on a Raspberry Pi or any other tiny computer. That's the second best choice.

Regards
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [HOW TO] Reset your NAS after ransomware

Post by dosborne »

FSC830 wrote: Tue Sep 06, 2022 11:29 pm I know that in some countries it is mandatory to use the router delivered by the provider.
If the provider does not offer a newer model/firmware with VPN capabilities, consider running a VPN server on a Raspberry Pi or any other tiny computer. That's the second best choice.
Or, double NAT. I've been running my LAN behind my own router for decades. I put the ISP router in front. Not only does it give an extra layer of protection, but when I move, switch providers, etc., my entire internal network is 100% unchanged.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
netlord
New here
Posts: 8
Joined: Wed Dec 07, 2016 9:27 pm

Re: [HOW TO] Reset your NAS after ransomware

Post by netlord »

FSC830 wrote: Tue Sep 06, 2022 11:29 pm In that case I recommend installing the VPN on your router. That's the best choice you can make.
If your router isn't capable of VPN, replace it.

I know that in some countries it is mandatory to use the router delivered by the provider.
If the provider does not offer a newer model/firmware with VPN capabilities, consider running a VPN server on a Raspberry Pi or any other tiny computer. That's the second best choice.

Regards
So VPN with NordVPN on the server itself is a no-no?