[RANSOMWARE] Qlocker

dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Qlocker

Post by dosborne »

dolbyman wrote: Sat Jun 04, 2022 11:15 pm the output looks like the script can't handle ' ... the script would need adapting to unescape file names with apostrophes
That would be the preferred solution :)

An alternative would be to rename the files and remove or replace spaces. All depends on how many files are affected I guess (although you could also write a script to rename the files)
:)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
helloworld2022
New here
Posts: 3
Joined: Fri May 20, 2022 2:44 am

Re: [RANSOMWARE] Qlocker

Post by helloworld2022 »

helloworld2022 wrote: Fri May 20, 2022 4:18 am
dolbyman wrote: Fri May 20, 2022 3:23 am the files can ONLY be recovered to an external location, changing or storing files on the infected volume, is sawing off the branch that you are sitting on
Unfortunately, I use the surveillance app actively on the NAS so the volume is always changing anyway as images get stored. I sense that QRescue is decrypting one file at a time, so reducing the number of files might help in my recovery but it is a guess.
I managed to reduce the files to be recovered, QRescue ran a 2nd time on the reduced number of files with extension 7z and managed to recover more files.
jerryjren
First post
Posts: 1
Joined: Fri Jul 01, 2022 7:03 pm

Re: [RANSOMWARE] Qlocker

Post by jerryjren »

Hi, another victim here. Stupid me, exposed it via WAN.

I have used Qrescue, only managed to recover 30% of the files. Had asked support to share code for Qrescue but was told they can't, not open source.

Good luck guys
subharmonic
New here
Posts: 2
Joined: Sat Jan 16, 2021 3:23 am

Re: [RANSOMWARE] Qlocker

Post by subharmonic »

So I ran Photorec after finding Qlocker on my NAS - but it didn't seem to produce any files - just loads of folders. So I foolishly (whilst in a rush) presumed it hadn't worked. Tried to run it again and this time it doesn't list "recup1" as a possible destination. So I hastily reformatted the destination drive again and now Photorec can't see the destination drive. What do I do now? I've removed and reinstalled Qrescue a couple of times to no avail. Any ideas what to do?
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

I have just discovered I was infected with Qlocker in August, as the date the files were locked, and the date of the !!!README was 17-August. All the encrypted files were in a single folder. No files in other folders encrypted. I installed, and ran the QNAP Malware Remover. It did not find anything. So my question is, is QLOCKER still lurking on the NAS, or is it gone, and the only thing I need to worry about is those encrypted files?

Also, I tried to follow the QNAP procedure to recover the files, but I get stuck on formatting the external drive. It does not seem to allow me to rename the drive to "rescue"... or any way to change the label.
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

A once-compromised system should not be trusted anymore... when you have restored your files... kill it and start from scratch

-NEVER expose your NAS to WAN
-ALWAYS have external backups
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

Is the ransomware hiding on one (or both) of the hard disks? or is it hiding in the QNAP RAM? In other words, would new hard drives, in the old QNAP guarantee I fixed the problem? Or a new NAS, and insert my old hard drives?
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

The QNAP OS is on the disks, you need to format the disks

see here
viewtopic.php?f=45&t=164887
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

Only about 20 files, all in one folder, are encrypted. The other 99.999% of the files appear fine. If I copied all the files into a different hard drive on my Windows PC, will that also copy the malware? Or can I do that, wipe the infected disks, then copy the data back? Or copy the data to brand new disks?

My QNAP 212P I think is 8-10 years old, and was thinking of updating in the next year, even before this problem. If the malware is specific to QNAP, can I take my disks, and simply put them in a new Synology NAS and not have a problem?
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

The files do not get infected, it's the system that is.

External backups should be done in any case (as mentioned above) so when you do a backup .. make this a regular practice

If you stick the 212P disks in a Syno NAS, they will be erased anyways, so the infection (and files) will not survive
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

Please forgive my (seemingly) repetitive questions. While you may be a Guru, I am the reciprocal of that. So to be clear, when I copied the files from my infected QNAP, into an internal hard drive on my PC, those files are all "clean" ... i.e. no risk that I have copied the malware also? The 99.99% of the files that are not encrypted are safe to use as is?

And the basic QNAP firmware update was not good enough to clean out the malware?

My QNAP 212P works fine, though transfer speeds seem slow. Not sure if that is the QNAP, the hard disks, or my network. As both disks (not NAS specific) and QNAP are 8+ years old, was thinking about upgrading disks or NAS, or possibly both. Is a Synology TS220+ a noticeable improvement? Is replacing the disks themselves more important?
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

As said, these malware programs do not infect the files, they get spread by/to web exposed systems, so all files have no virus payload or should be changed in any way (besides the changes done to the encrypted files)

If you have a Virus in your computer, would a windows update help to get rid of it?

I don't know the Syno 220, I never had a Syno device. I DO have an old 419p+ Kirkwood x19 (same processor and speed as your TS212p) and it still works fine (purchased in 2010). So I don't know if and how happy you would be with it.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Qlocker

Post by P3R »

arf1410 wrote: Tue Nov 29, 2022 1:04 am My QNAP 212P works fine, though transfer speeds seem slow. Not sure if that is the QNAP, the hard disks, or my network. As both disks (not NAS specific) and QNAP are 8+ years old, was thinking about upgrading disks or NAS, or possibly both. Is a Synology TS220+ a noticeable improvement?
A Syno DS220+ has the same CPU (Intel Celeron J4125) as a Qnap TS-251D and I would expect that to perform noticeably better than an old TS-212P. That's in addition to having many more features, still receiving new current software releases and of course being fully supported.

A TS-251D costs less (at least in my market) than DS220+. Other advantages for the Qnap are that it supports more RAM (8GB vs 6GB) and that it has a PCIe Gen 2 x4 slot.
Is replacing the disks themselves more important?
Yes, buying replacements for 8-9 year old disks is more important than a new NAS if you need to choose between them. While new disks themselves will be faster than the old, you may not notice the difference in the TS-212P as the NAS is the main performance bottleneck.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

P3R wrote: Tue Nov 29, 2022 4:33 am
A TS-251D costs less (at least in my market) than DS220+. Other advantages for the Qnap are that it supports more RAM (8GB vs 6GB) and that it has a PCIe Gen 2 x4 slot.
In my market (USA), the DS220+ is about $100 less than the QNAP 251D. Synology seems to get a bit better reviews... and to be honest, I am a bit annoyed with QNAP after this mess, though fortunately, my losses seem minor. All I really use my NAS for is common file storage between multiple computers in my house, and backup, so not sure that expandability or fancy features are that much benefit to me. What's important are reliability, simplicity, and ideally better transfer speeds than I get now. However, it's possible the speed is a function of my network cabling?

Sort of related question... though data recovery may not be critical, I am attempting to follow the QNAP instructions. I get stuck on the fact that I cannot figure out how to rename my spare external hard drive to "rescue". Unlike the screenshots QNAP provides, that is not an option for me! And when I pull up the external drive properties, I can select the label, but not change it... and therefore, the process does not work.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Qlocker

Post by P3R »

arf1410 wrote: Tue Nov 29, 2022 5:07 am In my market (USA), the DS220+ is about $100 less than the QNAP 251D.
Wow! Amazing that it can be so different between markets but then the Syno sounds like a much better deal for you.
I get stuck on the fact that I cannot figure out how to rename my spare external hard drive to "rescue". Unlike the screenshots QNAP provides, that is not an option for me! And when I pull up the external drive properties, I can select the label, but not change it... and therefore, the process does not work.
I don't remember when and where labels were introduced but then it was probably after December 2017 when the TS-212P froze in time feature-wise.