[RANSOMWARE] Qlocker
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Qlocker
Yes disk labels are not supported on old non HAL CAT1 devices
Another thread with this topic
viewtopic.php?t=166073&p=816536
-
- Starting out
- Posts: 13
- Joined: Thu Dec 04, 2014 1:25 am
Re: [RANSOMWARE] Qlocker
Had a call with QNAP... and got some information.
/1/ The recovery tool does not decrypt anything... it simply looks through your trashcan for old versions of things
/2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time. Thus the time stamp on all encrypted files is similar. Therefore, it is completely safe to use my QNAP as is, with current hard drives, though they recommend updating my NAS to a newer one, as mine is legacy (2014) and no firmware updates with better security.
- OneCD
- Guru
- Posts: 12155
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Qlocker
arf1410 wrote: ↑Tue Nov 29, 2022 9:09 am /2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time. Thus the time stamp on all encrypted files is similar. Therefore, it is completely safe to use my QNAP as is, with current hard drives, though they recommend updating my NAS to a newer one, as mine is legacy (2014) and no firmware updates with better security.
I'd like to know exactly how and why QNAP think this malware (that clearly has enough access to rewrite shared files) is completely incapable of writing elsewhere in the OS, including into persistent locations.
I accept: given the type of malware it is, it doesn't need to make itself locally persistent, but it's not possible to be absolutely certain of this without examining the malware source-code.
The safest way (as with any malware infection) is to burn it with fire, and start again.
-
- Starting out
- Posts: 13
- Joined: Thu Dec 04, 2014 1:25 am
Re: [RANSOMWARE] Qlocker
OneCD wrote: ↑Tue Nov 29, 2022 9:44 am
arf1410 wrote: ↑Tue Nov 29, 2022 9:09 am /2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time. Thus the time stamp on all encrypted files is similar. Therefore, it is completely safe to use my QNAP as is, with current hard drives, though they recommend updating my NAS to a newer one, as mine is legacy (2014) and no firmware updates with better security.
I'd like to know exactly how and why QNAP think this malware (that clearly has enough access to rewrite shared files) is completely incapable of writing elsewhere in the OS, including into persistent locations.
I accept: given the type of malware it is, it doesn't need to make itself locally persistent, but it's not possible to be absolutely certain of this without examining the malware source-code.
The safest way (as with any malware infection) is to burn it with fire, and start again.
Well, it only encrypted a small % of my files, during a few hour window on one day in mid August. If it resided on the QNAP somewhere, why did it stop? and why didn't it do more at some later time / date?
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] Qlocker
Qnap up until January 2022 strongly recommended users to expose their systems on the internet despite thousands of their users already being victims of major break-ins for at that time well over 2 years. Qnap have had so many disastrous security vulnerabilities in their software that it's impossible to keep track.
So Qnap have historically given very bad and insecure advice and obviously they've not been best in class at writing secure software. I don't understand why ransomware victims, despite that track record, still have blind trust in Qnap security advice.
Meanwhile several experienced forum participants here, incidentally the same people that now recommend clearing a compromised system completely, have for years recommended against the Qnap advice of internet exposure because they considered it insecure and expected that the inadequate Qnap security would eventually lead to disaster for Qnap customers...
"Well, it only encrypted a small % of my files, during a few hour window on one day in mid August. If it resided on the QNAP somewhere, why did it stop? and why didn't it do more at some later time / date?"
Both you and Qnap talk specifically only about the QLocker code itself and totally ignore the possibility of these criminals also planting a dormant backdoor for future use in the system so that they could attack it at a later time, even if the user has been wise enough to not have it directly reachable from the internet any more.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Starting out
- Posts: 13
- Joined: Thu Dec 04, 2014 1:25 am
Re: [RANSOMWARE] Qlocker
For this reason, I just ordered a Synology 220+, for $239 USD... though not sure any vendor is truly at zero risk of attack. Based on my limited understanding, this ransomware specifically targeted some vulnerability with the QNAP (access, operating system, etc), there is really no risk of me copying it onto the new NAS, and infecting things there also, is there?
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
-
- Starting out
- Posts: 13
- Joined: Thu Dec 04, 2014 1:25 am
Re: [RANSOMWARE] Qlocker
I know one way to isolate it from the WAN is to simply hardwire it to a single computer. However that defeats the purpose of having a NAS. It needs to be on my home network, so it can be accessed wired from the 2 PCs, or wirelessly, from a laptop.
Will there be a simple box to check to not allow access from the WWW? I asked that question to QNAP support, and they didn't give me a simple answer.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Qlocker
All these infections are happening from the NAS exposed to WAN, so there are ports forwarded from WAN to the NAS, that is not the same as your NAS reaching out TO WAN (via the gateway e.g. router)
If you want you can also completely isolate the device, many routers (even consumer ones) have a setting to isolate clients from accessing WAN, so even if that device is connected on your general network, it will not be able to reach WAN (you will have to disable online check on the QNAP to not have it complain about the lack of a connection)
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] Qlocker
Since there are several ways to expose the system and we don't know which one you've used, no there isn't one "simple box to check".
If you follow this list, I'm pretty sure that it would stop the exposure:
- Stop using the DMZ feature in the router/firewall for the Qnap if you've been doing that.
- Remove any manual port forwarding in the router/firewall that points to the Qnap if you have done that.
- In the myQNAPcloud app in the web administration, disable Auto Router Configuration (a.k.a. UPnP port forwarding), disable myDDNS and myQNAPcloud Link.
- If possible, disable UPnP port forwarding in your router/firewall as well.
- Reboot the router/firewall.
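A way to verify the UPnP items in the checklist above, as an added example that is not part of the forum post or any QNAP tool: the function reads the mapping list printed by miniupnpc's `upnpc -l` and reports any port forwarded to the NAS. The NAS address, the `USE_ROUTER` switch and the sample listing are assumptions constructed for illustration, as is the exact column layout of the listing.

```shell
#!/bin/sh
# Added example: find UPnP port mappings that forward WAN traffic to the NAS.
# Input is the text printed by `upnpc -l` (miniupnpc). Assumed mapping-line
# layout:  <idx> <PROTO> <extPort>-><lanIP>:<lanPort> '<desc>' '<rhost>' <lease>

NAS_IP="${NAS_IP:-192.168.1.50}"   # assumption: the NAS's LAN address

# nas_mappings <nas_ip>: read a listing on stdin and print
# "PROTO extPort lanPort" for each mapping whose target is exactly the NAS.
nas_mappings() {
    awk -v nas="$1" '
        $2 ~ /^(TCP|UDP)$/ && $3 ~ /->/ {
            split($3, a, "->")            # a[1]=extPort, a[2]=lanIP:lanPort
            n = split(a[2], b, ":")
            # Exact comparison, so 192.168.1.5 never matches 192.168.1.50.
            if (n == 2 && b[1] == nas) print $2, a[1], b[2]
        }'
}

# count_nas_mappings <nas_ip>: number of such mappings (0 = none found).
count_nas_mappings() {
    nas_mappings "$1" | wc -l | tr -d ' '
}

# Constructed sample listing (not captured from a real router).
sample_listing() {
    cat <<'EOF'
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'constructed NAS web' '' 0
 1 UDP 51820->192.168.1.20:51820 'constructed other host' '' 0
 2 TCP   443->192.168.1.50:443   'constructed NAS https' '' 0
 3 TCP  2222->192.168.1.5:22     'constructed ssh' '' 0
EOF
}

# Set USE_ROUTER=1 to query the real router; otherwise use the sample.
if [ "${USE_ROUTER:-0}" = 1 ] && command -v upnpc >/dev/null 2>&1; then
    upnpc -l | nas_mappings "$NAS_IP"
else
    sample_listing | nas_mappings "$NAS_IP"
fi
```

An empty result only covers UPnP-created mappings; manual port forwards and a DMZ entry are configured in the router itself and still have to be checked there.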
-
- First post
- Posts: 1
- Joined: Thu Jan 12, 2023 10:11 pm
Re: [RANSOMWARE] Qlocker
Hi all,
Been dealing with the deadbolt, didn't realize qlocker infected me as well, major klutz here!
I went to the .onion site and it's not working, does that mean they are closed for business?
I haven't tried all the scripts yet and recovery, however QNAP told me it's probably not going to do anything as other stuff was written on your nas.
-
- Getting the hang of things
- Posts: 62
- Joined: Mon Jan 14, 2019 9:46 pm
Re: [RANSOMWARE] Qlocker
Hi,
Sorry to hear about your infection with ransomware. Just wondering what firmware version your machine was set to. With implementation of backups and not exposing your machine to the internet, I am wondering if QNAP is making any progress against ransomware with recent firmware updates.
Thanks,
Rich
alama7 wrote: ↑Thu Jan 12, 2023 10:14 pm Hi all,
Been dealing with the deadbolt, didn't realize qlocker infected me as well, major klutz here!
I went to the .onion site and it's not working, does that mean they are closed for business?
I haven't tried all the scripts yet and recovery, however QNAP told me it's probably not going to do anything as other stuff was written on your nas.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Qlocker
with QNAP (in particular) after the exploit, is before the exploit
so don't worry about QNAP fixing anything..just never ever expose the NAS
-
- Getting the hang of things
- Posts: 62
- Joined: Mon Jan 14, 2019 9:46 pm
Re: [RANSOMWARE] Qlocker
I anticipated this pathetic response and so added the phrase "With implementation of backups and not exposing your machine to the internet" to my post to avoid these kinds of posts. You have posted this response so many times, likely over a hundred times. Anyways, I just want to know which recent firmware versions have been infected with ransomware, regardless if the nas was exposed to the internet. If you are unable to answer the question as listed, please refrain from your usual response.
- OneCD
- Guru
- Posts: 12155
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Qlocker
And it's been relevant every single time.
NAS not exposed to the Internet do not get ransomwared. That's it. Done.
And that's how to avoid ransomware running on your NAS. It's a solution resulting from reading thousands of posts on this forum and others.
If you think it's safe to expose your NAS, then by all means: please do so.