[RANSOMWARE] Qlocker

dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

Yes, disk labels are not supported on old non-HAL CAT1 devices

Another thread with this topic
viewtopic.php?t=166073&p=816536
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

Had a call with QNAP... and got some information.

/1/ The recovery tool does not decrypt anything... it simply looks through your trashcan for old versions of things

/2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time. Thus the time stamp on all encrypted files is similar. Therefore, it is completely safe to use my QNAP as is, with current hard drives, though they recommend updating my NAS to a newer one, as mine is legacy (2014) and no firmware updates with better security.
OneCD
Guru
Posts: 12155
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Qlocker

Post by OneCD »

arf1410 wrote: Tue Nov 29, 2022 9:09 am /2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time. Thus the time stamp on all encrypted files is similar. Therefore, it is completely safe to use my QNAP as is, with current hard drives, though they recommend updating my NAS to a newer one, as mine is legacy (2014) and no firmware updates with better security.
I'd like to know exactly how and why QNAP think this malware (that clearly has enough access to rewrite shared files) is completely incapable of writing elsewhere in the OS, including into persistent locations. :roll:

I accept: given the type of malware it is, it doesn't need to make itself locally persistent, but it's not possible to be absolutely certain of this without examining the malware source-code.

The safest way (as with any malware infection) is to burn it with fire, and start again.

arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

OneCD wrote: Tue Nov 29, 2022 9:44 am
arf1410 wrote: Tue Nov 29, 2022 9:09 am /2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time. Thus the time stamp on all encrypted files is similar. Therefore, it is completely safe to use my QNAP as is, with current hard drives, though they recommend updating my NAS to a newer one, as mine is legacy (2014) and no firmware updates with better security.
I'd like to know exactly how and why QNAP think this malware (that clearly has enough access to rewrite shared files) is completely incapable of writing elsewhere in the OS, including into persistent locations. :roll:

I accept: given the type of malware it is, it doesn't need to make itself locally persistent, but it's not possible to be absolutely certain of this without examining the malware source-code.

The safest way (as with any malware infection) is to burn it with fire, and start again.
Well, it only encrypted a small % of my files, during a few hour window on one day in mid August. If it resided on the QNAP somewhere, why did it stop? And why didn't it do more at some later time / date?
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Qlocker

Post by P3R »

arf1410 wrote: Tue Nov 29, 2022 9:09 am /2/ qlocker does not reside on your qnap, or operating system, and there is no malware to remove. It acts, from the internet, in real time.
Qnap up until January 2022 strongly recommended users to expose their systems on the internet despite thousands of their users already being victims of major breakins for at that time well over 2 years. Qnap have had so many disastrous security vulnerabilities in their software that it's impossible to keep track.

So Qnap have historically given very bad and insecure advice and obviously they've not been best in class at writing secure software. I don't understand why ransomware victims, despite that track record, still have blind trust in Qnap security advice. :shock:

Meanwhile several experienced forum participants here, incidentally the same people that now recommend clearing a compromised system completely, have for years recommended against the Qnap advice of internet exposure because they considered it insecure and expected that the inadequate Qnap security would eventually lead to disaster for Qnap customers...
Well, it only encrypted a small % of my files, during a few hour window on one day in mid August. If it resided on the QNAP somewhere, why did it stop? And why didn't it do more at some later time / date?
Both you and Qnap talk specifically only about the QLocker code itself and totally ignore the possibility of these criminals also planting a dormant backdoor for future use in the system so that they could attack it at a later time, even if the user has been wise enough to not have it directly reachable from the internet any more.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

P3R wrote: Tue Nov 29, 2022 10:52 am
So Qnap have historically given very bad and insecure advice and obviously they've not been best in class at writing secure software. I don't understand why ransomware victims, despite that track record, still have blind trust in Qnap security advice. :shock:
For this reason, I just ordered a synology 220+, for $239 USD... though not sure any vendor is truly at zero risk of attack. Based on my limited understanding, this ransomware specifically targeted some vulnerability with the QNAP (access, operating system, etc), there is really no risk of me copying it onto the new NAS, and infecting things there also, is there?
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

The fact that the files do not get infected was already mentioned here

THIS ransomware was only for QNAP, deadbolt infected a couple of other manufacturers as well (e.g. Asustor)

So no matter what system you go with, do not expose it to WAN (like you did when you got Qlocker)
arf1410
Starting out
Posts: 13
Joined: Thu Dec 04, 2014 1:25 am

Re: [RANSOMWARE] Qlocker

Post by arf1410 »

dolbyman wrote: Wed Nov 30, 2022 1:05 am
So no matter what system you go with, do not expose it to WAN (like you did when you got Qlocker)
I know one way to isolate it from the WAN is to simply hardwire it to a single computer. However that defeats the purpose of having a NAS. It needs to be on my home network, so it can be accessed wired from the 2 PCs, or wirelessly, from a laptop.

Will there be a simple box to check to not allow access from the WWW? I asked that question to QNAP support, and they didn't give me a simple answer.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

All these infections are happening from the NAS exposed to WAN, so there are ports forwarded from WAN to the NAS; that is not the same as your NAS reaching out TO WAN (via the gateway, e.g. router)

If you want you can also completely isolate the device, many routers (even consumer ones) have a setting to isolate clients from accessing WAN, so even if that device is connected on your general network, it will not be able to reach WAN (you will have to disable online check on the QNAP to not have it complain about the lack of a connection)
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Qlocker

Post by P3R »

arf1410 wrote: Wed Nov 30, 2022 1:36 am Will there be a simple box to check to not allow access from the WWW?
Since there are several ways to expose the system and we don't know which one you've used, no there isn't one "simple box to check".

If you follow this list, I'm pretty sure that it would stop the exposure:
  1. Stop using the DMZ feature in the router/firewall for the Qnap if you've been doing that.
  2. Remove any manual port forwarding in the router/firewall that points to the Qnap if you have done that.
  3. In the myQNAPcloud app in the web administration, disable Auto Router Configuration (a.k.a. UPnP port forwarding), disable myDDNS and myQNAPcloud Link.
  4. If possible, disable UPnP port forwarding in your router/firewall as well.
  5. Reboot the router/firewall.
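A way to check the result of the list in the post above, as an added example that is not part of the original post and not a QNAP or router tool: it gathers the three exposure paths the list names (DMZ host, manual port forwards, UPnP mappings) and reports every one that still points at the NAS. The NAS address, the forward table and the UPnP listing are constructed sample data; the listing format is assumed to follow what `upnpc -l` from miniupnpc prints.

```python
import re

# Constructed sample data (assumptions, not taken from any real router).
NAS_IP = "192.168.1.50"
DMZ_HOST = None                                           # router DMZ setting
MANUAL_FORWARDS = [("TCP", 8081, "192.168.1.50", 8080)]   # router port-forward table
UPNP_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'QNAP NAS' '' 0
 1 TCP   443->192.168.1.50:443   'QNAP NAS' '' 0
 2 UDP 51413->192.168.1.23:51413 'bittorrent' '' 3600
"""

# One mapping line: index, protocol, external port, internal address:port, description.
LINE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)\s+'([^']*)'"
)

def parse_upnp(text):
    """Return (proto, ext_port, int_ip, int_port, description) per mapping line."""
    mappings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # the header line and blank lines do not match and are skipped
            proto, ext, ip, inner, desc = m.groups()
            mappings.append((proto, int(ext), ip, int(inner), desc))
    return mappings

def audit(nas_ip, upnp_text, manual_forwards=(), dmz_host=None):
    """List every remaining WAN -> NAS path as (source, wan_port, detail)."""
    findings = []
    if dmz_host == nas_ip:  # step 1: DMZ sends all unsolicited inbound traffic to the NAS
        findings.append(("dmz", "ALL", "every inbound port reaches the NAS"))
    for proto, ext, ip, inner in manual_forwards:  # step 2: manual forwards
        if ip == nas_ip:
            findings.append(("manual", f"{proto}/{ext}", f"forwarded to port {inner}"))
    for proto, ext, ip, inner, desc in parse_upnp(upnp_text):  # steps 3 and 4: UPnP
        if ip == nas_ip:
            findings.append(("upnp", f"{proto}/{ext}", f"forwarded to port {inner} ({desc})"))
    return findings

if __name__ == "__main__":
    results = audit(NAS_IP, UPNP_LISTING, MANUAL_FORWARDS, DMZ_HOST)
    for source, port, detail in results:
        print(f"[{source}] WAN {port}: {detail}")
    print("NAS still exposed" if results else "no WAN -> NAS path found")
```

An empty result after the router reboot means none of the three paths still leads to the NAS; outbound connections from the NAS through the router are a separate matter and are not covered by this check.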
alama7
First post
Posts: 1
Joined: Thu Jan 12, 2023 10:11 pm

Re: [RANSOMWARE] Qlocker

Post by alama7 »

Hi all,

Been dealing with the deadbolt, didn't realize qlocker infected me as well, major klutz here!

I went to the .onion site and it's not working, does that mean they are closed for business?

I haven't tried all the scripts yet and recovery, however QNAP told me it's probably not going to do anything as other stuff was written on your nas.
phonitor
Getting the hang of things
Posts: 62
Joined: Mon Jan 14, 2019 9:46 pm

Re: [RANSOMWARE] Qlocker

Post by phonitor »

Hi,
Sorry to hear about your infection with ransomware. Just wondering what firmware version your machine was set to. With implementation of backups and not exposing your machine to the internet, I am wondering if QNAP is making any progress against ransomware with recent firmware updates.
Thanks,
Rich
alama7 wrote: Thu Jan 12, 2023 10:14 pm Hi all,

Been dealing with the deadbolt, didn't realize qlocker infected me as well, major klutz here!

I went to the .onion site and it's not working, does that mean they are closed for business?

I haven't tried all the scripts yet and recovery, however QNAP told me it's probably not going to do anything as other stuff was written on your nas.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Qlocker

Post by dolbyman »

with QNAP (in particular) after the exploit, is before the exploit

so don't worry about QNAP fixing anything..just never ever expose the NAS
phonitor
Getting the hang of things
Posts: 62
Joined: Mon Jan 14, 2019 9:46 pm

Re: [RANSOMWARE] Qlocker

Post by phonitor »

I anticipated this pathetic response and so added the phrase "With implementation of backups and not exposing your machine to the internet" to my post to avoid these kind of posts. You have posted this response so many times, likely over a hundred times. Anyways, I just want to know which recent firmware versions have been infected with ransomware, regardless if the nas was exposed to the internet. If you are unable to answer the question as listed, please refrain from your usual response.
OneCD
Guru
Posts: 12155
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Qlocker

Post by OneCD »

phonitor wrote: Mon Feb 20, 2023 12:23 pm You have posted this response so many times, likely over a hundred times.
And it's been relevant every single time.
phonitor wrote: Mon Feb 20, 2023 12:23 pm Anyways, I just want to know which recent firmware versions have been infected with ransomware, regardless if the nas was exposed to the internet.
NAS not exposed to the Internet do not get ransomwared. That's it. Done.

And that's how to avoid ransomware running on your NAS. It's a solution resulting from reading thousands of posts on this forum and others.

If you think it's safe to expose your NAS, then by all means: please do so.