[RANSOMWARE] Qlocker
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
What is the issue with hbs?
Do not forward any ports to your NAS and HBS is (and was) fine
-
- Starting out
- Posts: 19
- Joined: Sun Mar 07, 2021 12:22 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I understand the ransomware used an exploit in HBS, didn't it?
https://www.bleepingcomputer.com/news/s ... r-account/
-
- Easy as a breeze
- Posts: 413
- Joined: Sun Oct 20, 2013 11:45 pm
- Location: Premnitz, Germany
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
That's correct, but this exploit needs an open port from your public IP ("outside" your router) to the QNAP. If no port forwarding is active, it was and is safe to use HBS3.
NAS (production): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
NAS (backup): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
QTS (SSD): [RAID-1] 2 x 2TB Samsung Evo 860 M.2-Sata
Data (QTier): [RAID-6] 4 x 4TB Samsung 870 QVO Sata
Data (HDD): [RAID-6] 7 x 18TB Exos
RAM: 8 GB (QNAP shipped)
UPS: CyberPower CP900EPFCLCD
BACKUP: 10x4TB WD Red using a USB 3.0 Dock
Usage: SMB with rclone (encrypted)
NAS: TS-873U-RP FW: QTS 5.1.4.2596 build 20231128
Data (SSD): [RAID-10] 4 x 1TB Samsung Evo 860 Sata
RAM: 8 GB (QNAP shipped)
UPS: CyberPower PR2200ELCDRT2U
BACKUP: 4TB Synology DS214 FW: DSM 7.0.41890
Usage: SMB, Backup Domain Controller
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Yes, but without port forwards there is no way to reach your NAS to exploit it, hence my advice.
-
- Starting out
- Posts: 19
- Joined: Sun Mar 07, 2021 12:22 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
OK, I see. I don't think I have any port forwarding enabled; if I do, I will turn it off.
I followed the suggestions in this QNAP article.
https://www.qnap.com/en/how-to/faq/arti ... s-security
Otherwise, what might I need port forwarding for?
What services or use cases benefit from it?
I wanted to look into the guides to set up a VPN server so I can connect to my QNAP NAS from elsewhere, but I haven't had the energy to look into it yet.
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Port forwards are used to reach your NAS from the WAN. Most people use them for file sharing, video sharing, and for devices advertised as a "private cloud".
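The advice in the posts above boils down to one check: is any port on your public IP forwarded to the NAS? The script below is an added example (not code from the thread, from QNAP, or from HBS) that probes a public IP for the ports a stock QTS install commonly listens on. The port list is an assumption about a default configuration, and 203.0.113.10 is a placeholder address; replace both with your own. It has to be run from outside your LAN (a phone on mobile data, a VPS), because from inside you would reach the NAS directly or via hairpin NAT and learn nothing about the router's port forwards or UPnP mappings.

```python
"""Check whether a NAS is reachable from the Internet on its usual service ports.

Added example, not from the forum thread or from QNAP. Run it from OUTSIDE your
LAN against your public IP. Any port reported as reachable is a port forward (or
UPnP mapping) that exposes the NAS to the attacks discussed in the thread; the fix
is to remove that forward at the router and reach the NAS over a VPN instead.
"""
import socket
from typing import Dict, Iterable, List

# Ports a stock QTS install commonly listens on. These are assumptions about a
# default configuration; extend the dict with whatever services you have enabled.
QNAP_SERVICE_PORTS: Dict[int, str] = {
    8080: "QTS web administration (HTTP)",
    443: "QTS web administration (HTTPS)",
    22: "SSH",
    21: "FTP",
    445: "SMB",
    873: "rsync (used by HBS remote backup)",
}


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means something is listening and reachable; it does
    not tell you which service answered, so follow up manually before assuming
    the port is harmless.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def exposure_report(host: str,
                    ports: Iterable[int] = QNAP_SERVICE_PORTS) -> Dict[int, bool]:
    """Probe each port once and map port -> reachable."""
    return {port: tcp_port_open(host, port) for port in ports}


def exposed_ports(report: Dict[int, bool]) -> List[int]:
    """Sorted list of ports that answered; an empty list is the desired result."""
    return sorted(port for port, reachable in report.items() if reachable)


def describe(report: Dict[int, bool]) -> str:
    """Human-readable summary, naming the service for each reachable port."""
    hit = exposed_ports(report)
    if not hit:
        return "No probed port is reachable: no port forward to the NAS was found."
    lines = ["Reachable from the Internet (remove these port forwards):"]
    for port in hit:
        lines.append(f"  {port}/tcp  {QNAP_SERVICE_PORTS.get(port, 'unknown service')}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Placeholder public IP (documentation range); pass your own as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(describe(exposure_report(target)))
```

A closed port shows up as not reachable whether the router drops or rejects it, so a clean report proves nothing about the NAS itself, only that the router is not passing these ports through. Remember to re-run it after firmware updates or after enabling myQNAPcloud-style features that can add UPnP mappings on your behalf.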
-
- First post
- Posts: 1
- Joined: Sun Jun 20, 2021 4:34 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi Guys,
Another victim here...
I was trying to use QRescue to recover my files, but QRescue now doesn't open. It shows an error:
Page not found or the web server is currently unavailable. Please contact the website administrator for help.
The first time I installed it, it was working, but now it shows the error. I even tried to reinstall without success.
Does anyone know what might be the cause?
-
- Easy as a breeze
- Posts: 413
- Joined: Sun Oct 20, 2013 11:45 pm
- Location: Premnitz, Germany
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
QNAP Support might be able to help out here; have you created a ticket?
-
- New here
- Posts: 2
- Joined: Fri Jul 16, 2010 3:42 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
It seems they're accepting ransom again? I had to disable the script blocker of Tor Browser on the page where you have to enter your code, and then it moved to the payment page. Price went up to 0.05 BTC though... Can't pay that. Maybe QNAP can compensate by paying it for me?
-
- First post
- Posts: 1
- Joined: Thu Sep 12, 2019 1:51 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
zeverken wrote: ↑Wed Jun 23, 2021 5:22 pm It seems they're accepting ransom again? I had to disable the script blocker of Tor Browser on the page where you have to enter your code, and then it moved to the payment page. Price went up to 0.05 BTC though... Can't pay that. Maybe QNAP can compensate by paying it for me?
Hi, are they still accepting ransom now? And may I know how we could disable the script blocker in Tor Browser? Thanks!
-
- New here
- Posts: 3
- Joined: Fri Nov 01, 2019 7:10 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Here is an update on the efforts of the firm https://monstercloud.com/ to try unlocking the files.
We set up the 2 NAS devices that have QLocker on the client's files in a separate network, no anti-virus enabled and TeamViewer access. After a WEEK of trying, the firm's expert and his team were unable to unlock the files. They did refund all of the $20,000.00 as stated in their agreement to the client and they, in turn, returned it to the insurance company.
We are reaching out to any and all that may have found a way to unlock the files, and as of yet no success.
HINDSIGHT:
Since we had the attack very early in the cycle of this, we found the Bleeping Computer post someone had posted and immediately tried it on one of the QNAP NASes. Without any support from QNAP we did as instructed, BUT we failed to know this: when the NAS was accessed via Qfinder it said an updated firmware was available.
FIRST BIG MISTAKE: Since the client did not keep up with at least 3 new updates, we immediately updated to the latest firmware to stop any further attacks.
SECOND BIG MISTAKE: What does a new firmware do as part of its update: RESTART.
We have waited for any further information, guides or otherwise and currently have 4 hard drives full of data all locked with the QLocker.
Let us know if anyone has any clues to unlocking these files.
Thank you.
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
livelynet wrote: ↑Sun Jul 04, 2021 9:07 pm Here is an update on the efforts of the firm https://monstercloud.com/ to try unlocking the files.
Interesting, but not surprising. So not only did you or your clients fall victim to ransomware, but to make matters worse you or your clients fell prey to snake oil merchants. You were lucky to be refunded. Did the firm charge a non-refundable assessment fee?
livelynet wrote: We are reaching out to any and all that may have found a way to unlock the files and as of yet no success.
If you had done a little research you would know very well by now that there is no way to decrypt the files and that the so-called ransomware recovery firms are scams.
This post on the Bleeping Computer forum sums it up:
In regards to data recovery services specifically, they typically act as a "middleman", pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Other data recovery services hide the actual ransom cost from clients and/or mark the cost up exponentially as noted here. Some data recovery services operate more like scammers while others like Fast Data Recovery have even been reported to make false claims to be able to decrypt data by ransomware which is not decryptable and charge an assessment fee. Experts have identified Proven Data, Red Mosquito, MonsterCloud, Dr. Shifro and Fast Data Recovery as some of the most dishonest and predatory data recovery services.
It's not possible to unlock the encrypted files, without the encryption key held by the cybercrooks. NO WAY.
If the storage volumes containing the encrypted files are still in the state they were shortly after the ransomware attack, and have not been moved or modified in any way since then, you can attempt to recover (some of) the original files that were deleted as a result of the encryption process. The procedure is implemented by QNAP and they can help you perform it. Go to https://service.qnap.com and click on the link 'Qlocker Data Recovery Service (QDRS)' displayed near the top of the page under the 'Latest News' heading.
Last edited by Mousetick on Sun Jul 04, 2021 10:40 pm, edited 1 time in total.
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
20k is also a great interest-free short-term loan... great business model *sarcasm*
-
- Starting out
- Posts: 21
- Joined: Sat Jul 20, 2013 8:09 am
Re: [RANSOMWARE] 4/20/2021 - new virus ?
jaysona wrote: ↑Wed Apr 21, 2021 11:41 pm Many (if not most) people seem to forget that the HelpDesk app was used as a vector in the past, and QNAP very quietly plugged that hole; it could be another one was found again.
About a year ago, I had a fresh QTS install on a TS-853 Pro get compromised overnight. I have no port forwards on the particular LAN segment (I have four different ISP connections) I use for new machine builds, and the LAN segment only had the TS-853 Pro and a LiveCD laptop connected to it. The only QTS app the QNAP had was the HelpDesk; it was getting close to 4am, and I decided to pause the NAS build (it is now my seedbox) until the next day. When I picked up and continued the build, I noticed that the network activity was completely out of whack for what should be happening. The NAS had malware, and the only vector I can think of is HelpDesk, and I know that (at the time) the HelpDesk app (as well as others) does make outbound calls.
In any case, I always presume that QTS and its associated apps are just about as insecure as they possibly can be, and manage the NAS accordingly.
I don't know why it won't let me PM you, so I'll ask here since you seem extremely knowledgeable and trustworthy when it comes to your personal choices... So my question is, how are you liking the Asustors in your sig? I've been finger-on-trigger for almost 3 months now but haven't had the scale tipped for me just yet by way of review or recommendation... the security issues SHOULD be what tipped the scale, but they're more a catalyst since I'm not desperate for a new unit, more so just wanting an excuse for a new toy (and new brand relationship).
Would love to hear your thoughts on those units, and sorry for asking in this thread, but I couldn't figure out any other way to communicate with you privately!
-
- Getting the hang of things
- Posts: 63
- Joined: Sun May 01, 2016 9:20 am
- Location: New Jersey, USA
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
roastedbagel, the PM system is disabled here.
TS-431X2 QTS 4.4.3.1439 - Static Vol 4 x 8TB Hdd Raid 5 Using 10GBE
TS-431P2 QTS 4.4.3.1439 - Static Vol 4 x 8TB Hdd Raid 5
TVS-1282T QTS 4.5.4.2012- Static Vol 8 x 16TB Hdd Raid 6, Static Vol 4 X 8TB SSD Raid 5 Using 10GBE