[RANSOMWARE] Qlocker
-
- Easy as a breeze
- Posts: 271
- Joined: Mon Mar 13, 2017 3:33 pm
- Location: Sydney Oz
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Just checked: the ransom for me is $755 in Australian dollars. No, I didn't pay it.
Where does one go to see if any geniuses are trying to crack the Qlocker password code? Is there a thread on Beep or some other place? Who knows, they may crack it sooner than later. Any time is better than not at all.
Last edited by ozstar on Sat May 08, 2021 8:08 am, edited 1 time in total.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
- dolbyman
- Guru
- Posts: 35215
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Unless the key server gets captured... doubt there is anything to "crack".
Most systems have pretty solid random generators...
-
- Easy as a breeze
- Posts: 271
- Joined: Mon Mar 13, 2017 3:33 pm
- Location: Sydney Oz
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Thanks dolbyman. Yes, sadly you are correct. But one must have hope, no matter how small it may be.
For those who are interested..
I had success with PhotoRec but there was no folder structure or filenames, just numbers. It's a great program but I want names if I can.
EaseUS grouped files in many ways: file extensions, cameras, many image extensions (psd, jpg, png etc.), also some file names such as MP3s and some PDFs. I found this the better of the bunch I tried. At least some structure to piece them all together.
Stellar found them all, however very few were named and it was not as clear-cut as EaseUS.
GetBackData could not get from the Linux drive even when connected by USB to a PC.
NasRecoveryData: just numbered files.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
-
- Getting the hang of things
- Posts: 53
- Joined: Fri Jun 30, 2017 3:24 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi from Perth. That AUD ransom is brutal mate... I sympathise.
ozstar wrote: ... I want names if I can.
When these recovery programs scrape up image files, is the EXIF data no longer embedded?
Best of success recovering, Steve
-
- Easy as a breeze
- Posts: 271
- Joined: Mon Mar 13, 2017 3:33 pm
- Location: Sydney Oz
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Thank you Steve.
Did you get caught?
It's a messy task trying to piece it all together!
These are the recovered deleted files that were previously 7z'd.
At least the files that they 7z'd still have the names and the correct file size, although nothing else.
With Duplicate Photo Cleaner hopefully I will be able to compare the files with ones I have scattered around on various drives, then rename them or at least see others of the same time.
Yes, some of the files do have the complete EXIF details, however many don't, although I'm not sure if they did when they got to me anyway.
EaseUS has separated the camera files into camera company folders and they have the info.
Thanks again.
oz
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
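Added example, not part of ozstar's post and not one of the recovery tools named above. Carving tools such as PhotoRec recover the file bytes but not the name, so the APP1/EXIF segment at the start of each JPEG is the only structure left. This Python 3 script (standard library only) walks the JPEG marker list, parses the TIFF directory inside the Exif segment for DateTimeOriginal (tag 0x9003) and builds a rename plan like 2021-04-20_10-30-00.jpg, suffixing bursts that share a second. The make_sample_jpeg() input is constructed for testing, not a recovered file, and the date-format check rejects the garbage a corrupt carved file often carries where the timestamp should be.

```python
"""Rename carved photos by their EXIF DateTimeOriginal (added example, stdlib only).

make_sample_jpeg() builds a constructed test input; the parser itself works on
real JPEGs, reading only the metadata segments before the scan data.
"""
import os
import re
import struct
import sys
from typing import List, Optional, Tuple

DATE_RE = re.compile(r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}$")
TAG_EXIF_IFD, TAG_DATETIME_ORIGINAL = 0x8769, 0x9003


def _read_ifd(t: bytes, e: str, off: int) -> dict:
    """IFD at `off` -> {tag: (type, count, raw 4-byte value/offset field)}."""
    n = struct.unpack(e + "H", t[off:off + 2])[0]
    out = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", t[base:base + 8])
        out[tag] = (typ, cnt, t[base + 8:base + 12])
    return out


def _datetime_from_tiff(t: bytes) -> Optional[str]:
    """DateTimeOriginal from a TIFF blob (IFD0 -> Exif IFD -> tag 0x9003)."""
    e = {b"II": "<", b"MM": ">"}.get(t[:2])          # byte order of the TIFF
    if e is None or struct.unpack(e + "H", t[2:4])[0] != 0x2A:
        return None
    ifd0 = _read_ifd(t, e, struct.unpack(e + "I", t[4:8])[0])
    if TAG_EXIF_IFD not in ifd0:
        return None
    exif = _read_ifd(t, e, struct.unpack(e + "I", ifd0[TAG_EXIF_IFD][2])[0])
    if TAG_DATETIME_ORIGINAL not in exif:
        return None
    typ, cnt, raw = exif[TAG_DATETIME_ORIGINAL]
    if typ != 2:                                       # must be ASCII
        return None
    val = raw[:cnt] if cnt <= 4 else t[struct.unpack(e + "I", raw)[0]:][:cnt]
    s = val.rstrip(b"\x00").decode("ascii", "replace").strip()
    return s if DATE_RE.match(s) else None             # corrupt carved data -> None


def exif_datetime_original(data: bytes) -> Optional[str]:
    """Walk JPEG markers up to the scan data and pull DateTimeOriginal from APP1."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI / SOS: no more metadata
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            try:
                return _datetime_from_tiff(data[pos + 10:pos + 2 + seglen])
            except struct.error:                       # truncated segment
                return None
        pos += 2 + seglen
    return None


def plan_renames(entries: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Map carved names to date-based names; bursts in the same second get _1, _2..."""
    used, plan = set(), []
    for name, dt in entries:
        if not dt:
            continue
        stem, ext = dt.replace(":", "-").replace(" ", "_"), os.path.splitext(name)[1].lower()
        cand, k = stem + ext, 1
        while cand in used:
            cand, k = f"{stem}_{k}{ext}", k + 1
        used.add(cand)
        plan.append((name, cand))
    return plan


def make_sample_jpeg(dt: bytes = b"2021:04:20 10:30:00") -> bytes:
    """Constructed test input: JPEG whose single APP1 segment holds only DateTimeOriginal."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_EXIF_IFD, 4, 1, 26) + struct.pack("<I", 0)
    exif = struct.pack("<H", 1) + struct.pack("<HHII", TAG_DATETIME_ORIGINAL, 2, 20, 44) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 0x2A, 8) + ifd0 + exif + dt.ljust(20, b"\x00")[:20]
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # usage: python exif_rename.py <folder> [--apply]   (without --apply it only previews)
    folder, apply = sys.argv[1], "--apply" in sys.argv
    entries = []
    for n in sorted(os.listdir(folder)):
        if n.lower().endswith((".jpg", ".jpeg")):
            with open(os.path.join(folder, n), "rb") as f:
                entries.append((n, exif_datetime_original(f.read(262144))))
    for old, new in plan_renames(entries):
        print(old, "->", new)
        if apply:
            os.rename(os.path.join(folder, old), os.path.join(folder, new))
```

Run it with a folder argument to preview the plan, then add --apply to rename. Files without a usable EXIF date are left untouched, so they can still go through a duplicate finder afterwards.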
- Erik63
- Starting out
- Posts: 12
- Joined: Mon Nov 05, 2012 2:29 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Qlocker victim here as well. However, solid backups are in place so I will not concede to the ransom. Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates, long passwords, two factor logins and [added] 'non-essential' ports closed.
Just adding this to express my utter disgust with the way Qnap handled and still handles this breach. The lack of communication is appalling and shows their lack of commitment and professionalism.
As the ransom outweighs the cost of a NAS I'll be switching to something else. Anyone considering alternative brands already? Which ones?
Last edited by Erik63 on Mon May 10, 2021 1:43 am, edited 1 time in total.
-
- Know my way around
- Posts: 247
- Joined: Thu Feb 27, 2020 1:38 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Erik63 wrote: ↑Sat May 08, 2021 7:58 pm
Qlocker victim here as well. However, solid backups in place so I will not concede to the ransom. Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates, long passwords, two factor logins and closed ports.
Just adding this to express my utter disgust with the way Qnap handled and still handles this breach. The lack of communication is appalling and shows their lack of commitment and professionalism.
As the ransom outweighs the cost of a NAS I'll be switching to something else. Anyone considering alternative brands already? Which ones?
If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out that you have or had some ports open in your NAS and router allowing it to be seen from the internet.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)
WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
- Erik63
- Starting out
- Posts: 12
- Joined: Mon Nov 05, 2012 2:29 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
That's stating the obvious. What I meant to say was that the way they managed to access the system is quite unsettling, at least to me. Me being careful had no effect at all.
-
- Know my way around
- Posts: 247
- Joined: Thu Feb 27, 2020 1:38 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Not really obvious; the way you stated it, it came across as if even with closed ports one could have been attacked successfully. There is already enough confusion on how to use a NAS and what internet security is.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)
WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Erik63 wrote:
Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates, long passwords, two factor logins and closed ports.
How do you know that all ports were closed?
You don't have to explicitly configure port forwarding on the router for inbound access to be possible.
It's very common for people to be caught out if UPnP is enabled on the router (often is by default) which then allows any device on the LAN to instruct the router to open up inbound access.
In addition to your careful checking of configurations, do an inbound access test with one of the various checking tools, for example Steve Gibson's ShieldsUp! :
https://www.grc.com/x/ne.dll?bh0bkyd2
Initially test 'All service ports' then 'Common ports' then a custom range that includes your QTS admin port - by default 8080.
You might find something that needs attention, such as the QNAPCloud configuration being enabled.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
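Added example, not part of any post above and not a QNAP or GRC tool. The UPnP exposure the post describes can be checked from the LAN side as well as from outside: this Python 3 script (standard library only) multicasts an SSDP M-SEARCH for an InternetGatewayDevice, fetches its description, finds the WANIPConnection:1 control URL and walks GetGenericPortMappingEntry until the router runs out of entries. Every mapping it prints is an inbound hole, whether you forwarded it yourself or a LAN device (a NAS with UPnP enabled, for instance) asked the router for it. The addresses, service names and XML in the test data are assumed or constructed, not taken from the thread.

```python
"""List the port mappings a UPnP-enabled router currently exposes (added example).

Assumes the standard IGD:1 / WANIPConnection:1 profile, which most consumer
routers implement. Run from a LAN host: python upnp_mappings.py
"""
import socket
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"


def parse_ssdp_response(text: str) -> Dict[str, str]:
    """Headers of an SSDP 'HTTP/1.1 200 OK' reply, keys lower-cased."""
    headers = {}
    for line in text.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def find_control_url(device_xml: str, base_url: str) -> Optional[str]:
    """Absolute control URL of the WANIPConnection service in a device description."""
    root = ET.fromstring(device_xml)
    for svc in root.iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType", "") == WANIP_ST:
            return urljoin(base_url, svc.findtext(DEV_NS + "controlURL", ""))
    return None


def soap_request(control_url: str, index: int) -> urllib.request.Request:
    """SOAP call GetGenericPortMappingEntry for mapping number `index`."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_ST}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    ).encode()
    return urllib.request.Request(control_url, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_ST}#GetGenericPortMappingEntry"',
    })


def parse_port_mapping(xml_bytes: bytes) -> Dict[str, str]:
    """Fields of one GetGenericPortMappingEntryResponse, 'New' prefix stripped."""
    root = ET.fromstring(xml_bytes)
    return {el.tag.split("}")[-1][3:]: (el.text or "").strip()
            for el in root.iter() if el.tag.split("}")[-1].startswith("New")}


def discover_igd(timeout: float = 2.0) -> Optional[str]:
    """Multicast an SSDP M-SEARCH; return the first IGD's description URL, if any."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_response(data.decode(errors="replace")).get("location")


def list_mappings(control_url: str, limit: int = 256) -> List[Dict[str, str]]:
    """Walk mapping indexes until the router answers HTTP 500 (UPnP error 713: end)."""
    mappings = []
    for i in range(limit):
        try:
            with urllib.request.urlopen(soap_request(control_url, i), timeout=5) as r:
                mappings.append(parse_port_mapping(r.read()))
        except urllib.error.HTTPError:
            break
    return mappings


def main() -> int:
    location = discover_igd()
    if not location:
        print("no UPnP gateway answered; UPnP is off or not IGD (the outcome you want)")
        return 0
    with urllib.request.urlopen(location, timeout=5) as r:
        control = find_control_url(r.read().decode(errors="replace"), location)
    if not control:
        print("gateway found but no WANIPConnection service in", location)
        return 1
    for m in list_mappings(control):
        print(f"{m.get('Protocol')}/{m.get('ExternalPort')} -> {m.get('InternalClient')}:"
              f"{m.get('InternalPort')}  {m.get('PortMappingDescription')}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

If the list shows 8080 (or 443, 22, 8443) pointing at the NAS, delete the mapping on the router, disable UPnP on both the router and the NAS, and then repeat the ShieldsUp test from outside; the two checks look at the same exposure from opposite ends.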
-
- First post
- Posts: 1
- Joined: Sun May 09, 2021 8:18 pm
Re: [RANSOMWARE] 4/20/2021 - new virus ?
Eternic wrote: ↑Thu Apr 22, 2021 2:18 am
For anyone like me that is in the ** situation of deciding to pay up to get the 7z password, I've done so (luckily I already have a bitcoin wallet with enough) and I'm working through fixing my files now. If you're on Windows and accessing the files through Explorer, the following is a batch script that I want it to be clear is not something I think you should use, and if you do you should back up the folders before running it just in case. If you use this script correctly or incorrectly and have any data loss, please do not blame me. Do not use it if you are going to be this person. If you don't know anything about batch files then don't use it. Also please create some test folders and 7z files and try it there first.
In order for the script to work on a network folder you'll need to map that folder or a parent folder to a drive letter (e.g. Z:). Create a batch file (e.g. FixMyStuff.bat) and place it in the folder you want fixed. It will extract any 7z files in that folder and any child folders and then delete them. You can remove the 3rd line that deletes the 7z files if you choose. The script is:
Code:
dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
for /F "delims=" %%x in (allzips.txt) do del "%%x"
Note that this creates an allzips.txt that the script does not delete. This is what I want. You can add a line to delete allzips.txt at the end or you can rewrite the for loop to just do the (dir /s /b *.7z) internally. Where "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" is, you will insert the password you get from giving the pieces of garbage your hard earned money because you were careless with your security and mistakenly trusted your NAS. You can also add lines to find and delete the !!!READ_ME.txt files, but I'll do that separately afterwards personally. You will also need to change the path to 7z.exe to wherever you have it installed.
Again, please do not use this unless you know what you are doing and take every precaution. I'm only posting it to save people some time in this ** situation and I don't want to make it worse for them if there are any issues with this script. I have not tested it on all my files yet but so far it has worked fine.
EDIT: Also note that if you have legitimate 7z files this will extract and delete them. You can separate the first line into a separate batch file and remove any 7z files you want left untouched from the allzips.txt and then run a second batch file that does the loops. You could probably also write something better that checks file modification times and only extracts files modified after a time you specify relevant to when you were hit.
Hello,
Thanks for your script. I have a server with very important data that is completely encrypted. We paid and received the code to unzip.
The script seems to work but asks me each time to validate the overwrite or rename for each file.
Is it possible to adapt the script, or is there some other solution, so that everything is done at once?
Thank you in advance.
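Added example addressing the overwrite/rename prompt asked about above; it is not Eternic's batch script and not QNAP's tooling. 7-Zip prompts because the file it is about to write already exists (after a partial earlier run, or after a PhotoRec recovery put a copy back); its -y switch answers every prompt with yes and -aoa selects overwrite-all, so an unattended run never stops. The Python 3 script below does the same walk and adds the two safeguards the EDIT above suggests: it extracts only archives modified on or after the attack date you give it, skips any paths you list, and deletes an archive only when 7z exited 0. The 7z.exe path, the QLOCKER_PW environment variable and the sample paths in the test are assumptions.

```python
"""Bulk-extract Qlocker's per-file .7z archives without per-file prompts (added example).

Assumes 7-Zip at SEVEN_ZIP and the password received from the attackers.
usage: python unqlock.py <folder> <YYYY-MM-DD attack date> [--apply]
"""
import os
import subprocess
import sys
import time
from typing import Iterable, List, Tuple

SEVEN_ZIP = r"C:\Program Files\7-Zip\7z.exe"   # assumed install path; adjust
RANSOM_NOTE = "!!!READ_ME.txt"


def select_archives(candidates: Iterable[Tuple[str, float]], cutoff: float,
                    skip: Iterable[str] = ()) -> List[str]:
    """Keep .7z files modified on/after `cutoff` (epoch seconds) and not listed in `skip`.
    Archives older than the attack are legitimate and are left alone."""
    skip_set = {os.path.normcase(p) for p in skip}
    return [path for path, mtime in candidates
            if path.lower().endswith(".7z")
            and mtime >= cutoff
            and os.path.normcase(path) not in skip_set]


def build_extract_cmd(archive: str, password: str, seven_zip: str = SEVEN_ZIP) -> List[str]:
    """7z command line: extract next to the archive, answer yes to everything, overwrite all."""
    out_dir = os.path.dirname(archive) or "."
    return [seven_zip, "e", "-p" + password, "-o" + out_dir, "-y", "-aoa", archive]


def scan(root: str) -> List[Tuple[str, float]]:
    """Every file under root with its modification time."""
    return [(os.path.join(d, n), os.path.getmtime(os.path.join(d, n)))
            for d, _, names in os.walk(root) for n in names]


def extract_all(root: str, password: str, cutoff: float, skip: Iterable[str] = (),
                delete: bool = True, dry_run: bool = False):
    """Extract each selected archive; delete it only if 7z reported success (exit 0)."""
    done, failed = [], []
    for archive in select_archives(scan(root), cutoff, skip):
        cmd = build_extract_cmd(archive, password)
        if dry_run:
            print("would run:", " ".join(cmd[:2] + ["-p***"] + cmd[3:]))
            done.append(archive)
            continue
        res = subprocess.run(cmd, capture_output=True, text=True)
        if res.returncode == 0:
            done.append(archive)
            if delete:
                os.remove(archive)
        else:                                  # wrong password, corrupt archive, disk full...
            failed.append((archive, res.returncode, res.stderr.strip()))
    return done, failed


def remove_ransom_notes(root: str, dry_run: bool = False) -> int:
    """Delete the ransom note dropped in each folder; returns how many were found."""
    found = 0
    for d, _, names in os.walk(root):
        if RANSOM_NOTE in names:
            found += 1
            if not dry_run:
                os.remove(os.path.join(d, RANSOM_NOTE))
    return found


if __name__ == "__main__":
    folder, day = sys.argv[1], sys.argv[2]
    cutoff = time.mktime(time.strptime(day, "%Y-%m-%d"))
    password = os.environ.get("QLOCKER_PW") or input("7z password: ")
    dry = "--apply" not in sys.argv                     # preview unless --apply is given
    ok, bad = extract_all(folder, password, cutoff, dry_run=dry)
    notes = remove_ransom_notes(folder, dry_run=dry)
    print(f"extracted {len(ok)}, failed {len(bad)}, ransom notes {notes}")
    for archive, rc, err in bad:
        print("FAILED", rc, archive, err)
```

Run it once without --apply to see the commands (password masked in the preview), then with --apply. The password is passed on the command line because that is how 7z takes it in batch mode; anyone who can list processes on that PC can read it, so run this on a machine you control and unset QLOCKER_PW afterwards.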
-
- Getting the hang of things
- Posts: 53
- Joined: Fri Jun 30, 2017 3:24 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
ozstar wrote:
Thank you Steve.
Did you get caught?
It's a messy task trying to piece it all together!
These are the recovered deleted files that were previously 7z'd.
At least the files that they 7z'd still have the names and the correct file size, although nothing else.
With Duplicate Photo Cleaner hopefully I will be able to compare the files with ones I have scattered around on various drives, then rename them or at least see others of the same time.
Yes, some of the files do have the complete EXIF details, however many don't, although I'm not sure if they did when they got to me anyway.
EaseUS has separated the camera files into camera company folders and they have the info.
Thanks again.
oz
Fortunately Oz, and honestly with an element of luck, no. My Asus router has flashing yellow text on the home page of the interface warning of UPnP being enabled. I know this, as a while back, in a frustrated effort to get some stuff working, I turned it on... and forgot to disable it afterwards. I was reminded next time I logged in to the router. I'm lucky this previous oversight didn't take place during the outbreak. Of course UPnP was enabled on the NAS (default???), so I would definitely have been in the same boat. Or perhaps not, as I had disabled HBS along with a load of schnik-schnak apps. I think that was as a result of some warning I'd caught online which reduced my confidence in Qnap security. Luck at play again.
I use a VPN for remote access and have untrustworthy devices isolated. I've received the security lecture on a surveillance forum and have "done the needful". Still, a couple of clicks trying to sort out a network issue can bring all good efforts undone.
Probably my main remnant mistake following current review is that nearly all my backups were online (during extended working hours) on the network. My previous offsite became a non-option 18 months ago
I really feel for everyone affected. My position is that this equipment should be better, with audits and warnings regarding loose security. I certainly don't lay blame on the user... these are consumer products.
I hope you can get back to where you were, or near enough to be OK with it.
Cheers, Steve
-
- First post
- Posts: 1
- Joined: Sun Oct 25, 2020 1:34 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I never played with BC; any good guide or way on how to transfer BC to these hackers?
Thoughts? Is there a possibility that after some time this hacker group gets dismantled and folks who did not pay may not be able to get the password even if they want it then? Or once they collect enough $ they may just release the password for all users online?
Like many users, I also had UPnP enabled on the router, however no specific port forward. I think my system was compromised on 4/22 and when I logged in around 5/4, the system popped up to reload and apply new firmware... I blindly did that and reloaded the system. I think QNAP is at big fault here... they should have copied the password that was saved in the system before the reload and firmware update... after all it came through their app too.
-
- Starting out
- Posts: 10
- Joined: Sat Sep 05, 2015 6:58 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Qnap knew about these vulnerabilities used by Qlocker for a long time...
https://securingsam.com/new-vulnerabili ... -takeover/
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Napo67 wrote:
Qnap knew about these vulnerabilities used by Qlocker for a long time...
https://securingsam.com/new-vulnerabili ... -takeover/
More evidence supporting my decision to never ever buy a QNAP product again and why I am actively migrating my existing QNAP NAS units to TrueNAS. The entire QNAP company from leadership to software engineering is run by a bunch of inept people who could care less about customers once they get their money from the initial purchase. Anyone who still works for them should be disgraced.