[RANSOMWARE] Qlocker

dolbyman
Guru
Posts: 35017
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

What is the issue with hbs?

Do not forward any ports to your NAS and HBS is (and was) fine
gnapfan111
Starting out
Posts: 19
Joined: Sun Mar 07, 2021 12:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by gnapfan111 »

I understand the ransomware used an exploit in HBS, didn't it?

https://www.bleepingcomputer.com/news/s ... r-account/
holger_kuehn
Easy as a breeze
Posts: 413
Joined: Sun Oct 20, 2013 11:45 pm
Location: Premnitz, Germany

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by holger_kuehn »

This is correct, but this exploit needs an open port from your public IP ("outside" of your router) to the QNAP. If no port forwarding is active, it was and is safe to use HBS3.
NAS (production): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
NAS (backup): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
QTS (SSD): [RAID-1] 2 x 2TB Samsung Evo 860 M.2-Sata
Data (QTier): [RAID-6] 4 x 4TB Samsung 870 QVO Sata
Data (HDD): [RAID-6] 7 x 18TB Exos
RAM: 8 GB (QNAP shipped)
UPS: CyberPower CP900EPFCLCD
BACKUP: 10x4TB WD Red using a USB 3.0 Dock
Usage: SMB with rclone (encrypted)

NAS: TS-873U-RP FW: QTS 5.1.4.2596 build 20231128
Data (SSD): [RAID-10] 4 x 1TB Samsung Evo 860 Sata
RAM: 8 GB (QNAP shipped)
UPS: CyberPower PR2200ELCDRT2U
BACKUP: 4TB Synology DS214 FW: DSM 7.0.41890
Usage: SMB, Backup Domain Controller
dolbyman
Guru
Posts: 35017
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Yes, but without port forwards there is no way to reach your NAS to exploit it, hence my advice.
gnapfan111
Starting out
Posts: 19
Joined: Sun Mar 07, 2021 12:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by gnapfan111 »

OK, I see. I think I don't have any port forwarding enabled, if so, I will turn it off.

I followed the suggestions in this QNAP article.
https://www.qnap.com/en/how-to/faq/arti ... s-security

Otherwise, why might I need port forwarding?
What services or use cases benefit from it?

I wanted to look into the guides to set up a VPN server so I can connect to my QNAP NAS from elsewhere, but I haven't had the energy to look into it yet.
dolbyman
Guru
Posts: 35017
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Port forwards are used to reach your NAS from the WAN. Most people use them for file sharing, video sharing, and for devices advertised as a "private cloud".
luisfdgon
First post
Posts: 1
Joined: Sun Jun 20, 2021 4:34 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by luisfdgon »

Hi Guys,

Another victim here... :(

I was trying to use QRescue to recover my files, but QRescue now doesn't open. It shows an error:
Error
Page not found or the web server is currently unavailable. Please contact the website administrator for help.
Does anyone know what might be the cause?

The first time I installed it, it was working, but now it shows the error. I even tried to reinstall without success.
holger_kuehn
Easy as a breeze
Posts: 413
Joined: Sun Oct 20, 2013 11:45 pm
Location: Premnitz, Germany

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by holger_kuehn »

QNAP Support might be able to help out here. Have you created a ticket?
zeverken
New here
Posts: 2
Joined: Fri Jul 16, 2010 3:42 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by zeverken »

It seems they're accepting ransom again? I had to disable the script blocker of the TOR browser on the page where you have to enter your code, and then it moved to the payment page. The price went up to 0.05 BTC though... Can't pay that. Maybe QNAP can compensate by paying it for me?
lichmatthew
First post
Posts: 1
Joined: Thu Sep 12, 2019 1:51 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by lichmatthew »

zeverken wrote: Wed Jun 23, 2021 5:22 pm It seems they're accepting ransom again? I had to disable the script blocker of the TOR browser on the page where you have to enter your code, and then it moved to the payment page. The price went up to 0.05 BTC though... Can't pay that. Maybe QNAP can compensate by paying it for me?
Hi, are they still accepting ransom now? And may I know how we could disable the script blocker on the TOR browser? Thanks!
livelynet
New here
Posts: 3
Joined: Fri Nov 01, 2019 7:10 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by livelynet »

Here is an update on the efforts of the firm https://monstercloud.com/ to try unlocking the files.

We set up the 2 NAS devices that have QLocker on the client's files in a separate network, with no anti-virus enabled and TeamViewer access. After a WEEK of trying, the firm's expert and his team were unable to unlock the files. They did refund all of the $20,000.00, as stated in their agreement with the client, and the client, in turn, returned it to the insurance company.

We are reaching out to any and all that may have found a way to unlock the files, and as of yet no success. :(

HINDSIGHT:

Since we had the attack very early in the cycle of this, we found the Bleeping Computer post someone had posted and immediately tried it on one of the QNAP NASs. Without any support from QNAP we did as instructed, BUT we failed to know this: when the NAS was accessed via QFinder, it said an updated firmware was available.

FIRST BIG MISTAKE: Since the client had not kept up with at least 3 new updates, we immediately updated to the latest firmware to stop any further attacks.
SECOND BIG MISTAKE: What does a new firmware do as part of its update? RESTART.

We have waited for any further information, guides or otherwise and currently have 4 hard drives full of data all locked with the QLocker.

Let us know if anyone has any clues to unlocking these files.

Thank you.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

livelynet wrote: Sun Jul 04, 2021 9:07 pm Here is an update on the efforts of the firm https://monstercloud.com/ to try unlocking the files.
Interesting, but not surprising. So not only did you or your clients fall victim to ransomware, but to make matters worse you or your clients fell prey to snake oil merchants. You were lucky to be refunded. Did the firm charge a non-refundable assessment fee?
livelynet wrote: Sun Jul 04, 2021 9:07 pm We are reaching out to any and all that may have found a way to unlock the files, and as of yet no success. :(
If you had done a little research you would know very well by now that there is no way to decrypt the files and that the so-called ransomware recovery firms are scams.

This post on the Bleeping Computer forum sums it up:
In regards to data recovery services specifically, they typically act as a "middleman", pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Other data recovery services hide the actual ransom cost from clients and/or mark the cost up exponentially as noted here. Some data recovery services operate more like scammers while others like Fast Data Recovery have even been reported to make false claims to be able to decrypt data by ransomware which is not decryptable and charge an assessment fee. Experts have identified Proven Data, Red Mosquito, MonsterCloud, Dr. Shifro and Fast Data Recovery as some of the most dishonest and predatory data recovery services.
livelynet wrote: Sun Jul 04, 2021 9:07 pm Let us know if anyone has any clues to unlocking these files.
It's not possible to unlock the encrypted files, without the encryption key held by the cybercrooks. NO WAY.

If the storage volumes containing the encrypted files are still in the state they were shortly after the ransomware attack, and have not been moved or modified in any way since then, you can attempt to recover (some of) the original files that were deleted as a result of the encryption process. The procedure is implemented by QNAP and they can help you perform it. Go to https://service.qnap.com and click on the link 'Qlocker Data Recovery Service (QDRS)' displayed near the top of the page under the 'Latest News' heading.
Last edited by Mousetick on Sun Jul 04, 2021 10:40 pm, edited 1 time in total.
dolbyman
Guru
Posts: 35017
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

20k is also a great interest-free short-term loan... great business model *sarcasm*
roastedbagel
Starting out
Posts: 21
Joined: Sat Jul 20, 2013 8:09 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by roastedbagel »

jaysona wrote: Wed Apr 21, 2021 11:41 pm Many (if not most) people seem to forget that the HelpDesk app was used as a vector in the past, and QNAP very quietly plugged that hole, could be another one was found again.

About a year ago, I had a fresh QTS install on a TS-853 Pro get compromised overnight. I have no port forwards on the particular LAN segment (I have four different ISP connections) I use for new machine builds, and the LAN segment only had the TS-853 Pro and a LiveCD laptop connected to it. The only QTS app the QNAP had was the HelpDesk; it was getting close to 4am, and I decided to pause the NAS build (it is now my seedbox) until the next day. When I picked up and continued the build, I noticed that the network activity was completely out of whack for what should be happening. The NAS had malware, and the only vector I can think of is HelpDesk, and I know that (at the time) the HelpDesk app (as well as others) does make outbound calls.

In any case, I always presume that QTS and its associated apps are just about as insecure as they possibly can be, and manage the NAS accordingly.
I don't know why it won't let me PM you, so I'll ask here since you seem extremely knowledgeable and trustworthy when it comes to your personal choices... So my question is, how are you liking the Asustors in your sig? I've been finger-on-trigger for almost 3 months now but haven't had the scale tipped for me just yet by way of review or recommendation... the security issues SHOULD be what tipped the scale, but they're more a catalyst since I'm not desperate for a new unit, more so just wanting an excuse for a new toy (and new brand relationship).

Would love to hear your thoughts on those units and sorry for asking in this thread but I couldn't figure out any other way to communicate to you privately!
dawsonkm
Getting the hang of things
Posts: 62
Joined: Sun May 01, 2016 9:20 am
Location: New Jersey, USA

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dawsonkm »

roastedbagel. The PM system is disabled here.
TS-431X2 QTS 4.4.3.1439 - Static Vol 4 x 8TB Hdd Raid 5 Using 10GBE
TS-431X2 QTS 4.4.3.1439 - Static Vol 4 x 8TB Hdd Raid 5 Using 10GBE
TS-431P2 QTS 4.4.3.1439 - Static Vol 4 x 8TB Hdd Raid 5
TS-431P2 QTS 4.4.3.1439 - Static Vol 4 x 8TB Hdd Raid 5
TVS-1282T QTS 4.5.4.2012- Static Vol 8 x 16TB Hdd Raid 6, Static Vol 4 X 8TB SSD Raid 5 Using 10GBE