[RANSOMWARE] Qlocker

jkelso_1
First post
Posts: 1
Joined: Tue Dec 04, 2018 9:06 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jkelso_1 »

Hello,

This might help. It is from Europol. You can submit samples and they will tell you which if any of the 121 decryption tools will help.

https://www.nomoreransom.org/crypto-sheriff.php?lang=en

https://www.europol.europa.eu/newsroom/ ... le-website
epafin
First post
Posts: 1
Joined: Tue Aug 10, 2021 1:15 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by epafin »

I performed Qrescue and all went great given the circumstances. I was able to recover some of the files. However, for some reason the qrescue.sh script did not work completely in the renaming process. I had about 500 .heic image files in the recup1 folder, which the Qrescue renaming script seems to have skipped even though the original .7z's are still in place. I reached out to QNAP support but they were next to useless: they only requested remote access to the NAS and did 'du -sh' in the recovery folders, and neglected the original issue completely.

So my question is, do you know if the qrescue script is unable to resolve the filenames of recovered .heic files? Is there possibly an exception in the script to skip files other than, let's say, jpg, png, and gif files? Can the script be edited to try to look at the .heic files also? I am not skilled with python or coding, but I am somewhat tech-savvy so I could possibly do the edits myself if someone points me to where to look :D
Gibbedy
New here
Posts: 5
Joined: Wed May 04, 2016 3:12 pm

Re: Attack vector upnp & HBS?

Post by Gibbedy »

...
2. Were all myQnapCloud users vulnerable to this attack?
myQNAPcloud unlikely made any difference here. The real problem was the internet exposure in itself in combination with the vulnerability.

Here is how I discovered I'd been hit by this vulnerability.
Just randomly doing a portscan of my network from the internet side, I noticed a port that was open when there shouldn't have been anything.
Checked the router: no port forwarding enabled, UPnP disabled, no DMZ... didn't make any sense. Checked the QNAP and UPnP was enabled, which I'm sure I disabled. Either way... how is it forwarding? Back to my modem, and after some time I think I'll just try enabling the UPnP checkbox, applying changes, then disabling UPnP again... That was it. Port no longer forwarded...
Then I think I'd better look at the logs... hmm, no access logs since 20/04/21. ...
20/04/2021 7:45:41 admin 85.57.67.117 --- HTTP/HTTPS Administration
IP is from Spain..... uh oh... :(
Check files
Home, Recordings, Download, Movies all encrypted.
Luckily I didn't have anything of value in there and all my files are in non-default named folders.
So it seems 1 day after QNAP released a patch I'm hit by an automated attack. The router setting bug is just bad luck; I have my suspicions UPnP on the QNAP was enabled after a firmware update. That's bad, QNAP! But I do have a question.
I assume an attack like this couldn't happen through CloudLink? I mean I suppose my ports were scanned and I was targeted, but to do the same thing with CloudLink wouldn't be possible?

Anyway, passwords changed, firmware updated; I think I'll try a different NAS provider when it comes time to upgrade.
I do love Qsync over CloudLink though..
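The discovery steps in the post above (an unexpected open port, then a connection log showing the built-in admin account reached from a foreign address the day after the patch) are exactly what a small log check can surface automatically. The following is an added example and not the poster's or QNAP's code; it assumes a line layout matching the single entry quoted above (date, time, user, source IP, `---`, service), which is an assumption about the export format, and uses a constructed sample log whose only public address is the one quoted in the post.

```python
import ipaddress
import re
from datetime import datetime

# Assumed line shape, modelled on the single entry quoted in the post above:
#   20/04/2021 7:45:41 admin 85.57.67.117 --- HTTP/HTTPS Administration
# i.e. date, time, user, source IP, "---", service. A real QTS export may differ;
# adjust the regex to your own log before relying on it.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<ip>\S+)\s+---\s+(?P<service>.+?)\s*$"
)

# Services that should never be reached from outside the LAN.
ADMIN_SERVICES = {"HTTP/HTTPS Administration", "SSH", "Telnet"}

# Constructed sample log. The public address is the one quoted in the post;
# the private addresses and user names are made up for this example.
SAMPLE_LOG = """\
19/04/2021 22:10:05 alice 192.168.1.20 --- SAMBA
20/04/2021 7:45:41 admin 85.57.67.117 --- HTTP/HTTPS Administration
20/04/2021 7:46:02 admin 85.57.67.117 --- SSH
20/04/2021 9:00:00 bob 192.168.1.21 --- HTTP/HTTPS Administration
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S")
    return rec


def is_external(ip):
    """True if ip is globally routable (not RFC 1918, loopback, link-local, ...)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def find_suspicious(lines):
    """Flag admin-service access from public addresses and any use of the
    built-in admin account. Returns (timestamp, user, ip, service, reasons)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["service"] in ADMIN_SERVICES and is_external(rec["ip"]):
            reasons.append("admin service reached from a public address")
        if rec["user"] == "admin":
            reasons.append("built-in admin account used")
        if reasons:
            hits.append((rec["when"], rec["user"], rec["ip"], rec["service"], reasons))
    return hits


def first_external_admin_login(lines):
    """Earliest public-address hit on an admin service: the starting point for an
    incident timeline (when did the exposure begin?). None if there is no such hit."""
    ext = [h for h in find_suspicious(lines)
           if "admin service reached from a public address" in h[4]]
    return min(ext, key=lambda h: h[0])[0] if ext else None


if __name__ == "__main__":
    for when, user, ip, service, reasons in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{when:%Y-%m-%d %H:%M:%S} {user}@{ip} -> {service}: {'; '.join(reasons)}")
    print("first external admin login:", first_external_admin_login(SAMPLE_LOG.splitlines()))
```

Feed it the exported connection log instead of `SAMPLE_LOG`; a single hit on the admin service from a public address is enough to treat the unit as compromised, whatever the router's forwarding page says.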
bubo75
Starting out
Posts: 13
Joined: Tue Feb 21, 2017 6:45 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by bubo75 »

Hi, today I saw that I have a lot of files encrypted with 7z.
What can I do? I opened the ticket and waited. :(
robryan29
First post
Posts: 1
Joined: Tue Nov 30, 2021 10:06 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by robryan29 »

Hi all. Qlocker victim here. I have my password to decrypt. I have a QNAP T-251/A and I'm an Apple user (iMac, to be exact). Is there a batch decrypt I can run using a different uncompression program? I've confirmed the password works with other programs (Keka, StuffIt, etc). Looking for alternatives to unzipping files one by one on the drives. Any help is greatly appreciated. Thanks!
TryWait
Starting out
Posts: 40
Joined: Sat Apr 03, 2010 12:26 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by TryWait »

What does Malware Remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.

The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
TS-419P , 4x WD 3TB Red NAS 3.5 Inch, WD30EFRX HD's RAID5 :: QNAP Firmware 4.3.3 (0378)
iMac 3.8 GHz Quad-Core Intel Core i5 . 32GB . OSX 10.15.7
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Toxic17 »

TryWait wrote: Thu Dec 23, 2021 9:52 am What does Malware Remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.

The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
Personally I would not trust anything on your NAS; you cannot guarantee what else the malware/ransomware has done to the system. You're better off wiping all contents by selecting "Reinitialize NAS" and then, once your NAS is finalised, restoring your files from your backup.
Regards Simon

When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

TryWait wrote: Thu Dec 23, 2021 9:52 am What does Malware Remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.

The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
The malware developers are anything but inept cretins. Their goal is to exploit a vulnerability and hold data ransom; it seems like they succeeded in their goal.

The QNAP Malware Remover is a purposely (by QNAP) opaque black box that logs next to nothing; what little logging is performed is purposely vague and meaningful to the end user.

If you can, I would even re-flash the DOM using the Firmware recovery procedure, instructions here: https://wiki.qnap.com/wiki/Firmware_Recovery
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

TryWait wrote: Thu Dec 23, 2021 9:52 am The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files.
That's entirely by design and it did what it was created to do. They didn't want to spend much time on encrypting very large files as that would have increased the risk of being discovered before the encryption mission was completed. Therefore they had a size cut-off where they only encrypted smaller files. Smaller files like documents and photos (that may be unique family photos) are typically much more valuable to users than huge video files that often can be reacquired from the same sources they came from in the first place. They're criminals, but they're clever and competent.

Stop exposing your Qnap directly on the Internet, as it simply isn't secure enough for that; that is the lesson to be learned here. And no, using strong passwords, 2FA, other than default ports, disabling the admin account and all those other things suggested by Qnap doesn't make it secure. It's just lipstick on the pig.

If remote access is required then use a remote access VPN installed on the Internet-facing router/firewall or on a separate device but not the Qnap.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
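Three practical questions run through this part of the thread: how to get rid of thousands of ransom notes without touching anything else (TryWait), how to batch-extract the `.7z` archives once the password is known on a Mac (robryan29), and what the size cut-off described in the post above looks like on a real tree. The script below is an added example and not code from any poster, from QNAP or from Qrescue; it assumes the note names quoted in this thread, assumes p7zip's `7z x -p<password> -o<dir> -y` syntax for extraction, and runs its demo on a constructed sample tree (nothing is deleted or extracted unless you call the functions with `dry_run=False` or `run_extraction` yourself). The `PASSWORD_PLACEHOLDER` value is a placeholder, not a real Qlocker password.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Ransom-note names seen in this thread: the README_FOR_DECRYPT.txtt the posts
# complain about, plus the !!!READ_ME.txt reported by ID Ransomware further down.
NOTE_NAMES = {"README_FOR_DECRYPT.txtt", "README_FOR_DECRYPT.txt", "!!!READ_ME.txt"}


def scan(root):
    """Walk root and return sorted lists: (ransom notes, .7z archives, everything else)."""
    notes, archives, others = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name in NOTE_NAMES:
                notes.append(p)
            elif name.endswith(".7z"):
                archives.append(p)
            else:
                others.append(p)
    return sorted(notes), sorted(archives), sorted(others)


def size_summary(archives, others):
    """Largest archived file vs. smallest untouched file. On a real tree the gap
    between the two brackets the size cut-off described in the post above."""
    a = [p.stat().st_size for p in archives]
    o = [p.stat().st_size for p in others]
    return {"archives": len(a), "largest_archive": max(a, default=0),
            "untouched": len(o), "smallest_untouched": min(o, default=0)}


def extraction_commands(root, archives, password, out_root, seven_zip="7z"):
    """One p7zip command per archive: 7z x -p<password> -o<dir> -y <archive>.
    Output goes under out_root, mirroring the original folder layout, so the
    encrypted originals stay untouched for a support ticket or later forensics."""
    cmds = []
    for p in archives:
        dest = Path(out_root) / p.relative_to(root).parent
        cmds.append([seven_zip, "x", f"-p{password}", f"-o{dest}", "-y", str(p)])
    return cmds


def run_extraction(cmds):
    """Execute the planned commands. Needs p7zip on PATH (brew install p7zip on macOS)."""
    if not cmds or shutil.which(cmds[0][0]) is None:
        raise RuntimeError("7z not found on PATH; install p7zip first")
    for c in cmds:
        subprocess.run(c, check=True, stdout=subprocess.DEVNULL)


def remove_notes(notes, dry_run=True):
    """Delete ransom notes, keeping the first one as evidence. Returns (kept, removed)."""
    kept, removed = notes[:1], notes[1:]
    if not dry_run:
        for p in removed:
            p.unlink()
    return kept, removed


def build_demo_tree(base):
    """Constructed sample tree: two small photos turned into .7z, a large video
    left alone, one ransom note per folder. Not real Qlocker output."""
    base = Path(base)
    (base / "Photos").mkdir(parents=True, exist_ok=True)
    (base / "Movies").mkdir(exist_ok=True)
    (base / "Photos" / "IMG_0001.jpg.7z").write_bytes(b"\0" * 2048)
    (base / "Photos" / "IMG_0002.heic.7z").write_bytes(b"\0" * 4096)
    (base / "Movies" / "holiday.mp4").write_bytes(b"\0" * 1_000_000)
    for d in (base, base / "Photos", base / "Movies"):
        (d / "README_FOR_DECRYPT.txtt").write_text("ransom note placeholder")
    return base


def demo():
    """Run the triage on the constructed tree (dry run: nothing deleted or extracted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        notes, archives, others = scan(root)
        summary = size_summary(archives, others)
        cmds = extraction_commands(root, archives, "PASSWORD_PLACEHOLDER",
                                   Path(tmp) / "recovered")
        kept, removed = remove_notes(notes, dry_run=True)
        notes_after, _, _ = scan(root)
        return {"notes": len(notes), "kept": len(kept), "removed": len(removed),
                "notes_after_dry_run": len(notes_after), "summary": summary,
                "cmds": cmds}


if __name__ == "__main__":
    result = demo()
    print(result["summary"])
    for c in result["cmds"]:
        print(" ".join(c))
```

Run `scan` against a copy of the share, never against the only copy: the advice in the replies above (stop using the unit, reinitialise, restore from backup) stands, and the extraction step only makes sense for someone who, like robryan29, already has the password and wants to recover in bulk rather than one archive at a time.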
Jonnie1
Starting out
Posts: 32
Joined: Sun Mar 22, 2020 1:53 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Jonnie1 »

jaysona wrote: Thu Dec 23, 2021 11:09 am
TryWait wrote: Thu Dec 23, 2021 9:52 am What does Malware Remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.

The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
The malware developers are anything but inept cretins. Their goal is to exploit a vulnerability and hold data ransom; it seems like they succeeded in their goal.

The QNAP Malware Remover is a purposely (by QNAP) opaque black box that logs next to nothing; what little logging is performed is purposely vague and meaningful to the end user.

If you can, I would even re-flash the DOM using the Firmware recovery procedure, instructions here: https://wiki.qnap.com/wiki/Firmware_Recovery
This site does not include instructions or a firmware file for the TS-251D. Would I use the file and instructions for the TS-253D?
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

Jonnie1 wrote: Thu Dec 23, 2021 11:35 pm This site does not include instructions or a firmware file for the TS-251D. Would I use the file and instructions for the TS-253D?
I have not worked with either of those two NAS models, so I cannot comment. I typically only comment based on experience.

I have tried messing around with using a similar model's recovery firmware on a different model in the past, and results were varied: in some cases the NAS would boot with numerous errors, in other cases the NAS would never progress past displaying the message "Decompressing Linux......." or something similar to that message.

That said, a quick search reveals that the TS-251D is an Intel Celeron based NAS with an HDMI video output, so I would presume that the instructions for any similar Intel based NAS with an HDMI video output would work.

I would open a ticket with QNAP tech support to have them provide you with the specific instructions and recovery firmware for your model of NAS.
g73jkwy
Starting out
Posts: 15
Joined: Mon Dec 26, 2016 11:18 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by g73jkwy »

Hi, I'm from Italy.

Since yesterday I'm under attack: my NAS was unreachable, so I restarted it.

Then all my files are being encrypted. I'm trying to save as many files as I can.

I don't know how I can resolve this... This is a disaster.
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dosborne »

g73jkwy wrote: Fri Jan 07, 2022 9:41 pm Then all my files are being encrypted. I'm trying to save as many files as I can.
I don't know how I can resolve this... This is a disaster.
Start by reading this entire thread as there is a lot of good information.

Enter a helpdesk ticket with QNAP to see if they can help.
Reinitialize and restore your files from backup should hopefully also be an option.
Be sure to never expose your NAS directly to the internet in the future, and follow the security hardening steps such as disabling UPnP and services that you do not require.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

And stop using the NAS immediately; if anything can be recovered via tools, using the NAS will destroy your chances.
g73jkwy
Starting out
Posts: 15
Joined: Mon Dec 26, 2016 11:18 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by g73jkwy »

It was impossible to connect to the NAS via SSH. Malware Remover unavailable. Failed to install QRescue. Now I've disconnected the NAS from the internet and the local LAN.
Infection on 06/01/2022. Latest available firmware on TS112P.

From https://id-ransomware.malwarehunterteam.com
1 Result
Qlocker
This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

ransomnote_filename: !!!READ_ME.txt