[RANSOMWARE] Qlocker

Bob Zelin
Experience counts
Posts: 1370
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.

[RANSOMWARE] Qlocker

Post by Bob Zelin »

Just saw this (client called me).
Client was using RTRR to a customer in Washington DC. Port 8899 on the router was opened. I know nothing about the client's security.

Anyone see this yet (in every folder)?

Bob Zelin (and yes - this is what having Snapshots is all about) -

-
!!! All your files have been encrypted !!!

All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.

To purchase your key and decrypt your files, please follow these steps:

1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".

2. Visit the following pages with the Tor Browser:

gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion

3. Enter your Client Key:

eaXHuUpkr+h4Z3oeHWVb/BEJfjEPckMEVJHYBp6+XYmtQaghA3xfQm9cpvdCLS1IWQhAXAMuiSyqc7+RyDACGWPVa2qJnHNjaFSNpzP7hrdHwqd5tcCBRjca1MSv907XaJtpPW5uZjBCSERfTKkL+ZhJjn5Tv6cj/VqUKAoOa6W9QrW8osEil7rMhSU0FGHD/nOocqPNqwrufBnh/qcRl0JgHpBTwA+OZE7Q/p99X8vA9iS8A1zTYkCzQ6GQk9Eo7rEdFdOCoNiof3xEly29qRgwHffQbrI1P4NPXZyDHue8MeGu6ZvHic66mTr0FVHbojBLulzA+Yp0ZYAApeIrSA==
Last edited by OneCD on Mon Mar 21, 2022 9:42 am, edited 3 times in total.
Reason: Fixed title
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: 4/20/2021 - new virus ?

Post by OneCD »

It got a mention here too: https://www.bleepingcomputer.com/forums ... ension-7z/

Seems it's called Qlocker.

Bob Zelin
Experience counts
Posts: 1370
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.

Re: 4/20/2021 - new virus ?

Post by Bob Zelin »

here we go again ......
bob
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: 4/20/2021 - Qlocker in the wild.

Post by jaysona »

The .onion site calls it Qlocker, and apparently the encrypted blob (appears to be 256 bytes base64 = RSA-2048) in the note is the password for the files.


(attachment: qlocker.png)
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
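To make jaysona's observation about the note concrete, here is a small triage helper added for this thread (it is not code from the thread, from the poster, or from QNAP). It pulls the "Client Key" out of a note laid out like the one Bob posted, base64-decodes it and relates the byte length to an RSA modulus size; the regex around the "Client Key:" label and the `build_sample_note` helper are assumptions of this example, and the sample key it builds is constructed, not a real one.

```python
import base64
import re

# Matches the "Client Key:" label used in the note Bob posted, followed by the
# first run of base64 characters.  The label text comes from the note itself;
# the surrounding regex is an assumption about how the note is laid out.
CLIENT_KEY_RE = re.compile(r"Client Key:\s*([A-Za-z0-9+/]+={0,2})")


def extract_client_key(note_text):
    """Return the base64 'Client Key' string from a ransom note, or None."""
    m = CLIENT_KEY_RE.search(note_text)
    return m.group(1) if m else None


def classify_blob(b64):
    """Decode a base64 blob and relate its length to an RSA modulus size.

    A raw RSA ciphertext is exactly as long as the modulus, so a 256-byte
    blob points at RSA-2048 (jaysona's reading of the note), 128 bytes at
    RSA-1024, 384 at RSA-3072 and 512 at RSA-4096.  Any other length is
    reported with likely_rsa_bits=None rather than guessed.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return {"valid_base64": False, "byte_length": None, "likely_rsa_bits": None}
    n = len(raw)
    return {
        "valid_base64": True,
        "byte_length": n,
        "likely_rsa_bits": n * 8 if n in (128, 256, 384, 512) else None,
    }


def triage_note(note_text):
    """Combine extraction and classification into one verdict for an IR ticket."""
    key = extract_client_key(note_text)
    if key is None:
        return {"found": False}
    info = classify_blob(key)
    info["found"] = True
    # The Client Key is the per-victim archive password encrypted to the
    # attacker's public key; without their private key it cannot be turned
    # back into the password, so recovery means snapshots or external backups.
    info["recoverable_offline"] = False
    return info


def build_sample_note(n_bytes):
    """Constructed note in the layout quoted in this thread, with a dummy key of n_bytes."""
    key = base64.b64encode(bytes(i % 256 for i in range(n_bytes))).decode()
    note = "3. Enter your Client Key:\n\n" + key + "\n"
    return note, key


if __name__ == "__main__":
    # The Client Key exactly as it appears in the note Bob posted above.
    posted_key = (
        "eaXHuUpkr+h4Z3oeHWVb/BEJfjEPckMEVJHYBp6+XYmtQaghA3xfQm9cpvdCLS1IWQhAXAMuiSyqc7+"
        "RyDACGWPVa2qJnHNjaFSNpzP7hrdHwqd5tcCBRjca1MSv907XaJtpPW5uZjBCSERfTKkL+ZhJjn5Tv6cj/"
        "VqUKAoOa6W9QrW8osEil7rMhSU0FGHD/nOocqPNqwrufBnh/qcRl0JgHpBTwA+OZE7Q/p99X8vA9iS8A1zT"
        "YkCzQ6GQk9Eo7rEdFdOCoNiof3xEly29qRgwHffQbrI1P4NPXZyDHue8MeGu6ZvHic66mTr0FVHbojBLulzA+"
        "Yp0ZYAApeIrSA=="
    )
    print(triage_note("Client Key:\n\n" + posted_key))
```

The point of the length check is to stop anyone wasting time on the blob itself: a 2048-bit RSA ciphertext without the matching private key is not something that can be brute-forced or decoded, so the note only confirms that restoration has to come from snapshots or an external backup.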
netpol
First post
Posts: 1
Joined: Wed Apr 21, 2021 2:24 pm

Re: 4/20/2021 - new virus ?

Post by netpol »

The question is WHAT NOW? How can I get back my files!!!!
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: 4/20/2021 - new virus ?

Post by OneCD »

netpol wrote: Wed Apr 21, 2021 2:47 pm How can I get back my files!!!!
Restore them from your external backups. Simple.

peelos
Been there, done that
Posts: 580
Joined: Sun Jun 26, 2016 9:28 pm

Re: 4/20/2021 - new virus ?

Post by peelos »

netpol wrote: The question is WHAT NOW? How can I get back my files!!!!
Which ports did you have open on the NAS / or which services were connected to the Internet?
NAS: TVS-1282-i7-7700-40G / 4 x 500GB SSD 2.5" RAID 10 / 2 x 500GB M.2 SSD / 8 x 12TB WD Whites 3.5" RAID 6 / Noctua L9x65 / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / Transmission / Sonarr / Radarr / Bazarr / Jackett / Tautulli / Home Assistant / Resilio Sync / Python / NetData / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / 1 x Netgear AC3200 R8000 Nighthawk / FreshTomato Firmware
Toxic17
Ask me anything
Posts: 6468
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: 4/20/2021 - new virus ?

Post by Toxic17 »

Whoever is affected by this Qlocker, please submit your findings to the security team ASAP.

https://www.qnap.com/en-uk/security-adv ... #sa-report

If this is not addressed by QNAP soon, more will be vulnerable!
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
Eternic
Starting out
Posts: 16
Joined: Sat Mar 16, 2019 9:53 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by Eternic »

Same thing's happened to me. On my router I had port 8080 open (no idea why; I didn't realise this until I just checked) and I also run rTorrent on the NAS and had port 3690 open for that. Unfortunately, while I don't have much on there that's super important and unrecoverable, we do have a lot of family photos we'd just recently put on the NAS and we don't have backups for a lot of those. Unfortunately I'll probably just pay the ransom.

I'm not an expert on security for NAS devices. Is it likely that port 8080 being open was the issue? I don't want to go pay and spend the time recovering the files only for it to possibly happen again. I'd also prefer not to have to stop using rTorrent on the NAS, but I can't see myself trusting the NAS going forward, so I'll probably have to have it be entirely offline and switch anything that needs internet access over to a PC.
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jacobite1 »

No one has any idea what the vector is right now. I've actually opted to shut my unit down because I don't need it for a few days (and haven't been affected so far). Hopefully there will be a better idea what the problem is by then!

Edit: some are suspecting qnapcloud/qnapcloudlink - a few victims had 'publish services' switched on so they were actually searchable through qnapcloud.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
yugiohnl
New here
Posts: 2
Joined: Wed Apr 21, 2021 11:09 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by yugiohnl »

If you are suffering from the encryption and the process is still running, you can still get the encryption key by running this command:

# Run on the NAS while the encryption process is still active: swaps the 7z
# binary for a stub that logs every argument it is called with (the password
# among them) and then sleeps, so the next call stalls instead of encrypting.
cd /usr/local/sbin
printf '#!/bin/sh\necho "$@"\necho "$@" >> /mnt/HDA_ROOT/7z.log\nsleep 60000\n' > 7z.sh
chmod +x 7z.sh
mv 7z 7z.bak
mv 7z.sh 7z
The encryption key will then be stored in /mnt/HDA_ROOT/7z.log, which you can use to decrypt.

Hope this helps!!!
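Once the wrapper above has written a few lines, the password still has to be picked out of them. The following parser is an added example for this thread (not code from the poster or from QNAP). It assumes the log holds one 7z argument line per invocation, exactly as the wrapper echoes them, and relies on one 7-Zip CLI fact: the password is passed as a "-p<password>" switch. The sample log lines, switches, paths and password in `SAMPLE_7Z_LOG` are constructed for the example and are not taken from a real infection.

```python
import re

# Constructed sample of the lines the wrapper script from the post above
# appends to /mnt/HDA_ROOT/7z.log: the arguments of each 7z invocation,
# echoed verbatim.  Switches, paths and the password are made up here.
SAMPLE_7Z_LOG = """\
a -mx=0 -sdel -pExamplePassw0rd /share/CACHEDEV1_DATA/Photos/holiday.jpg.7z /share/CACHEDEV1_DATA/Photos/holiday.jpg
a -mx=0 -sdel -pExamplePassw0rd /share/CACHEDEV1_DATA/Docs/tax.pdf.7z /share/CACHEDEV1_DATA/Docs/tax.pdf
"""

# 7-Zip takes the archive password as "-p<password>" with no space.
PASSWORD_SWITCH = re.compile(r"^-p(.+)$")


def parse_7z_line(line):
    """Split one logged 7z argument line into command, password, archive and inputs."""
    tokens = line.split()
    if not tokens:
        return None
    command, rest = tokens[0], tokens[1:]
    password = None
    positional = []
    for tok in rest:
        m = PASSWORD_SWITCH.match(tok)
        if m:
            password = m.group(1)
        elif tok.startswith("-"):
            continue  # some other switch (-mx=0, -sdel, ...); not needed here
        else:
            positional.append(tok)
    return {
        "command": command,
        "password": password,
        "archive": positional[0] if positional else None,
        "inputs": positional[1:],
    }


def parse_7z_log(text):
    """Parse a whole 7z.log; return every invocation plus the distinct passwords seen."""
    invocations = [r for r in (parse_7z_line(l) for l in text.splitlines()) if r]
    passwords = sorted({r["password"] for r in invocations if r["password"]})
    return {"invocations": invocations, "passwords": passwords}


if __name__ == "__main__":
    result = parse_7z_log(SAMPLE_7Z_LOG)
    print("distinct passwords:", result["passwords"])
    for inv in result["invocations"]:
        print(inv["archive"], "<-", inv["inputs"])
```

Two caveats worth keeping in mind: the wrapper only sees invocations that start after it is installed, and because every wrapped call sleeps, the encryption loop stalls on the first file it reaches rather than finishing, so the log may hold a single line. Put the original binary back from 7z.bak once the password is recorded and the device has been cleaned.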
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona »

Eternic wrote: Wed Apr 21, 2021 10:30 pm ...
I'm not an expert on security for nas devices. Is it likely that port 8080 being open was the issue? I don't want to go pay and spend the time recovering the files only for it to possibly happen again. I'd also prefer not to have to stop using rtorrent on the nas, but I can't see myself trusting the nas going forward so I'll probably have to have it be entirely offline and switch anything that needs internet access over to a PC.
QNAP has been shown to be extremely insecure numerous times when it comes to making the NAS web admin page and the various applications (Music Station, Video Station, Photo Station, File Station, etc.) accessible from the Internet via port 8080/443.

There have been several QTS 0-day exploits in the past, and there will be more in the future. QTS is just a cluster-eff of a mess of PHP coding that has more holes in it than Swiss cheese.

Just do not make the QTS Web Admin page and associated QTS applications accessible from the Internet.
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jacobite1 »

jaysona wrote: Wed Apr 21, 2021 11:16 pm There have been several QTS 0-day exploits in the past, and there will be more in the future. QTS is just a cluster-eff of a mess of PHP coding that has more holes in it than Swiss cheese.

Just do not make the QTS Web Admin page and associated QTS applications accessible from the Internet.
Completely agree with you, and this is very good advice.

The issue is that in this case there are people on other forums swearing blindly that nothing was port forwarded or externally accessible. I guess it's possible nothing was port forwarded but they did, unknowingly, have qnapcloudlink enabled?
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by Skwor »

jacobite1 wrote: Wed Apr 21, 2021 11:24 pm
jaysona wrote: Wed Apr 21, 2021 11:16 pm There have been several QTS 0-day exploits in the past, and there will be more in the future. QTS is just a cluster-eff of a mess of PHP coding that has more holes in it than Swiss cheese.

Just do not make the QTS Web Admin page and associated QTS applications accessible from the Internet.
Completely agree with you, and this is very good advice.

The issue is that in this case there are people on other forums swearing blindly that nothing was port forwarded or externally accessible. I guess it's possible nothing was port forwarded but they did, unknowingly have qnapcloudlink enabled?
Ya, right now the reports of this are conflicting; they are not making sense as far as possible vectors go.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona »

Many (if not most) people seem to forget that the HelpDesk app was used as a vector in the past, and QNAP very quietly plugged that hole, could be another one was found again.

About a year ago, I had a fresh QTS install on a TS-853 Pro get compromised overnight. I have no port forwards on the particular LAN segment (I have four different ISP connections) I use for new machine builds, and the LAN segment only had the TS-853 Pro and a LiveCD laptop connected to it. The only QTS app the QNAP had was the HelpDesk; it was getting close to 4am, and I decided to pause the NAS build (it is now my seedbox) until the next day. When I picked up and continued the build, I noticed that the network activity was completely out of whack for what should be happening. The NAS had malware, and the only vector I can think of is HelpDesk, and I know that (at the time) the HelpDesk app (as well as others) did make outbound calls.

In any case, I always presume that QTS and its associated apps are just about as insecure as they possibly can be, and manage the NAS accordingly.