[RANSOMWARE] Qlocker

P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Mousetick wrote: Sun May 02, 2021 11:48 pm - It gives a lot of good advice for securing QNAP NASes (except the bit about changing port numbers, that's bollocks).
Not all are good. Disabling SSH means that the user has no options left when the web admin interface becomes unreachable for some reason. Disabling the admin account means that some features can't be used.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

P3R wrote: Mon May 03, 2021 8:18 am
Mousetick wrote: Sun May 02, 2021 11:48 pm - It gives a lot of good advice for securing QNAP NASes (except the bit about changing port numbers, that's bollocks).
Not all are good. Disabling SSH means that the user has no options left when the web admin interface becomes unreachable for some reason. Disabling the admin account means that some features can't be used.
You're right, that's true for you, and many others. But it's like the auto-update debate, you're an expert user: you don't need or want this kind of advice. It's not for you. You're not obligated to follow it. It's for the majority of users who don't know what to do with SSH when it's available, and it's dangerous to allow root login via SSH, not only for security reasons, especially if you don't know what you're doing.

I went back and edited my post:
"- It gives a lot of good advice to novice and non-technical users for securing QNAP NASes (except the bit about changing port numbers, that's bollocks)."
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD »

Mousetick wrote: Mon May 03, 2021 9:07 am I went back and edited my post:
"- It gives a lot of good advice to novice and non-technical users for securing QNAP NASes (except the bit about changing port numbers, that's bollocks)."
Agree. :)

izjamest
New here
Posts: 5
Joined: Fri Mar 11, 2016 5:23 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by izjamest »

Got attacked by this last week. Both of my QNAP NASes. Fortunately, most of it was video files that were not encrypted. All my music and photos and work documents were encrypted though so that's all gone. Lost all faith in QNAP. Didn't know they would be vulnerable to ransomware.

I've updated everything and deleted all the 7zip files.

Can someone please show or direct me step by step how to isolate my two NASes (251 and 451) from the internet? I only need it on my local network to stream videos, and it is currently plugged through my router.

Also I have run Malware Remover on both my NAS. Is there anything else I need to do to ensure that it is no longer infected?

Thanks!
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Mousetick wrote: Mon May 03, 2021 9:07 am It's not for you.
Of course I'm not thinking about me. I'm thinking of it as advice for the inexperienced users.
It's for the majority of users who don't know what to do with SSH when it's available...
Systems can freeze up also for newbies (it even happens more often for the inexperienced) and sometimes advice to them offered here when they're in trouble will be to install PuTTY and enter this or that command.

I'd say that the main reason Qnap started to give the advice to shut down SSH was because of the stupidity they were doing, using UPnP to automatically expose services on the internet as well. SSH on the internet is crazy but the solution isn't to shut down the service completely.
and it's dangerous to allow root login via SSH, not only for security reasons, especially if you don't know what you're doing.
Trust me, the inexperienced users won't touch SSH until they absolutely need to. A very large majority don't even know how to access it and they're uncomfortable when at a prompt.

SSH is only a possible risk for the tinkerer that knows a little but not enough to understand the dangers. They may shoot themselves in the foot but they will simply enable SSH and try it anyway so they won't be protected by this advice either.

If the bad guys have compromised the network and have a foothold on the inside, having SSH disabled won't protect the Qnap.

So no. SSH isn't inherently dangerous on a local network and shutting down the SSH service isn't good security advice for anyone. It's only a possible limitation in the ability to manage the system in the future. It was advice rushed out in panic by Qnap when they have forwarded SSH out on the internet and now apparently nobody dares to question it.
Last edited by P3R on Mon May 03, 2021 7:32 pm, edited 3 times in total.
Barboots
Getting the hang of things
Posts: 53
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots »

Mousetick wrote: Saved for posterity:
qnaphbsqlocker.png

Interesting. When they say "targeting QNAP NAS directly connected to the Internet with unpatched old versions of HBS", don't they really mean "targeting QNAP NAS directly connected to the internet, as we've never suggested not to or warned you about, running the last published and auto-updated version of HBS"???

Asking for a friend...
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

izjamest wrote: Mon May 03, 2021 3:10 pm All my music and photos and work documents were encrypted though so that's all gone.
If more disks than your RAID can manage had failed, if the NAS had been fried by a thunderstorm or if it had been stolen you would have lost all your files. The way to protect your data from all these and other threats (including ransomware) is to do external backup copies of the data.
Can someone please show or direct me step by step how to isolate my two NASes (251 and 451) from the internet? I only need it on my local network to stream videos, and it is currently plugged through my router.
  1. Stop using the DMZ feature in the router/firewall for the Qnap if you've been doing that.
  2. Remove any manual port forwarding in the router/firewall that points at the Qnap if you have done that.
  3. Go to the myQNAPcloud app in the web administration, click Auto Router Configuration and then disable UPnP port forwarding.
  4. If possible, disable UPnP port forwarding in your router/firewall as well.
  5. Reboot the router/firewall.
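A way to check steps 3 and 4 of the list above from a PC on the same LAN, as an added example that is not part of the original post: it parses the port-mapping listing printed by the miniupnpc client (`upnpc -l`) and reports any UPnP forward that still points at a NAS. The listing format is assumed to be that tool's, and the NAS addresses, ports and sample listing are constructed.

```python
import re
import shutil
import subprocess

# Constructed sample of `upnpc -l` output; all addresses and ports are made up.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS Web Admin' '' 0
 1 TCP    22->192.168.1.50:22    'NAS SSH' '' 0
 2 UDP 51413->192.168.1.20:51413 'torrent client' '' 3600
 3 TCP  8081->192.168.1.51:8080  'NAS Web Admin' '' 0
"""

# index, protocol, externalPort->internalHost:internalPort, 'description'
MAPPING = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

def parse_mappings(text):
    """Return every port mapping found in `upnpc -l` style output."""
    found = []
    for line in text.splitlines():
        m = MAPPING.match(line)
        if m:  # header and status lines do not match and are skipped
            proto, ext, host, internal, desc = m.groups()
            found.append({"proto": proto, "external": int(ext), "host": host,
                          "internal": int(internal), "desc": desc})
    return found

def nas_exposures(text, nas_ips):
    """Mappings that forward an internet-facing port to one of the NAS addresses."""
    wanted = set(nas_ips)
    return [m for m in parse_mappings(text) if m["host"] in wanted]

if __name__ == "__main__":
    nas_ips = ["192.168.1.50", "192.168.1.51"]  # assumption: replace with your NAS IPs
    if shutil.which("upnpc"):  # live listing from the router when the client is installed
        text = subprocess.run(["upnpc", "-l"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE
    hits = nas_exposures(text, nas_ips)
    for m in hits:
        print(f"STILL FORWARDED: {m['proto']} {m['external']} -> "
              f"{m['host']}:{m['internal']} ({m['desc']})")
    print("No UPnP forwards to the NAS." if not hits else f"{len(hits)} forward(s) to remove.")
```

A UPnP listing cannot show a DMZ setting or manual port forwards (steps 1 and 2), so those still have to be checked in the router's own admin pages.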
byflash
New here
Posts: 5
Joined: Mon Apr 26, 2021 3:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by byflash »

I have a qnap device with 2 hard drives. I use one of the disks for system and the other for backup. Is there an application that can encrypt the backup disk and back up only with a password?
Ericnepean
Know my way around
Posts: 132
Joined: Mon Jul 02, 2012 4:35 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ericnepean »

byflash wrote: Tue May 04, 2021 2:27 pm I have a qnap device with 2 hard drives. I use one of the disks for system and the other for backup. Is there an application that can encrypt the backup disk and back up only with a password?
What I do for backup is this:
I have a drive dock attached to the QNAP and three 3.5" hard drives, A, B, C.
About once every week or two (more often if there is new content), I copy all my user files to the next hard drive in the sequence - A-B-C-A-B-C-A....
Immediately after backup, I put the backup drive in the closet. In tornado season, one of the drives is kept at a friend's house.

No encryption needed (I did try encrypting the drives, but lost some data because I couldn't remember the password correctly)
No special SW needed.
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
Razorblade
Starting out
Posts: 11
Joined: Thu Apr 22, 2021 7:14 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Razorblade »

Barboots wrote: Mon May 03, 2021 4:00 pm Interesting. When they say "targeting QNAP NAS directly connected to the Internet with unpatched old versions of HBS", don't they really mean "targeting QNAP NAS directly connected to the internet, as we've never suggested not to or warned you about, running the last published and auto-updated version of HBS"???
Totally agree. They know no sense of shame.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

byflash wrote: Tue May 04, 2021 2:27 pm I have a qnap device with 2 hard drives. I use one of the disks for system and the other for backup.
Internal backups are unfortunately very ineffective, regardless if encrypted or not. Take for example a ransomware, it will easily encrypt both the original data and backup. They also offer no protection against anything that will take out the NAS like fire, flooding or theft. Also why encrypt the backup when a thief won't remove and steal only your backup disk? He will steal the whole NAS with both your main data and the backup.

It's better to remove the backup disk and use it in a USB-connected drive dock/enclosure. If not constantly powered on, it's at least a slightly better protection than what you have now. Also it will be a nice single partition and not the multi-partition format of internal disks. Make sure that you can restore data from your backup disk when used separately, without the NAS. If not, your internal backup disk will be useless when the NAS fails.

The next step up will be to have at least two backup disks used in a rotating scheme like Ericnepean describes, with at least one backup disk always stored off-site to protect against on-site disasters.
byflash
New here
Posts: 5
Joined: Mon Apr 26, 2021 3:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by byflash »

Without a password, data cannot be saved on the backup disk. Write protected hard drive :)

The ransomware will not be able to encrypt the data on the backup disk, as it will not be able to enter the password.

I meant that.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

byflash wrote: Tue May 04, 2021 4:51 pm Without a password, data cannot be saved on the backup disk.
Okay, the volume encryption available in Qnap works the way you want it to if you manually unlock it before and lock it after every backup.
The ransomware will not be able to encrypt the data on the backup disk, as it will not be able to enter the password.
Yes, if you do volume encryption as suggested above instead of file encryption in the backup software, but what you forget is that a ransomware can still easily destroy the backup, it doesn't have to encrypt it. When the ransomware is inside the system, as it is with Qlocker, it can do anything and all bets are off. That is one of several reasons why an internal backup is a bad idea. External backups offer much better protection and the more external the backups are, the better.
icetealight
Starting out
Posts: 18
Joined: Thu Jun 23, 2011 5:34 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by icetealight »

UPDATE 06.05.2021: Possibility tested -> failed

Possible Solution <- needs check ->

Can somebody please reach out to me who has paid for the service on this wallet: 3EPBKN3bcax81U3MdKYUhMC1fzFEFGPC6E?

I might have a solution to this problem, but I need to double-check it first.

Best would be: You paid the hackers - and you have extracted all your files already - so you are "already" off the hook.

So I can start to mess around with your TXID/ClientID.

If this works - we will be able to steal passwords
Last edited by icetealight on Thu May 06, 2021 2:51 pm, edited 1 time in total.
icetealight
Starting out
Posts: 18
Joined: Thu Jun 23, 2011 5:34 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by icetealight »

UPDATE 06.05.2021: Possibility tested -> failed

UPDATE

If you are obliged to make a payment on wallet

3DhE1iZ5Ui6HALVKuuYXW52ArZPVJjUgJA

We can try to get your password - let me know
Last edited by icetealight on Thu May 06, 2021 2:52 pm, edited 1 time in total.