[RANSOMWARE] Qlocker

dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Did anyone post QNAP's official response/statement yet?

https://www.qnap.com/static/landing/202 ... sponse/en/
elvisimprsntr

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by elvisimprsntr »

dolbyman wrote: Did anyone post QNAP's official response/statement yet?

https://www.qnap.com/static/landing/202 ... sponse/en/
I disagree with QNAP suggesting using myQNAPcloud. How do we know that is not another vulnerable attack surface?
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

QNAP is suggesting using myQNAPcloud Link, which is not at all the same as using myQNAPcloud DDNS + port forwarding. myQNAPcloud Link makes the NAS an HTTPS client instead of a multi-protocol server and as such doesn't need opening ports to the public network. In that regard myQNAPcloud Link is very much secure compared to port forwarding - it can't be attacked directly from the public network, it can't even be identified as a QNAP device.

One problem with VPN is that it provides indiscriminate network access to the NAS or to the LAN, depending on how the VPN access point is configured, to any authorized user. A VPN also requires special client software appropriately configured. Some corporate firewalls only allow HTTPS to pass through to the internet.

All of these characteristics are undesirable, especially for business users, for file-sharing on an ad-hoc basis with 3rd-parties or from some remote locations. On the other hand, myQNAPcloud Link allows access to specific resources by specific users simply from a web browser, via the myQNAPcloud portal or directly via so-called "Smart URLs".

In effect when used for file-sharing, myQNAPcloud Link is more or less equivalent to a file-sharing service such as Google OneDrive or Microsoft OneDrive, the main difference being that the data remains stored on the NAS rather than being copied to, and stored on, the file-sharing service.

So one may want to use both: VPN for trusted members of the organization or family, and myQNAPcloud Link for other users or when VPN can't be used at remote location.

myQNAPcloud Link is not a panacea and is not guaranteed to be 100% secure. No solution is. It's definitely much more secure than port forwarding and easier to set up than VPN. There are downsides to myQNAPcloud Link: reduced throughput inadequate for large transfers, reliance on AWS infrastructure and QNAP software, among others. But, hey, it's free!

IMHO, ignoring the technical aspects, it comes down to a matter of trust: do you trust QNAP more than say, Microsoft or DropBox, for file-sharing services.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Moogle Stiltzkin »

just wondering, but did anyone who used vpn (state if you used vpn server running from router, or you use qvpn from nas, or if you use a different solution like a pivpn from raspberrypi) for remote access get hit by qlocker?

https://www.youtube.com/watch?v=PgielyUFGeQ
https://www.youtube.com/watch?v=zsN47t2r_WU


or anyone who only open port for plex only (nothing else e.g. 8080 qts admin page etc)
https://www.reddit.com/r/PleX/comments/ ... _external/

i'm assuming these cases weren't hit by qlocker, but i'm unsure so i am asking to find out :'


VPN & Remote Working - Computerphile
https://www.youtube.com/watch?v=1mtSNVdC7tM



for client devices like remote devices offsite that want to access the qnap, to setup client vpn is not particularly hard.

if you're using openvpn, use a client vpn app (the default) or one that supports openvpn, then import the ovpn file (that the qnap nas admin provides you), then input your credentials (username and password that was setup for this vpn user), click connect. and that's it. You are now connected to the same network where the QNAP nas is but from over the internet.

Then you just access the NAS as you would normally if you were on the same lan e.g. go to qts, open filestation, drag drop stuff, or just go windows explorer, browse to the nas share, copy/paste/delete etc.

The hard part about vpn is the initial setup for the VPN server where the nas is physically located. The usual recommendation is to setup the vpn server on the router. Lawrence's video provides the step by step for how to do this. It's hard if you don't know anything, but if you are following his guide, it's doable. But once setup, you still should be updating your router firmware, and just basic network admining to ensure nothing is wrong :'


qhora is the qnap router, which has qvpn on it. and the quwan software for making site to site vpn easier. i don't have one myself but looking at the videos, seems easy enough to setup :'
https://www.youtube.com/watch?v=zycw9qlb3tg
Last edited by Moogle Stiltzkin on Thu May 06, 2021 5:39 am, edited 2 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor »

Moogle Stiltzkin wrote: Thu May 06, 2021 4:46 am just wondering, but did anyone who used vpn (state if you used vpn server running from router, or you use qvpn from nas, or if you use a different solution like a pivpn from raspberrypi) for remote access get hit by qlocker?

https://www.youtube.com/watch?v=PgielyUFGeQ
https://www.youtube.com/watch?v=zsN47t2r_WU


or anyone who only open port for plex only (nothing else e.g. 8080 qts admin page etc)
https://www.reddit.com/r/PleX/comments/ ... _external/

i'm assuming these cases weren't hit by qlocker, but i'm unsure so i am asking to find out :'


VPN & Remote Working - Computerphile
https://www.youtube.com/watch?v=1mtSNVdC7tM
I use Plex and have to date had zero issues.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Moogle Stiltzkin »

Skwor wrote: Thu May 06, 2021 5:09 am I use Plex and have to date had zero issues.
ty.

that's what i thought.

plex port forward, safe.

QTS admin web page port forward default 8080 = do not do this :shock: (and especially if you got one of the station apps running on it as well)
https://www.shodan.io/search?query=qnap

here is an old hack (long since patched) how hackers use vulnerabilities to hack into qnap nas
https://www.youtube.com/watch?v=sNZOJI_gD48


if you use vpn i don't think they can do that ya? because they can't connect to you to begin with :'
Desperate-Paul
Getting the hang of things
Posts: 57
Joined: Tue Feb 05, 2013 9:40 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Desperate-Paul »

Hey all

Just in case anyone is searching for this and unsure whether to pay or not (I know I have..):
I have tried all ways known to date to get the password "for free", but I was just one of the stupid/naive/unlucky ones where no method worked;
(I had restarted, because how else can you update the NAS? Why did QNAP not tell me earlier NOT to do that?)

So I paid the ransom.

I was worried to get scammed twice, but feel happy to report that the password I got from the page actually worked.

FIRST IT DIDN'T! :-0 The archive utility app on my Mac just didn't accept the password (imagine my joy! :shock: )
However, I downloaded "the unarchiver" and that one was able to decrypt all files I tried with the password I got.

Overall I waited about 30 min for the website to accept my transaction ID and give me my password. In the meantime the website told me that two confirmations are needed and only 0 (or later 1) confirmation was provided.

For those of you who like a challenge I have uploaded a sample file (encrypted and decrypted), "my" !!!READ_ME.txt and the password I received. Had to zip it, otherwise the forum didn't accept it (no pun intended..)
I hope this will help someone either find a solution, a way to derive a generic password or eventually a way to find these SOBs;

My NAS is an offline-only now, I know how to trade Bitcoin, that Coinbase **, that a live-sync backup between two NAS did not save me from falling victim to this, that I need an additional offline backup and I will further learn how to script on my NAS to decrypt 24TB of pictures in thousands of folders (Juhu)

So overall a great lessons learned that I would rate with 3 stars (-1 one star for the price and -1 star for the missing manual)
nydirac
New here
Posts: 2
Joined: Thu Jul 19, 2018 4:18 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by nydirac »

Hi Paul,

if you need a quick&dirty script to extract all the files in-place you can use this directly on the NAS (via ssh):

viewtopic.php?f=185&t=161003#p789399

basically the script is this (i updated it to skip the deletion when a file cannot be decrypted):

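Code:

#!/bin/bash

# Find every .7z archive below the current directory and extract it in place.
find . -name "*.7z" -exec sh -c '
    for file do
        dir=${file%/*}
        # Delete the archive only if 7z extracted it successfully.
        if 7z x -pYOUR_PASSWORD -aoa "$file" -o"$dir"; then
            rm -f "$file"
        fi
        # Remove the ransom note left in the same directory.
        rm -f "$dir/!!!READ_ME.txt"
    done' sh {} +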
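
A more cautious variant of the in-place restore above, as an added example that is not nydirac's script or QNAP tooling: it tests each archive with the password before touching anything, defaults to a dry run, and never overwrites a file that already exists. It assumes each archive is the original file name plus `.7z`; `restore_tree`, `QLOCKER_PW` and `SEVENZIP` are names made up for this example.

```sh
#!/bin/sh
# Added example: cautious restore of Qlocker archives (not the thread's script).
# Assumptions: every archive is "<original name>.7z" holding that one file,
# QLOCKER_PW holds the password, SEVENZIP names the 7z binary (default: 7z).
SEVENZIP=${SEVENZIP:-7z}

# restore_tree ROOT [apply]
# Default is a dry run: each archive is tested with the password and nothing
# is written or deleted. Counters: RESTORE_OK, RESTORE_FAILED, RESTORE_SKIPPED.
restore_tree() {
    rt_root=$1
    rt_mode=${2:-dry-run}
    RESTORE_OK=0 RESTORE_FAILED=0 RESTORE_SKIPPED=0
    if [ -z "$QLOCKER_PW" ]; then
        echo "set QLOCKER_PW first" >&2
        return 2
    fi
    rt_list=$(mktemp) || return 1
    find "$rt_root" -type f -name '*.7z' > "$rt_list"

    while IFS= read -r rt_archive; do
        rt_dir=${rt_archive%/*}
        rt_target=${rt_archive%.7z}

        # Never overwrite a file that already exists (restored from a backup
        # or created after the attack); keep the archive for manual review.
        if [ -e "$rt_target" ]; then
            echo "SKIP  $rt_archive (target exists)"
            RESTORE_SKIPPED=$((RESTORE_SKIPPED + 1))
            continue
        fi
        # Test first: a wrong password or a damaged archive fails here,
        # before anything on disk has changed. stdin is /dev/null so 7z
        # can neither prompt nor consume the file list.
        if ! "$SEVENZIP" t -p"$QLOCKER_PW" "$rt_archive" </dev/null >/dev/null 2>&1; then
            echo "FAIL  $rt_archive (test)"
            RESTORE_FAILED=$((RESTORE_FAILED + 1))
            continue
        fi
        if [ "$rt_mode" = apply ]; then
            # -aos skips existing files; the archive is deleted only after
            # extraction succeeded and the restored file is really there.
            if "$SEVENZIP" x -p"$QLOCKER_PW" -aos -o"$rt_dir" "$rt_archive" \
                    </dev/null >/dev/null 2>&1 && [ -e "$rt_target" ]; then
                rm -f -- "$rt_archive"
            else
                echo "FAIL  $rt_archive (extract)"
                RESTORE_FAILED=$((RESTORE_FAILED + 1))
                continue
            fi
        fi
        echo "OK    $rt_archive"
        RESTORE_OK=$((RESTORE_OK + 1))
    done < "$rt_list"
    rm -f -- "$rt_list"
    [ "$RESTORE_FAILED" -eq 0 ]
}

# Usage (the path is a placeholder): restore_tree /path/to/share
#                                    restore_tree /path/to/share apply
```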
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by spile »

Mousetick wrote: Thu May 06, 2021 4:35 am QNAP is suggesting using myQNAPcloud Link, which is not at all the same as using myQNAPcloud DDNS + port forwarding. myQNAPcloud Link makes the NAS an HTTPS client instead of a multi-protocol server and as such doesn't need opening ports to the public network. In that regard myQNAPcloud Link is very much secure compared to port forwarding - it can't be attacked directly from the public network, it can't even be identified as a QNAP device.

One problem with VPN is that it provides indiscriminate network access to the NAS or to the LAN, depending on how the VPN access point is configured, to any authorized user. A VPN also requires special client software appropriately configured. Some corporate firewalls only allow HTTPS to pass through to the internet.

All of these characteristics are undesirable, especially for business users, for file-sharing on an ad-hoc basis with 3rd-parties or from some remote locations. On the other hand, myQNAPcloud Link allows access to specific resources by specific users simply from a web browser, via the myQNAPcloud portal or directly via so-called "Smart URLs".

In effect when used for file-sharing, myQNAPcloud Link is more or less equivalent to a file-sharing service such as Google OneDrive or Microsoft OneDrive, the main difference being that the data remains stored on the NAS rather than being copied to, and stored on, the file-sharing service.

So one may want to use both: VPN for trusted members of the organization or family, and myQNAPcloud Link for other users or when VPN can't be used at remote location.

myQNAPcloud Link is not a panacea and is not guaranteed to be 100% secure. No solution is. It's definitely much more secure than port forwarding and easier to set up than VPN. There are downsides to myQNAPcloud Link: reduced throughput inadequate for large transfers, reliance on AWS infrastructure and QNAP software, among others. But, hey, it's free!

IMHO, ignoring the technical aspects, it comes down to a matter of trust: do you trust QNAP more than say, Microsoft or DropBox, for file-sharing services.
That is pretty much my view. It didn’t help that Qnap used virtually the same brand for a product that uses port forwarding and one that doesn’t.
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by spile »

I have found Pivpn (I run Wireguard) on a Raspberry Pi secure, reliable and cost effective.
I have no intention of changing my router and I really do not want to place another service on my NAS. Having a separate appliance gives me a lot of flexibility and the RPI has a great user base.
AreBee
First post
Posts: 1
Joined: Fri May 07, 2021 5:50 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by AreBee »

icetealight wrote: Wed May 05, 2021 6:58 pm UPDATE 06.05.2021: Possibility tested -> failed

UPDATE

If you are obliged to make a payment on Wallet

3DhE1iZ5Ui6HALVKuuYXW52ArZPVJjUgJA

We can try to get your password - let me know
I have to make a payment on wallet 3BDr52JBkcwqFfupbSHKzgFKhtoMYqTxUn

Can you retrieve that password as well? I did not and will not pay.
Briain
Experience counts
Posts: 1749
Joined: Tue Apr 20, 2010 11:56 pm
Location: Edinburgh (Scotland)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Briain »

Hi Folks

I've just read the entire thread and I've also been following all of this unfolding via other outlets. Firstly, I genuinely find it heart breaking to hear of all these poor people who've lost everything (like the chap in this video; what a terrible situation to find yourself in: https://www.youtube.com/watch?v=S_4p68lDWfA&t=4s). Having watched Steve Gibson's Security Now! podcasts for over a decade, I have lost count of the amount of devices that have been compromised via hard coded credentials being buried in the code, so I'd not single out Qnap in that regard, however, they have blotted their copybook by taking months to patch the two vulnerabilities reported to them by the white hat researchers a few months back and I hope that they pull their socks up and don't let that delay occur ever again.

As to apportioning blame, to me there's a bigger issue here and that is one of public education about the safety of exposing anything to the Internet. Okay, modern NAS units are sold with all such exciting features, but the NAS vendors should really be including a big, bold, red lettered warning notice about the potential dangers of actually using them (and routers should be sold with prominent warning notices about the dangers of enabling UPnP, or opening ports) but I think that in an ideal world, governments would now be pressing schools and media companies into educating the general public about Internet safety (e.g. if a big breach makes it to the public news broadcasts, perhaps they ought to add a few comments about not opening ports to the Internet, etc) otherwise I can see this sort of event being repeated ad infinitum.
Ericnepean wrote: Mon May 03, 2021 4:55 am
---cut---

You want to put your security features in something that ransomware developers isn't tied directly to QNAP. We all have a QNAP box. But some of us have Dlink routers, others Netgear, a few of us have Zyxel firewalls, others have pfSense. Undoubtedly some ASUS, TPlink, Sonicwall and Linksys and probably a few that I missed.

Put your security in your firewall or router appliance. Perhaps get an even better router or firewall that will support VPNs. There's no 100% guarantee of safety, but this will at least make it more difficult for them.
I totally agree with your thoughts and just by means of an example, below illustrates the lengths that I have gone to regarding segmenting networks and backing up my main NAS:

Network
For my small business customers I always chuck away their ISP supplied router (I've encountered a few 'disasters' in ISP router firmwares) and replace it with a Draytek (anyone can make mistakes, but I trust them far more than I'd trust an ISP to get things right). For my home, I've been using Sophos UTM for years (with https inspection and AV at my network boundary) and a bunch of VLANs to separate different trust groups (so my TV and streaming box is on one subnet; my NAS and PCs are on another subnet, all these with my CA installed; I have one subnet containing only a device which collects Ubiquiti WAP heartbeats; I have another subnet dedicated to a public facing device, which has been hardened and is also pumped via a reverse proxy; yet another subnet is used for IoT devices (they also hide behind a second router as Sophos UTM home is limited to 50 IP addresses)). I'm uncertain of the longevity of UTM, but when it does eventually get wound down, I'll certainly be moving over to pfSense, but whatever the 'router' choice, I now see network segmentation as being a key requirement for home networks (at least two, just to give you separation between trusted and untrusted devices). Of course, I've been on this forum for a few years and I'd never dream of opening ports to my Qnap and as illustrated above, I'd not let any untrusted devices sit on the same subnet as my Qnap; the cost of failure is simply too high!

NAS Backup
As to backups (and the need for same) I run 3 Qnaps; my main one and two mirrors of that (and I have an off-site backup, but Covid has kept me from accessing it, so it's way out of date). These 2 local mirrors are powered up only when I wish to make a backup and in addition, the smallest of these (an old TS-219P) is normally left (disconnected) in a bag which resides at my bedroom door, so if there is a fire, hopefully I can quickly grab it on the way out. I should add that all of the above network and backup complexity is a lot of work and that I am the sole occupant of this building, but for many years I've been convinced that what I do - basically running an enterprise type network and lots of backups - is necessary and these days, I believe it to be even more necessary than it ever was.

What I've been wishing (for the past few years) that Qnap would do:
Back to Qnap and one thing I'd love to see from Qnap would be a supported basic build (preferably a Debian build) containing the basic essentials for a business user who only wishes a robust file store. By that, I mean it should contain the drivers for the LED and disk lights, a basic and easy to use local share-share backup utility, simple and customer friendly RAID and disk failure management and that's about it (in my case, I'd want to install a couple of other things - like JRE and MinimServer - so a minimalist Debian build would be ideal for me). Where I would agree with that poor, unfortunate chap (as in the one I linked to in my first paragraph) is that the Qnap interface now looks more like an iPad and that people like him (and indeed myself) simply don't need nor want all that stuff; we're looking for a nice, robust file store to sit on our LANs and that's it. Of course, this is not a Qnap problem; all these NAS vendors keep bundling complexity to keep up with each other and the more complexity you add the more of a potential attack surface you create (not to mention the more chances of bugs in the code).

Anyhow, that's my thoughts for the day.
All the best to all and I hope y'all have a nice weekend,
Briain
TS-119, 1 X Seagate ~~ TS-219, 2 X Seagate (R1) ~~ TS-453A, 2 X 3 TB WD Red (R1) ~~ TS-659, 5 X 1 TB Hitachi Enterprise (R6)
APC Smart-UPS 750
mjhfx1
New here
Posts: 5
Joined: Tue Dec 15, 2020 10:07 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by mjhfx1 »

Upon seeing my device was attacked, I panicked and shut down the device, not knowing Qnap's advisory (why doesn't it email the users? I am registered.)

Anyway, what to do now? I accept that my files have already been lost. I have changed UPnP settings, etc. Now the system is painfully slow. Can't open the App Center. Can I continue to use the system? How do I prevent further breaches? Your advice will be appreciated.
mjhfx1
New here
Posts: 5
Joined: Tue Dec 15, 2020 10:07 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by mjhfx1 »

I can't even seem to be able to pay the ransom. When I tried, a box pops out: Please login. When I click OK, the screen goes back to "Enter the appeared Client Key in the field below. If succeed, you'll be provided with a Bitcoin account to transfer payment. " An endless loop.
xtreme
Starting out
Posts: 39
Joined: Sun Aug 07, 2011 6:49 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by xtreme »

I feel sorry for you people who were hit by this QLOCKER.
Doing manual backups can be too hard and many people won't even do a single one. I used to buy CDs to backup, then DVDs, then Blurays, but I never kept up-to-date backups of the recent files and suddenly in one unlucky day both of my Maxtor HDDs broke and I lost literally everything from my early life. Nowadays I use Western Digital drives and they seem to last much longer but many have failed in my use.

These Ransomwares are becoming a bit creepy. Some (many?) people nowadays keep their Media files ONLY in the NAS.

I have an idea of an Automated backup (not the best but much better than no backups)

NAS: Automated Backups to (Network share) of the NAS
PC: Automated Archiving of the Backups from the (Network share) to HDD on the PC

What do you think?
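
The PC-side archiving step proposed above, sketched as an added example (not code from the thread): dated snapshots are pulled onto a disk the NAS cannot write to, and the job refuses to snapshot or prune when the share shows the Qlocker signs mentioned in this thread (`!!!READ_ME.txt` notes, files turned into `.7z`), so an encrypted share never replaces the last good copies. `looks_encrypted`, `archive_share`, the 20% threshold and the directory layout are assumptions of this example.

```sh
#!/bin/sh
# Added example: PC-side pull archiving of a NAS backup share (not from the thread).
# Assumptions: SHARE is the NAS backup share mounted read-only on the PC,
# DEST is a local disk the NAS cannot write to and that holds only snapshots.

# looks_encrypted DIR [MAX_PERCENT]
# Returns 0 (suspicious) if a Qlocker ransom note is present or more than
# MAX_PERCENT of the files end in .7z (heuristic threshold, default 20).
looks_encrypted() {
    le_dir=$1
    le_max=${2:-20}
    le_notes=$(( $(find "$le_dir" -type f -name '!!!READ_ME.txt' | wc -l) ))
    le_total=$(( $(find "$le_dir" -type f | wc -l) ))
    le_7z=$(( $(find "$le_dir" -type f -name '*.7z' | wc -l) ))
    if [ "$le_notes" -gt 0 ]; then return 0; fi
    if [ "$le_total" -gt 0 ] && [ $((le_7z * 100 / le_total)) -gt "$le_max" ]; then
        return 0
    fi
    return 1
}

# archive_share SHARE DEST [KEEP]
# Copies SHARE into DEST/<timestamp>/ and keeps the newest KEEP snapshots.
# Returns 3 without copying or pruning when SHARE looks encrypted.
archive_share() {
    as_share=$1
    as_dest=$2
    as_keep=${3:-7}
    if looks_encrypted "$as_share"; then
        echo "ALERT: $as_share shows ransomware indicators, nothing copied or pruned" >&2
        return 3
    fi
    as_snap=$as_dest/$(date +%Y%m%d-%H%M%S)
    mkdir -p "$as_snap" || return 1
    cp -Rp "$as_share/." "$as_snap/" || return 1

    # Snapshot names sort chronologically, so the glob lists the oldest first.
    set -- "$as_dest"/[0-9]*/
    while [ "$#" -gt "$as_keep" ]; do
        rm -rf -- "$1"
        shift
    done
}
```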