[RANSOMWARE] Qlocker

ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Just checked. The ransom for me is $755 in Australian dollars. No, I didn't pay it.

Where does one go to see if any geniuses are trying to crack the Qlocker pwd code? Is there a thread on Beep or some other place? Who knows, they may crack it sooner rather than later. Any time is better than not at all.
Last edited by ozstar on Sat May 08, 2021 8:08 am, edited 1 time in total.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Unless the keyserver gets captured, doubt there is anything to "crack".

Most systems have pretty solid random generators...
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Thanks dolbyman. Yes, sadly you are correct. But one must have hope, no matter how small it may be :-)

For those who are interested..

I had success with PhotoRec, but there was no folder structure or filenames, just numbers. It's a great program, but I want names if I can.
EaseUS grouped files in many ways: file extensions, cameras, many image extensions (psd, jpg, png, etc.), also some file names such as MP3s and some PDFs. I found this the better of the bunch I tried. At least there is some structure to piece them all together.
Stellar found them all, however very few were named and it was not as clear-cut as EaseUS.
GetBackData could not read from the Linux drive even when connected by USB to a PC.
NasRecoveryData: just numbered files.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
Barboots
Getting the hang of things
Posts: 53
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots »

ozstar wrote:... I want names if I can.
Hi from Perth. That AUD ransom is brutal mate... I sympathise.

When these recovery programs scrape up image files, is the EXIF data no longer embedded?

Best of success recovering, Steve
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Thank you Steve.

Did you get caught ?

It's a messy task trying to piece it all together!

These are the recovered deleted files that previously 7z'd.

At least the files that they 7z'd still have the names and the correct file size, although nothing else.

With Duplicate Photo Cleaner hopefully I will be able to compare the files with ones I have scattered around on various drives, then rename them or at least see others of the same time.

Yes, some of the files do have the complete EXIF details, however many don't, although I'm not sure if they did when they got to me anyway.

EaseUS has separated the camera files into camera company folders and they have the info.

Thanks again.

oz
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
Erik63
Starting out
Posts: 12
Joined: Mon Nov 05, 2012 2:29 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Erik63 »

Qlocker victim here as well. However, solid backups in place so I will not concede to the ransom. Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates , long passwords, two factor logins and [added] 'non-essential' [added] ports closed.

Just adding this to express my utter disgust with the way Qnap handled and still handles this breach. The lack of communication is appalling and shows their lack of commitment and professionalism.

As the ransom outweighs the cost of a NAS I'll be switching to something else. Anyone considering alternative brands already? Which ones?
Last edited by Erik63 on Mon May 10, 2021 1:43 am, edited 1 time in total.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor »

Erik63 wrote: Sat May 08, 2021 7:58 pm Qlocker victim here as well. However, solid backups in place so I will not concede to the ransom. Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates , long passwords, two factor logins and closed ports.

Just adding this to express my utter disgust with the way Qnap handled and still handles this breach. The lack of communication is appalling and shows their lack of commitment and professionalism.

As the ransom outweighs the cost of a NAS I'll be switching to something else. Anyone considering alternative brands already? Which ones?
If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out you have or had some ports open in your NAS and router allowing it to be seen from the internet.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
Erik63
Starting out
Posts: 12
Joined: Mon Nov 05, 2012 2:29 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Erik63 »

Skwor wrote: Sat May 08, 2021 11:33 pm If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out you have or had some ports open in your NAS and router allowing it to be seen from the internet.
That's stating the obvious. What I meant to say was that the way they managed to access the system is quite unsettling, at least to me. Me being careful had no effect at all.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor »

Erik63 wrote: Sun May 09, 2021 1:06 am
Skwor wrote: Sat May 08, 2021 11:33 pm If all your ports from the router and NAS were closed to the internet they would not have gotten in. I am not saying to trust QNAP at all, just pointing out you have or had some ports open in your NAS and router allowing it to be seen from the internet.
That's stating the obvious. What I meant to say was that the way they managed to access the system is quite unsettling, at least to me. Me being careful had no effect at all.
Not really obvious, the way you stated, it came across as if even with closed ports one could have been attacked successfully. There is already enough confusion on how to use a NAS and what internet security is.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by AlastairStevenson »

Not knowing how they got in without leaving a trace has crushed my trust in meticulous updates , long passwords, two factor logins and closed ports.
How do you know that all ports were closed?
You don't have to explicitly configure port forwarding on the router for inbound access to be possible.
It's very common for people to be caught out if UPnP is enabled on the router (often is by default) which then allows any device on the LAN to instruct the router to open up inbound access.

In addition to your careful checking of configurations, do an inbound access test with one of the various checking tools, for example Steve Gibson's ShieldsUp! :
https://www.grc.com/x/ne.dll?bh0bkyd2

Initially test 'All service ports' then 'Common ports' then a custom range that includes your QTS admin port - by default 8080.
You might find something that needs attention, such as the QNAPCloud configuration being enabled.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
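As an added example (not part of Alastair's post, and not a QNAP or router vendor tool), here is a read-only check of what UPnP has actually opened on the router: the mappings that a LAN device requested for itself and that never appear on the router's manual port-forwarding page. It speaks standard UPnP IGD (SSDP discovery, then the WANIPConnection:1 GetGenericPortMappingEntry action), so it works with any router that has UPnP enabled. The sample description and response embedded in it are constructed fixtures, and the set of "NAS admin ports" it flags is an assumption beyond the 8080 named above. Run it from a host on the LAN; its output should agree with an external scan such as ShieldsUp, and any mapping you did not create yourself is the one to investigate.

```python
"""Read-only UPnP IGD client that lists a router's inbound port mappings.
Added example (not from the thread): standard SSDP discovery plus the WANIPConnection:1
GetGenericPortMappingEntry action; it never changes a mapping. SAMPLE_* are constructed fixtures."""
import socket
import urllib.request
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin

SSDP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# 8080 is the QTS admin port named in the post above; 443 is an added assumption.
NAS_ADMIN_PORTS = {8080, 443}

def ssdp_discover(timeout=2.0):
    """Multicast an M-SEARCH for gateways and return the LOCATION URLs that answer."""
    msg = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP[0]}:{SSDP[1]}\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP)
        try:
            while True:                      # collect replies until the socket times out
                data, _ = s.recvfrom(4096)
                for line in data.decode(errors="replace").split("\r\n"):
                    if line.lower().startswith("location:"):
                        found.add(line.split(":", 1)[1].strip())
        except socket.timeout:
            pass
    return sorted(found)

def control_url_from_description(xml_text, base_url):
    """Find the WANIPConnection:1 service in the device description and resolve
    its controlURL against the URL the description was fetched from."""
    for svc in ET.fromstring(xml_text).iterfind(".//{*}service"):
        if svc.findtext("{*}serviceType", "").strip() == WANIP:
            return urljoin(base_url, svc.findtext("{*}controlURL", "").strip())
    return None

def build_mapping_request(index):
    """SOAP body asking for entry `index` of the router's mapping table."""
    return ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{ACTION} xmlns:u="{WANIP}">'
            f"<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>"
            f"</u:{ACTION}></s:Body></s:Envelope>")

def parse_mapping_response(xml_text):
    """One GetGenericPortMappingEntry response -> dict keyed without the 'New' prefix."""
    m = {}
    for e in ET.fromstring(xml_text).iter():
        name = e.tag.rsplit("}", 1)[-1]          # strip the XML namespace
        if name.startswith("New"):
            m[name[3:]] = (e.text or "").strip()
    for k in ("ExternalPort", "InternalPort", "LeaseDuration"):
        m[k] = int(m.get(k) or 0)
    m["Enabled"] = m.get("Enabled") == "1"
    return m

def is_nas_exposure(m):
    """True when an active mapping lands on a NAS admin port inside the LAN."""
    return m["Enabled"] and m["InternalPort"] in NAS_ADMIN_PORTS

def list_mappings(control_url, limit=256):
    """Walk the table by index; routers fault (HTTP 500, UPnP error 713) past the last entry."""
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#{ACTION}"'}
    out = []
    for i in range(limit):
        req = urllib.request.Request(control_url, method="POST", headers=hdrs,
                                     data=build_mapping_request(i).encode())
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                out.append(parse_mapping_response(r.read()))
        except HTTPError:
            break
    return out

SAMPLE_DESCRIPTION = (  # constructed, trimmed to the parts the client reads
    '<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceList><device>'
    f"<serviceList><service><serviceType>{WANIP}</serviceType>"
    "<controlURL>/ctl/IPConn</controlURL></service></serviceList>"
    "</device></deviceList></device></root>")
SAMPLE_RESPONSE = (  # constructed: a mapping a NAS might have requested for itself
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:{ACTION}Response xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>'
    "<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>8080</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>"
    "<NewEnabled>1</NewEnabled><NewPortMappingDescription>QNAP NAS</NewPortMappingDescription>"
    f"<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>")

if __name__ == "__main__":
    for loc in ssdp_discover():
        with urllib.request.urlopen(loc, timeout=5) as r:
            ctl = control_url_from_description(r.read(), loc)
        for m in (list_mappings(ctl) if ctl else []):
            flag = "  <-- NAS admin port reachable from the internet" if is_nas_exposure(m) else ""
            print(f"{m['Protocol']} {m['ExternalPort']} -> {m['InternalClient']}:"
                  f"{m['InternalPort']} ({m['PortMappingDescription']}){flag}")
```

The client stops at the first SOAP fault because that is how IGD signals the end of the table; a router that returns an empty table with UPnP on is still a liability, since any LAN device can add an entry at any time, so the real fix is disabling UPnP on the router (and the corresponding auto-forwarding option on the NAS) rather than auditing the table.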
elmaxlo
First post
Posts: 1
Joined: Sun May 09, 2021 8:18 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by elmaxlo »

Eternic wrote: Thu Apr 22, 2021 2:18 am For anyone like me that is in the ** situation of deciding to pay up to get the 7z password, I've done so (luckily I already have a bitcoin wallet with enough) and I'm working through fixing my files now. If you're on Windows and accessing the files through explorer, the following is a batch script that I want it to be clear is not something I think you should use, and if you do you should back up the folders before running it just in case. If you use this script correctly or incorrectly and have any data loss please do not blame me. Do not use it if you are going to be this person. If you don't know anything about batch files then don't use it. Also please create some test folders and 7z files and try it there first.

In order for the script to work on a network folder you'll need to map that folder or a parent folder to a drive letter (e.g. Z:). Create a batch file (e.g. FixMyStuff.bat) and place it in the folder you want fixed. It will extract any 7z files in that folder and any child folders and then delete them. You can remove the 3rd line that deletes the 7z files if you choose. The script is:


dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
for /F "delims=" %%x in (allzips.txt) do del "%%x"
Note that this creates an allzips.txt that the script does not delete. This is what I want. You can add a line to delete allzips.txt at the end, or you can rewrite the for loop to just do the (dir /s /b *.7z) internally. Where "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" is, you will insert the password you get from giving the pieces of garbage your hard-earned money because you were careless with your security and mistakenly trusted your NAS. You can also add lines to find and delete the !!!READ_ME.txt files, but I'll do that separately afterwards personally. You will also need to change the path to 7z.exe to wherever you have it installed.

Again, please do not use this unless you know what you are doing and take every precaution. I'm only posting it to save people some time in this ** situation and I don't want to make it worse for them if there are any issues with this script. I have not tested it on all my files yet but so far it has worked fine.

EDIT: Also note that if you have legitimate 7z files this will extract and delete them. You can separate the first line into a separate batch file and remove any 7z files you want left untouched from the allzips.txt and then run a second batch file that does the loops. You could probably also write something better that checks file modification times and only extracts files modified after a time you specify relevant to when you were hit.



Hello,

Thanks for your script. I have a server with very important data that is completely encrypted. We paid and received the code to unzip.

The script seems to work but asks me each time to validate the overwrite or rename for each file.

Is it possible to adapt the script, or find some other solution, so that everything is done at once?

thank you in advance
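The prompts elmaxlo is seeing come from 7-Zip asking what to do when the output file already exists. 7-Zip's -y switch answers every query, and the -ao switch sets the overwrite policy (-aos skip existing, -aou rename the extracted copy, -aoa overwrite), so inserting "-y -aos" after "e" in the batch line quoted above is the one-word fix. What follows is an added example, not code from the thread or from any poster, that does the same job in Python and adds the safeguards Eternic's EDIT asks for: a modification-time cutoff so an archive that predates the incident is left alone, deletion of an archive only when 7-Zip exits 0, and a dry run by default. It assumes 7-Zip's command-line binary is installed (pass its path if it is not on PATH); the sample share it builds and every file name in it are constructed test data, and only the ransom note name !!!READ_ME.txt comes from the thread.

```python
"""Bulk-extract the password-protected .7z archives a ransomware run left behind,
without the per-file overwrite prompts of a bare "7z e" loop.

Added example, not from the thread. Assumes 7-Zip's command-line binary is on PATH
(or pass seven_zip=r"C:\Program Files\7-Zip\7z.exe"). The ransom note name is the one
quoted in the thread; demo_tree() builds constructed sample data."""
import os
import subprocess
import tempfile
import time
from pathlib import Path

RANSOM_NOTE = "!!!READ_ME.txt"
COLLISION = {"skip": "-aos", "rename": "-aou", "overwrite": "-aoa"}

def find_archives(root, since=None):
    """All .7z files under root, sorted. With `since` (epoch seconds) only archives
    modified at or after that time are returned, so a legitimate archive that
    predates the incident is never touched."""
    hits = []
    for path in Path(root).rglob("*.7z"):
        if path.is_file() and (since is None or path.stat().st_mtime >= since):
            hits.append(path)
    return sorted(hits)

def build_7z_command(archive, password, seven_zip="7z", on_collision="skip"):
    """argv for one extraction: 'x' keeps the archive's internal paths, -y answers
    every prompt, and the -ao switch decides what happens when the target already
    exists (skip by default, so a copy recovered some other way is not clobbered).
    -p on the command line is visible in the process list: fine on a single-user
    box, not on a shared one."""
    archive = Path(archive)
    return [seven_zip, "x", "-y", COLLISION[on_collision],
            f"-p{password}", f"-o{archive.parent}", str(archive)]

def extract_all(root, password, since=None, seven_zip="7z",
                on_collision="skip", delete_ok=False, dry_run=True):
    """Extract every matching archive and return (archive, exit_code) pairs.
    With dry_run (the default) the plan is built but nothing runs (exit code None).
    An archive is removed only when delete_ok is set AND 7-Zip returned 0."""
    results = []
    for archive in find_archives(root, since):
        cmd = build_7z_command(archive, password, seven_zip, on_collision)
        if dry_run:
            results.append((archive, None))
            continue
        rc = subprocess.run(cmd, capture_output=True).returncode
        results.append((archive, rc))
        if rc == 0 and delete_ok:
            archive.unlink()
    return results

def find_ransom_notes(root):
    """Notes to remove as a separate, final step (keep one copy as evidence)."""
    return sorted(Path(root).rglob(RANSOM_NOTE))

def demo_tree():
    """Constructed sample share: two archives 'from the attack' dated now, one
    legitimate backup archive dated 60 days ago, one note. Returns (root, cutoff)."""
    root = Path(tempfile.mkdtemp())
    now = time.time()
    for rel, age_days in [("photos/holiday.jpg.7z", 0), ("docs/tax2020.pdf.7z", 0),
                          ("old/legit_backup.7z", 60), ("photos/" + RANSOM_NOTE, 0)]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))
    return root, now - 30 * 86400   # cutoff: anything older is treated as pre-incident

if __name__ == "__main__":
    root, cutoff = demo_tree()
    for archive, _ in extract_all(root, "PASSWORD_FROM_ATTACKER", since=cutoff):
        print("would extract", archive.relative_to(root))
    print("notes:", [str(n.relative_to(root)) for n in find_ransom_notes(root)])
```

Run it once with the default dry run against a copy of the share, check that the list contains only archives the attack created, then rerun with dry_run=False; keep delete_ok=False until you have spot-checked the extracted files, because 7-Zip exit code 1 means "warning" (for example a skipped file) and is deliberately not treated as success here.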
Barboots
Getting the hang of things
Posts: 53
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots »

ozstar wrote:Thank you Steve.

Did you get caught ?

It's a messy task trying to piece it all together!

These are the recovered deleted files that previously 7z'd.

At least the files that they 7z'd still have the names and the correct file size, although nothing else.

With Duplicate Photo Cleaner hopefully I will be able to compare the files with ones I have scattered around on various drives, then rename them or at least see others of the same time.

Yes, some of the files do have the complete EXIF details, however many don't, although I'm not sure if they did when they got to me anyway.

EaseUS has separated the camera files into camera company folders and they have the info.

Thanks again.

oz
Fortunately Oz, and honestly with an element of luck, no. My Asus router has flashing yellow text on the home page of the interface warning of UPnP being enabled. I know this, as a while back... in a frustrated effort to get some stuff working, I turned it on... and forgot to disable it afterwards. I was reminded next time I logged in to the router. I'm lucky this previous oversight didn't take place during the outbreak. Of course UPnP was enabled on the NAS (default???), so I would definitely have been in the same boat. Or perhaps not, as I had disabled HBS along with a load of schnik-schnak apps. I think that was as a result of some warning I'd caught online which reduced my confidence in QNAP security. Luck at play again.

I use a VPN for remote access and have untrustworthy devices isolated. I've received the security lecture on a surveillance forum and have "done the needful". Still, a couple of clicks trying to sort out a network issue can bring all good efforts undone.

Probably my main remaining mistake following the current review is that nearly all my backups were online (during extended working hours) on the network. My previous offsite became a non-option 18 months ago.

I really feel for everyone affected. My position is that this equipment should be better, with audits and warnings regarding loose security. I certainly don't lay blame on the user... these are consumer products.

I hope you can get back to where you were, or near enough to be OK with it.

Cheers, Steve
rp333
First post
Posts: 1
Joined: Sun Oct 25, 2020 1:34 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by rp333 »

I never played with BC, any good guide or way on how to transfer BC to these hackers?

Thoughts? Is there a possibility that after some time they dismantle this hacker group and folks who did not pay may not be able to get the password even if they want it then? Or once they collect enough $ they may just release the password for all users online?

Like many users, I also had UPnP enabled on the router, however no specific port forward. I think my system was compromised on 4/22, and when I logged in around 5/4 the system popped up asking me to reload and apply new firmware... I blindly did that and reloaded the system. I think QNAP is at big fault here... they should have copied the password that was saved in the system before the reload and firmware update... after all, it came through their app too.
Napo67
Starting out
Posts: 10
Joined: Sat Sep 05, 2015 6:58 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Napo67 »

Qnap knew about these vulnerabilities used by the qlocker for a long time...

https://securingsam.com/new-vulnerabili ... -takeover/
elvisimprsntr

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by elvisimprsntr »

Napo67 wrote:Qnap knew about these vulnerabilities used by the qlocker for a long time...

https://securingsam.com/new-vulnerabili ... -takeover/
More evidence supporting my decision to never ever buy a QNAP product again and why I am actively migrating my existing QNAP NAS units to TrueNAS. The entire QNAP company from leadership to software engineering are run by a bunch of inept people who could care less about customers once they get their money from the initial purchase. Anyone who still works for them should be disgraced.