[RANSOMWARE] Qlocker

QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by QNAPDanielFL »

elvisimprsntr wrote: Mon May 10, 2021 4:11 am
Napo67 wrote:Qnap knew about these vulnerabilities used by the qlocker for a long time...

https://securingsam.com/new-vulnerabili ... -takeover/
More evidence supporting my decision to never ever buy a QNAP product again and why I am actively migrating my existing QNAP NAS units to TrueNAS. The entire QNAP company from leadership to software engineering are run by a bunch of inept people who could care less about customers once they get their money from the initial purchase. Anyone who still works for them should be disgraced.
This vulnerability referred to is not the Qlocker vulnerability and it was patched before the Qlocker outbreak.
cjlist
First post
Posts: 1
Joined: Wed May 12, 2021 12:40 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by cjlist »

A HUGE warning! We just threw away $2k CAD. We followed all the procedures for sending the increased ransom of 0.03 Bitcoins, but when I went to actually post the transaction ID on their TOR webbrowser, it had logged me out of my client id without telling me, but proceeded to take my money anyway. When I logged back in it was still asking me for payment, so I lost my money and received no key! These criminals are sub-human, despicable creatures who get off on others' pain. Unfortunately my entire life was on my NAS. I am at a loss. QNAP has to be held responsible. They absolutely deserve to be put out of business as a result of this disgraceful gross negligence on their part.
brobertson4
First post
Posts: 1
Joined: Wed May 12, 2021 6:14 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by brobertson4 »

Sounds like a good time to band together for a class action lawsuit for failure to properly protect their product and for the losses we have incurred.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor »

cjlist wrote: Wed May 12, 2021 12:53 am A HUGE warning! We just threw away $2k CAD. We followed all the procedures for sending the increased ransom of 0.03 Bitcoins, but when I went to actually post the transaction ID on their TOR webbrowser, it had logged me out of my client id without telling me, but proceeded to take my money anyway. When I logged back in it was still asking me for payment, so I lost my money and received no key! These criminals are sub-human, despicable creatures who get off on others' pain. Unfortunately my entire life was on my NAS. I am at a loss. QNAP has to be held responsible. They absolutely deserve to be put out of business as a result of this disgraceful gross negligence on their part.
Truly I understand your frustration and anger. While I believe QNAP needs to get much more serious about how they market and secure their devices I do not think destroying hundreds if not thousands of jobs over this is the right answer.

All that being said I do not understand why, for your life’s effort, you did not have a back up? Anything I consider that valuable in a digital foot print I have backed up 3-2-1 and I have a second fully independent back up from that as well. Things like tax records, high value family photos etc.

I know it is hard to hear but you also had some responsibility to treat such data with the due respect and have a redundant back up plan.

If my house burns down I am still secure with off site back ups, if off site goes down I am secure with local, if all live digital storage goes dead I have a cold storage plan for said data.
Last edited by Skwor on Wed May 12, 2021 6:37 am, edited 1 time in total.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
elvisimprsntr

[RANSOMWARE] 4/20/2021 - QLOCKER

Post by elvisimprsntr »

brobertson4 wrote:Sounds like a good time to band together for a class action lawsuit for failure to properly protect their product and for the losses we have incurred.
https://www.qnap.com/service/product-wa ... pup-terms1

 In no event shall QNAP and its partners or its employees, shareholders, contractors, (and others) assume responsibility for damages (including but not limited to hardware and system damage, loss of data, any other financial loss), interruption of remote support services, or any content obtained through remote support services.
Good luck with that!
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Don't tell me users did not read the T&C
https://en.wikipedia.org/wiki/HumancentiPad
livelynet
New here
Posts: 3
Joined: Fri Nov 01, 2019 7:10 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by livelynet »

UPDATE on our client's "2" NAS systems locked with QLocker

1. We tried the QLocker unlock posted in Bleeping Computer with no luck :(
2. We have been in contact with QNAP Support and they did send us a QLocker app to install BUT IT HAS NOT WORKED AND AWAITING QNAP SUPPORT TO RESPOND - 5 DAYS NOW
3. We also contacted the client's insurance company after having a firm look at unlocking the files
4. The firm "https://monstercloud.com/" looked at the project and after paying fee to LOOK at them quoted almost $20,000.00 plus to recover the files with a 97% success rate or no charge.
5. We are waiting for QNAP support to respond before the 30 days expires with Monster Cloud quote to have them do the file recovery and turn it in to the client's insurance.

Yes we also read the statement " In no event shall QNAP and its partners or its employees, shareholders, contractors, (and others) assume responsibility for damages (including but not limited to hardware and system damage, loss of data, any other financial loss), interruption of remote support services, or any content obtained through remote support services."

So I told the client that QNAP is at least trying with the QLocker app to do something, but it also shows everyone here what the true value of the client's business data is worth.
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

Those security companies are a joke..all they do is pay the ransom and pocket the rest
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor »

livelynet wrote: Wed May 12, 2021 9:55 pm UPDATE on our client's "2" NAS systems locked with QLocker

1. We tried the QLocker unlock posted in Bleeping Computer with no luck :(
2. We have been in contact with QNAP Support and they did send us a QLocker app to install BUT IT HAS NOT WORKED AND AWAITING QNAP SUPPORT TO RESPOND - 5 DAYS NOW
3. We also contacted the client's insurance company after having a firm look at unlocking the files
4. The firm "https://monstercloud.com/" looked at the project and after paying fee to LOOK at them quoted almost $20,000.00 plus to recover the files with a 97% success rate or no charge.
5. We are waiting for QNAP support to respond before the 30 days expires with Monster Cloud quote to have them do the file recovery and turn it in to the client's insurance.

Yes we also read the statement " In no event shall QNAP and its partners or its employees, shareholders, contractors, (and others) assume responsibility for damages (including but not limited to hardware and system damage, loss of data, any other financial loss), interruption of remote support services, or any content obtained through remote support services."

So I told the client that QNAP is at least trying with the QLocker app to do something, but it also shows everyone here what the true value of the client's business data is worth.
Like dolbyman already stated, that firm you contacted likely already paid the ransom for your files using the info you gave them, somewhere around 500 to 1500 dollars US and has the key already. They are no better than the hackers themselves. Extortion is extortion.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

livelynet wrote: Wed May 12, 2021 9:55 pm 4. The firm "https://monstercloud.com/" looked at the project and after paying fee to LOOK at them quoted almost $20,000.00 plus to recover the files with a 97% success rate or no charge.
So your customer paid that bunch the ransom money and now they're demanding an even larger ransom to unlock the data. :-0
So I told the client that QNAP is at least trying with the QLocker app to do something, but it also shows everyone here what the true value of the client's business data is worth.
So you have a customer that values their data to more than $20k but they exposed their data storage on the internet AND they have failed to arrange with a viable backup solution to protect their data? I guess their IT manager is now looking for a new employer...

A home user or very small business owner could be excused for not really having understood the importance of a decent backup solution but any larger business failing to protect their data must be either insane or incompetent.

What's your role in this mess, more than posting here? Are you the reseller that sold them the Qnap?
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD »

P3R wrote: Thu May 13, 2021 4:06 am A home user or very small business owner could be excused for not really having understood the importance of a decent backup solution but any larger business failing to protect their data must be either insane or incompetent.
+1
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Many thanks Steve, Yes we are all in the same boat.. with a tiny paddle !

This may help ..

I tried many things using the NAS IP number but it didn't work. Then I used the NAS name and it worked.

Check..

1. NAS must be connected to LAN.

2. Must have ext drive with folders and files PhotoRec saved.
(There could be many, many folders, each with about 500 files.)

3. Must have ext drive ready to save the files this Filestore script saves.
(It will be nearly every file that was 7z by scammers.)

4. Must have Net installed on computer to use Filestore

This is the actual Filestore script Panel..
Filestore Panel-tutor.jpg

Good luck
:-)

If it works please give Flavio a Donation. I cannot afford much but gave him what I could, although it is worth a lot more.

The Universe will look after him too.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
ChiefORZ
Starting out
Posts: 17
Joined: Tue Apr 03, 2012 3:52 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ChiefORZ »

I got attacked by those buggers too - but luckily could find out the password they used to encrypt my files.
Then I tried a bash script to decrypt all my files, but my script was unstable - so I wrote a Node.js script that decrypts all 7zip archives from a specific directory recursively.

1.) Install Node.js on your Qnap NAS (I did it through Qnapclub's QPKG Store https://qnapclub.eu/en/howto/1)
2.) ssh into your NAS
3.) create a folder somewhere (e.g. `mkdir /share/Public/recover-qlocker`)
4.) copy the files from this gist into the newly created folder (https://gist.github.com/ChiefORZ/4b0826 ... eb5b52f0e3)
5.) go to the folder and install the npm dependencies (`cd /share/Public/recover-qlocker; npm install;`)
6.) edit the .env and paste your 7zip password
7.) go to the folder, where you want to start the recovery (`cd /share/CACHEDEV3_DATA`)
8.) run the script (`node /share/Public/recover-qlocker`)
... by the way ... was someone hearing about a coming update to PHP ?
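
The recursive recovery described in the post above (walk a directory tree and extract every password-protected 7-Zip archive with the recovered password), as an added example that is not part of the original post and is not the code from the linked gist. It assumes a `7z` binary on PATH and reads the password from a `QLOCKER_PASSWORD` environment variable, a name chosen here for illustration.

```javascript
// Added example (not ChiefORZ's gist). Assumptions: `7z` is on PATH and the
// recovered password is in the QLOCKER_PASSWORD env var (hypothetical name).
const fs = require('fs');
const path = require('path');
const { spawnSync } = require('child_process');

// Recursively collect *.7z files under root. Dirent type checks do not follow
// symlinks, so a link pointing back up the tree cannot cause an endless walk.
function findArchives(root, found = []) {
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) findArchives(full, found);
    else if (entry.isFile() && entry.name.toLowerCase().endsWith('.7z')) found.push(full);
  }
  return found;
}

// 7z arguments for one archive: x = extract with paths, -aos = skip files that
// already exist, -y = answer prompts, -o = write next to the archive.
// Caveat: -p puts the password on the command line, visible in `ps` while 7z runs.
function extractArgs(archive, password) {
  return ['x', '-aos', '-y', `-p${password}`, `-o${path.dirname(archive)}`, archive];
}

// Extract every archive and report per-file results. Nothing is deleted, so a
// wrong password or a damaged archive leaves the .7z in place for another try.
// `run` is injectable so the walk can be dry-run without invoking 7z.
function recoverAll(root, password, run = (args) => spawnSync('7z', args).status) {
  const result = { ok: [], failed: [] };
  for (const archive of findArchives(root)) {
    const status = run(extractArgs(archive, password));
    (status === 0 ? result.ok : result.failed).push(archive);
  }
  return result;
}

// Only acts when the password variable is set; starts from the current directory.
if (process.env.QLOCKER_PASSWORD) {
  const { ok, failed } = recoverAll(process.cwd(), process.env.QLOCKER_PASSWORD);
  console.log(`extracted ${ok.length}, failed ${failed.length}`);
  failed.forEach((f) => console.log(`FAILED ${f}`));
  process.exitCode = failed.length ? 1 : 0;
}
```

Remove the `.7z` files only after checking the extracted copies, since the script deliberately leaves them untouched.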
theincogtion
Starting out
Posts: 27
Joined: Mon Mar 28, 2016 9:56 pm

Attack vector upnp & HBS?

Post by theincogtion »

As QNAP is very silent about how the attacker could break into the NAS I have some questions to the community:
1. Was the attack possible due to activated UPNP?
1.1 Is any kind of UPNP enabled by default which could have allowed hackers to breach into my device?
2. Were all myQnapCloud users vulnerable to this attack?
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Attack vector upnp & HBS?

Post by P3R »

theincogtion wrote: Fri May 14, 2021 1:57 am As QNAP is very silent about how the attacker could break into the NAS I have some questions to the community:
They explained it more than a week ago.
1. Was the attack possible due to activated UPNP?
UPnP is one possibility but some users have probably opened the ports manually. I think that the overwhelming majority of users, even among those that used UPnP, were aware of their system being exposed on the internet. The problem is that inexperienced users blindly trusted their Qnap to be secure as Qnap didn't warn properly about the inherent risks with internet exposure.

Now Qnap are changing their recommendations to say that Qnaps shouldn't be exposed on the internet.
1.1 Is any kind of UPNP enabled by default which could have allowed hackers to breach into my device?
I think that UPnP is by default enabled, or at least that the configuration guide leads the user in that direction. But that's just part of the problem. Most home routers have UPnP enabled by default and both are required for it to work so both suppliers are to blame for having insecure defaults.
2. Were all myQnapCloud users vulnerable to this attack?
myQNAPcloud unlikely made any difference here. The real problem was the internet exposure in itself in combination with the vulnerability.