[RANSOMWARE] Qlocker

alec59
New here
Posts: 2
Joined: Tue May 25, 2021 9:46 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by alec59 »

Edit: sorry
Last edited by alec59 on Tue May 25, 2021 10:14 pm, edited 1 time in total.
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

This is the wrong thread (Qlocker)... the ransomware infects your NAS, not your computer.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

alec59 wrote: Tue May 25, 2021 9:56 pm Thanks, and sorry if the questions has already in this 44 pages :/
Reading the 44 pages would have been a huge waste of time since this thread is about the QLocker ransomware. It's written in capital letters in the title of the thread: QLOCKER.

QLOCKER is not the same as ECHORAIX.

There is a dedicated Echoraix Ransomware support thread on the Bleeping Computer forum:
https://www.bleepingcomputer.com/forums ... ort-topic/
Brace yourself: 56 pages.
alec59 wrote: - I scanned my PC with a lot of tools (FRST, Malaware etc...) and I didn't find the Echoraix virus. Is that normal? How can I be sure there is nothing left?
The ransomware attacked the NAS, not your PC. It breached the NAS directly from the internet, not going through your PC.

Follow these instructions to better protect your NAS now and in the future:
https://www.qnap.com/en/security-advisory/qsa-21-18
https://blog.qnap.com/nas-internet-connect-en/
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

QNAP has released a tool and instructions to help in recovering lost data:
Manually Install QRescue to recover Qlocker-encrypted files on QNAP NAS
sLesage
New here
Posts: 3
Joined: Wed May 26, 2021 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by sLesage »

Hi,

I just noticed all my data has been encrypted too on 21/04/2021. It's also only my QNAP since I don't have the problem on any of my PC or Mac drives. The QNAP doesn't have the default admin password so I have no idea what happened. Is there anything I could do to get my files back? Or how did you folks fix this problem?
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

the strongest password does not help on exploits and hardcoded credentials .. just read the thread .. and the post just before yours has a possible (partial) solution ..if you are lucky

For the future:
Do not expose your NAS
Backups Backups Backups
sLesage
New here
Posts: 3
Joined: Wed May 26, 2021 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by sLesage »

I am not sure I explicitly exposed my NAS. After purchase I immediately changed the admin password + set up the necessary rules to block IPs after 5 failed login attempts. Sadly that didn't help at all. So I'm wondering how it is even possible for a potential hacker to even get in. I'm leaning towards a backdoor or something. Running the tool (which isn't very clear even for a software developer like me). So I hope I can have some of my data back.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD »

sLesage wrote: Thu May 27, 2021 3:03 pm I am not sure I explicitly exposed my NAS. After purchase I immediately changed the admin password + set up the necessary rules to block IPs after 5 failed login attempts. Sadly that didn't help at all.
That sounds like exposure to me. If your NAS isn't exposed, there's no need to establish IP blocking. ;)
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

sLesage wrote: Thu May 27, 2021 3:03 pm After purchase I immediately changed the admin password + set up the necessary rules to block IP's after 5 failed login attempts. So I'm wondering how it is even possible for a potential hacker to even get in. I'm leaning towards a backdoor or something.
There's no need to speculate any more. dolbyman has already told you everything you need, but if you're too busy to skim through even a few pages to find out what happened you can read here. Neither strong admin passwords nor even 2FA protect against software vulnerabilities and yes, you had it exposed even if you weren't aware of it (probably through UPnP).

By the way, the current brute-force protection is useless against modern brute-force attacks that are coordinated through a botnet and so constantly use different source addresses for the attempts. It doesn't hurt to have it enabled locally in accordance with the defence in depth strategy, but it definitely doesn't protect against brute-force attacks on the wild internet any more.

As a software developer you should be aware of the importance of external backups, shouldn't you?
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
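
An added example, not part of P3R's post and not QNAP code: it contrasts a per-source "block after 5 failed logins" rule with a per-account check that counts distinct sources in a time window, which is the pattern a botnet-coordinated guessing run leaves behind. The event tuples, addresses and the window, failure and source thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def per_ip_lockouts(events, threshold=5):
    """Source IPs that a 'block after N failed logins' rule would ban."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_targets(events, window=timedelta(minutes=10),
                        min_failures=20, min_sources=10):
    """Accounts with many failures from many distinct sources in one window.

    Thresholds are illustrative assumptions, not vendor defaults.
    Returns {account: largest number of distinct sources seen in a window}.
    """
    by_account = defaultdict(list)
    for ts, ip, account in sorted(events):
        by_account[account].append((ts, ip))
    flagged = {}
    for account, rows in by_account.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            sources = {ip for _, ip in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                flagged[account] = max(flagged.get(account, 0), len(sources))
    return flagged

def sample_events():
    """Constructed failed-login events: (timestamp, source IP, account)."""
    t0 = datetime(2021, 5, 1, 3, 0, 0)
    events = []
    # Botnet pattern: 30 sources, 2 guesses each, all against "admin".
    for i in range(30):
        for k in range(2):
            events.append((t0 + timedelta(seconds=10 * i + k),
                           f"198.51.100.{i + 1}", "admin"))
    # One noisy source: 6 guesses from a single address.
    events += [(t0 + timedelta(seconds=k), "203.0.113.7", "backup") for k in range(6)]
    # A user mistyping a password twice.
    events += [(t0 + timedelta(minutes=1, seconds=k), "192.0.2.10", "alice") for k in range(2)]
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("blocked by per-IP rule:", per_ip_lockouts(ev))
    print("distributed guessing  :", distributed_targets(ev))
```

On the constructed data the per-IP rule bans only the single noisy address, while the 60 guesses spread over 30 addresses never trip it and show up only in the per-account view.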
sLesage
New here
Posts: 3
Joined: Wed May 26, 2021 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by sLesage »

Just so you know ... I am very much aware that in some way my NAS was connected to the internet, I'm just not 100% sure if that is something I have done manually or was set up by default. And yes I'm very much aware that you should have off-site backups too. But what if my On Site backups AND my Off Site backups were on 2 QNAP NASes then I would have been in big trouble now.

Also something I noticed is that not all of my volumes on my NAS seem to be affected for some reason. The volume with my TimeMachine backups was not affected, neither was one volume with original media files for some projects. Not sure why only 3 out of the 5 volumes on my NAS were affected. But then again maybe the security measures kicked in at some point and stopped the process.

Anyway ... In the process of using the tools provided to try and recover the data for which I don't have off-site backups or backups on other disks.
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

sLesage wrote: Thu May 27, 2021 7:25 pm But what if my On Site backups AND my Off Site backups were on 2 QNAP NASes then I would have been in big trouble now.
Only if you exposed them both directly on the internet. But you would still have your source files even if both your backups had been compromised by the ransomware.

I have run my off-site backups across a site-to-site VPN for many years and have never been affected by any malware. It's a bit late but at least now everyone that rolls their own off-site backups should upgrade it with a VPN solution regardless of brand or platform used. Hackers get better all the time and unless users start to improve their backup security as well, they will lose data.
sLesage wrote: Also something I noticed is that not all of my volumes on my NAS seem to be affected for some reason.
As is mentioned in this thread, only files smaller than 20 MByte were encrypted. It's either that or that the ransomware had a bug or that it was interrupted by something like a reboot or an updated Malware Remover running.
jgirado
Starting out
Posts: 38
Joined: Sun Feb 17, 2008 7:32 pm
Location: San Diego, CA

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jgirado »

Hi,

FWIW I received yesterday an e-mail from QNAP. I haven't followed through because in my case I assumed my loss and factory reset & format the whole darn QNAP, then recover what I could from my backups.
----- QNAP email -----
Dear Users,

You received this email because you've previously contacted QNAP for the Qlocker incident.

As the QNAP technical support staff around the globe worked with affected users to test and purge Qlocker, and to offer our help by all possible means, we've identified a possible way to recover user data from affected QNAP NAS.

Please visit the following link for more information about how to request QNAP-assisted data recovery service. Details for self-servicing your QNAP NAS to attempt recovery of encrypted files can be found with the link as well:

Recover Qlocker-Encrypted Files With QRescue
https://www.qnap.com/static/landing/202 ... dium=email
Javier
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

was already posted further up ....
rafale
Easy as a breeze
Posts: 350
Joined: Tue May 12, 2015 1:53 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by rafale »

In case you guys didn't see this yet...

https://www.bleepingcomputer.com/news/s ... r-account/
Server: TVS-872XT i9 9900 ES, 64GB DDR4 2666MHz, intel X550-T2, Asus RTX3070 Dual OC (On pico PSU), 2x Phison E12 1TB M.2, 4x Micron 5210 7.68TB, 4x WD Purple 4TB
Backup NAS: TS-473 20GB DDR4 2400MHz, Mellanox ConnectX3, 2x Samsung PM871b 256GB M.2, 4x WD Red 8TB
Former units: TVS-1282, TS-871, TS-469
gnapfan111
Starting out
Posts: 19
Joined: Sun Mar 07, 2021 12:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by gnapfan111 »

What happens with Hybrid Backup Sync now?

I wanted to use HBS to sync my OneDrive folders to the QNAP.

I hesitate to install it after this incident.

However, I didn't find other software that can be installed on the QNAP and could sync MS OneDrive.

Any ideas?