[RANSOMWARE] Qlocker

Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

MaxSh4doW wrote: Fri Apr 23, 2021 5:55 am Can someone share his 7z bin file with me or explain how to find the original? Without the original I can't update apps or firmware :(

because I've launched this command 2 times:

Code:

cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
Thx in advance
Try this:

Code:

# cd /usr/local/sbin
# mv 7z 7z.bogus
# mv 7z.bak 7z
This should undo the previous command.

Or you can just reboot the NAS, the file will be restored to its original version.
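An added example, not from either poster: the quoted one-liner went wrong because running it twice moved the wrapper over the saved original. The two POSIX sh functions below do the same swap-in/swap-out of a logging wrapper, but refuse to overwrite an existing `.bak`, so a second run is harmless. The directory, binary name and log path are parameters (the thread uses /usr/local/sbin, 7z and /mnt/HDA_ROOT/7z.log); the `sleep 60000` stall is kept from the quoted command.

```shell
#!/bin/sh
# Added example (not from the thread): swap a logging wrapper in for a binary
# without ever clobbering the saved original, and swap it back out again.
# Assumptions: POSIX sh; DIR, NAME and LOGFILE are supplied by the caller.

# install_wrapper DIR NAME LOGFILE
# Moves DIR/NAME to DIR/NAME.bak exactly once, then writes a wrapper that
# records its arguments to LOGFILE and stalls. A second call is refused
# instead of moving the wrapper over NAME.bak (the problem in the quoted post).
install_wrapper() {
    dir=$1; name=$2; log=$3
    if [ -e "$dir/$name.bak" ]; then
        echo "install_wrapper: $dir/$name.bak already exists, refusing to overwrite" >&2
        return 1
    fi
    mv "$dir/$name" "$dir/$name.bak" || return 1
    # The wrapper only logs how it was called; it never runs the real tool.
    printf '#!/bin/sh\necho "$(date) $*" >> %s\nsleep 60000\n' "$log" > "$dir/$name"
    chmod +x "$dir/$name"
}

# restore_original DIR NAME
# Puts the saved binary back and parks the wrapper as NAME.bogus for inspection.
restore_original() {
    dir=$1; name=$2
    if [ ! -e "$dir/$name.bak" ]; then
        echo "restore_original: no $dir/$name.bak to restore" >&2
        return 1
    fi
    mv "$dir/$name" "$dir/$name.bogus" || return 1
    mv "$dir/$name.bak" "$dir/$name"
}
```

Usage on the NAS would be `install_wrapper /usr/local/sbin 7z /mnt/HDA_ROOT/7z.log` and later `restore_original /usr/local/sbin 7z`; as Mousetick notes, a reboot also restores the firmware copy of the binary.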
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

If the malware is still running on the NAS, it may be possible to retrieve the encrypting password by looking (via SSH) at the 7z command line of a running 7z process.

Code:

# ps -o args | grep 7z | grep -v 'grep'
If nothing is displayed, there is no 7z process running. Try again a few times (my understanding is that the malware encrypts files one by one, so each 7z process may be very short-lived). If there is still nothing after several quick tries, it may have finished its job for good on the NAS and it's too late.
If something is displayed, it should be on one line. Look for text beginning with -p followed by a word, e.g. -pXXXXXXXXXXXX.

XXXXXXXXXXXX is the encrypting password.

I don't have a compromised system on which to try this suggestion, so I have no idea if this works.
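An added example, not from Mousetick's post: the check above done as two POSIX sh functions, one that pulls the glued-on `-p<password>` token out of process-list text (so it can be tested offline on captured output), and one that re-checks the live `ps -o args` output a few times because each 7z invocation may only exist for a moment. The sample ps lines and the password `ExamplePass123` are constructed for the test; the `7z`/`7za`/`7zr` names and `/share/CACHEDEV1_DATA` path are assumptions about how the tool appears in the process list, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): recover the password argument from
# a running 7z process's command line, as Mousetick suggests.
# Assumptions: POSIX sh with grep/sed; ps supports '-o args'.

# extract_7z_password: reads process-list text on stdin and prints every
# password found, one per line. 7-Zip takes the password glued to -p, so
# "-p" followed by a run of non-space characters is the token we want.
# Lines that are our own grep, or that merely mention 7z elsewhere, are skipped.
extract_7z_password() {
    grep -E '(^|/)7z(a|r)? ' | grep -v 'grep' |
        sed -n 's/.*[[:space:]]-p\([^[:space:]]\{1,\}\).*/\1/p'
    return 0
}

# poll_7z_password ATTEMPTS INTERVAL: re-check the live process list, since
# a short-lived 7z may not be visible on any single look. Prints the first
# password seen and returns 0, or returns 1 if nothing turned up.
poll_7z_password() {
    attempts=$1; interval=$2; i=0
    while [ "$i" -lt "$attempts" ]; do
        found=$(ps -o args | extract_7z_password)
        if [ -n "$found" ]; then
            echo "$found"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Constructed sample of what 'ps -o args' might show (not real malware output):
# one genuine 7z invocation, our own grep, and an unrelated tool whose
# argument list happens to contain "-p 7z" but is not a 7z process.
SAMPLE_PS_OUTPUT='COMMAND
/bin/sh /etc/init.d/services.sh
7z a -mx0 -pExamplePass123 /share/CACHEDEV1_DATA/Public/photo.7z /share/CACHEDEV1_DATA/Public/photo.jpg
grep 7z
/usr/bin/python3 /usr/local/bin/some_tool.py -p 7z'

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PS_OUTPUT" | extract_7z_password
```

On a live system you would run `poll_7z_password 50 0.2` over SSH; it stops at the first hit. Because the `.*` before `-p` is greedy, a line carrying several `-p` tokens yields only the last one, which is fine for a single 7z command line but worth knowing if you feed it anything else.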
HG-wgb
New here
Posts: 3
Joined: Fri Apr 23, 2021 8:29 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by HG-wgb »

So I’m fortunate that I have an off-site backup the day prior to getting hit with this thing.

I have installed all the updates QNAP has promulgated since this crap happened. So here is the question: if I format the drives and reset to factory defaults will I be able to start up like a new, clean device and restore? Or will it just happen again.

Sadly, I will never trust this device again
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

HG-wgb wrote: Fri Apr 23, 2021 8:34 am So I’m fortunate that I have an off-site backup the day prior to getting hit with this thing.

I have installed all the updates QNAP has promulgated since this ** happened. So here is the question: if I format the drives and reset to factory defaults will I be able to start up like a new, clean device and restore? Or will it just happen again.

Sadly, I will never trust this device again
Once you have re-initialized the NAS you will need to perform some basic steps to secure the NAS. The default QNAP configuration is not very secure at all.

viewtopic.php?t=160849&p=786891
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
HG-wgb
New here
Posts: 3
Joined: Fri Apr 23, 2021 8:29 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by HG-wgb »

Thanks for that! I will disable it all! I’m just glad I’m a little OCD when it comes to backups.
Eternic
Starting out
Posts: 16
Joined: Sat Mar 16, 2019 9:53 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Eternic »

Just so we can all understand the attack vector, this is my understanding:
  1. QNAP fixed some SQL/Command injection vulnerabilities in February in the QTS firmware, Multimedia Console and Media Streaming Add-On but this wasn't mentioned in the update notes for those versions
  2. On April 16 they released a Security Advisory telling people about this issue and that people needed these versions from February to be secure. One for the apps and one for the firmware.
  3. Also on April 16 they released an update fixing injection vulnerabilities as well as a hard-coded credential issue in HBS 3 Hybrid Backup Sync but did not mention this anywhere outside the update notes
Perhaps the vulnerabilities were fixed in February and they chose not to mention them for a couple of months to avoid alerting bad actors until most people would have updated to secure versions. They didn't do the same with HBS 3 though, which is an application that would run on your NAS whether you'd ever opened it and set anything up in it or not. In fact you could say they instead did the following on April 16:
"Hey Bad Guys, there's an injection vulnerability in older firmware and Multimedia Console which we don't let people uninstall. We fixed these a couple of months ago, but if you check the update notes for HBS 3 which we only just fixed today, you'll see it has the same or similar issues and we haven't told anyone about it outside of those update notes. Enjoy!"

QNAP claim the hard-coded credentials in HBS 3 haven't been used, but point to the SQL Injection issue in the older firmware and Multimedia Console as the problem. Many, myself included, had these up to date at the time of the attack, but not the April 16 update of HBS 3. They did say to update HBS 3 afterwards in response to this attack, but still never released a Security Advisory about its injection issue. After the ransomware had started they put one out about the hard-coded credentials issue, but left out the injection issue.

I'm happy to be proven incorrect about any of this.
Last edited by Eternic on Fri Apr 23, 2021 9:55 am, edited 1 time in total.
jonezed7
New here
Posts: 5
Joined: Fri Apr 23, 2021 3:25 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jonezed7 »

Can anyone help me with deleting the "Transaction ID" field from the Tor client? I just randomly entered a code and now every time I enter my client key this comes up and it won't let me delete it. No keyboard keys or right clicking work. Tried clearing cache and such too.
Ramias
New here
Posts: 9
Joined: Wed Oct 26, 2016 8:33 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ramias »

This is so crazy. I don't want Qnap to fail as a company -- I want them to stick around and continue to fix their stuff.

So far (knock on wood) I've dodged this.

My setup:
Firmware current; all apps current (HBS3 updated April 20th... and did not run scheduled backup Apr 21... perhaps that is what the next fix addresses). I log in a few times/week and update whatever I'm prompted for.
UPNP off on NAS.
UPNP off on Router.
No ports forwarded from router to anywhere (no ports; but I do have IpSec VPN enabled on the router - Unifi).
IP address restrictions for QNAP login to just my local IPs and the container station IPs used on the Qnap.
MyQNapCloud not enabled. I did enable it once a few years ago to purchase the McAfee license; disabled it. Did most recent license renewal via offline method.

Should I be concerned or is this pretty secure at this point?
dolbyman
Guru
Posts: 35256
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

without forwarded ports, you are good
Decim8r
New here
Posts: 2
Joined: Fri Jan 18, 2019 4:06 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Decim8r »

Unfortunately, I was also a victim...It happened the other day when my wife was complaining that the NAS was louder than usual. I bought some new larger hard drives over Xmas so thought they were just acting up again. I checked the health of the drives and all seemed normal.

However, I noticed the firmware and update apps notifications and proceeded accordingly. I usually always keep my NAS as up to date as possible so this was a reflex reaction. This update rebooted the NAS. Today as I tried to access a file on my NAS via a shortcut on my desktop computer, I was getting a file not found error. I logged into my NAS and suspiciously found a !!!READ ME.txt file. I opened it up and thought it was some new marketing ploy to try and use the Tor Web Browser. I then began to find a number of my files were converted to 7zip and began to realize I was a victim of this ransomware.

Lucky for me it only affected some very old files and things I really didn't value as much. Most of my super critical files are in cold storage as well as cloud based services (iCloud, Google Drive and DropBox). So I was mostly protected, but did lose access to a number of "nostalgia" files that I will never get back. I refuse to pay a single Satoshi to these criminals.

That being said, I would deduce that these criminals gained access via the Hybrid Station as that was the only app I actually used. The others were disabled.

I have since disabled all UPnP from my router, changed the default port address for the web console, disabled the admin account and turned off myQNAPCloud completely. I've had this QNAP for a number of years and recommended it to many friends and family, especially ones who were less technically savvy. I'm sad to say I can never recommend QNAP again and will be looking to replace this NAS ASAP. In fact, I'm seriously considering permanently moving all my backup data to cloud storage. It's simply no longer worth the headache of fearing what sort of vulnerability will be introduced by QNAP in the future.

I do kick myself for turning back on my UPnP and myQNAPCloud services. Back in Feb I had noticed in my logs that there were a number of failed admin attempts to try and login as an admin user. But recently turned them back on again...What a mistake that was...
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

How do I get into the command line panel?

I have Win 10 but it just goes back to C:/

Can't see any network drive such as my NAS.

I will try those commands but need to get to the command line. I have right clicked the NAS in my QFinder and enabled SSH.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
dolbyman
Guru
Posts: 35256
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

on win 10 you can do

ssh admin@nasip on cmd

or download ssh client like putty
RogueOp
New here
Posts: 9
Joined: Sun Jul 23, 2017 12:38 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by RogueOp »

"NEVER EXPOSE YOUR NAS TO THE INTERNET...PERIOD"...

It's the best answer to give .. if the user had any know how .. they wouldn't ask in the first place.

You ask a professional stuntman .. "how can I jump off a roof into a burning kiddy pool with gasoline?" .. Instead of explaining jumping, fire-repellent gels and movie magic, the answer is DON'T
That's really easy to say, but QNAP designs and configures their NASs to be internet accessible.

There are ZERO options during initial configuration that allow a user to set accessibility.

My NAS is strictly file sharing within a SOHO. I thought I disabled all internet accesses. Apparently not.

F*** QNAP.
RogueOp
New here
Posts: 9
Joined: Sun Jul 23, 2017 12:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by RogueOp »

Would anyone please provide a link or list of all the QNAP applications that need to be disabled and configuration settings that need to be adjusted to prevent access to a QNAP NAS from the internet. It must function on an intranet AND periodically check for firmware updates.

FYI: a list is out there, but it doesn't include disabling the Help Desk. That app, for whatever reason, accepts internet connections. wtf?
PoolBoy7
New here
Posts: 2
Joined: Fri Jul 31, 2020 3:11 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by PoolBoy7 »

Hello from Hong Kong,

Desperate call, as I also had the same problem, which I realized this morning.
While I am still browsing through the forum for counter-action, do I still need to report the vulnerability at this stage since this matter is already known and public?

I have no experience of reporting before,
and I do not understand how to send an encrypted email like below. Can you offer me some advice? Sorry if I am being silly. I just want to do my part as well, if this helps.

"Please use the below PGP encryption public key to encrypt your email message, and send it to security@qnap.com"