[RANSOMWARE] Qlocker
-
- First post
- Posts: 1
- Joined: Tue Dec 04, 2018 9:06 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hello,
This might help. It is from Europol. You can submit samples and they will tell you which if any of the 121 decryption tools will help.
https://www.nomoreransom.org/crypto-sheriff.php?lang=en
https://www.europol.europa.eu/newsroom/ ... le-website
-
- First post
- Posts: 1
- Joined: Tue Aug 10, 2021 1:15 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I performed Qrescue and all went great given the circumstances. I was able to recover some of the files. However, for some reason the qrescue.sh script did not work completely in the renaming process. I had about 500 .heic image files in the recup1 folder, which the Qrescue renaming script seems to have skipped even though the original .7z's are still in place. I reached out to QNAP support but they were next to useless, they only requested remote access to the NAS and did 'du -sh' in the recovery folders, and neglected the original issue completely.
So my question is, do you know if the qrescue-script is unable to resolve the filenames of recovered .heic files? Is there possibly an exception in the script to skip other than let's say jpg, png, and gif files? Can the script be edited to try to look at the .heic files also? I am not skilled with python or coding, but I am somewhat tech-savvy so I could possibly do the edits myself if someone points me where to look at
-
- New here
- Posts: 5
- Joined: Wed May 04, 2016 3:12 pm
Re: Attack vector upnp & HBS?
...myQNAPcloud unlikely made any difference here. The real problem was the internet exposure in itself in combination with the vulnerability.
2. Were all myQnapCloud users vulnerable to this attack?
Here is how I discovered I'd been hit by this vulnerability.
Just randomly doing a portscan of my network from the internet side I noticed a port that was open when there shouldn't have been anything.
Checked router and no port forwarding enabled, UPnP disabled, no DMZ .. didn't make any sense. Checked QNAP and UPnP was enabled, which I'm sure I disabled; either way.. how is it forwarding.. back to my modem and after some time I think I'll just try enabling the UPnP checkbox, applying changes, then disabling UPnP again... That was it. Port no longer forwarded...
Then I think I'd better look at logs.. hmm, no access logs since 20/04/21. ...
20/04/2021 7:45:41 admin 85.57.67.117 --- HTTP/HTTPS Administration
IP is from Spain..... uh oh...
Check files
Home,Recordings,Download,Movies all encrypted.
Luckily I didn't have anything of value in there and all my files are in non-default named folders.
So it seems 1 day after QNAP released a patch I'm hit by an automated attack. The router setting bug is just bad luck; I have my suspicions UPnP on the QNAP was enabled after a firmware update. That's bad, QNAP! But I do have a question.
I assume an attack like this couldn't happen through CloudLink? I mean I suppose my ports were scanned and I was targeted, but to do the same thing with CloudLink wouldn't be possible?
Anyway passwords changed, firmware updated, think I'll try a different nas provider when it comes time to upgrade.
I do love qsync over cloudlink though..
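A way to run the log check described in this post programmatically, as an added example that is not part of the original post or of QNAP's own tooling. The line format is assumed from the single connection-log line quoted above (date, time, user, source IP, `---`, service); the sample log below is constructed, and only its 85.57.67.117 line mirrors the one in the post. The check flags administrative services (web admin, SSH, Telnet are assumed names) reached from a globally routable address, which on a NAS that is not supposed to be internet-exposed is exactly the signal the poster found by hand.

```python
"""Triage QNAP-style connection-log lines for administrative logins from
public IP addresses.

Added example, not code from the forum thread or from QNAP. The line
format is an assumption based on the one line quoted in the post:
    DD/MM/YYYY H:MM:SS <user> <ip> --- <service>
"""
import ipaddress
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<ip>\S+)\s+---\s+(?P<service>.+)$"
)

# Services that give administrative control of the NAS (assumed names).
ADMIN_SERVICES = ("HTTP/HTTPS Administration", "SSH", "Telnet")

# Constructed sample log; the 85.57.67.117 line is the one quoted in the post.
SAMPLE_LOG = """\
19/04/2021 21:03:10 bob 192.168.1.20 --- SMB
20/04/2021 7:45:41 admin 85.57.67.117 --- HTTP/HTTPS Administration
20/04/2021 8:02:05 admin 192.168.1.5 --- HTTP/HTTPS Administration
20/04/2021 8:10:33 alice 10.0.0.7 --- SSH
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"ts": ts, "user": m["user"], "ip": ip, "service": m["service"]}


def is_suspicious(entry):
    """An admin-capable service reached from an address that is routable on
    the public internet (not RFC 1918, loopback, link-local or reserved)."""
    return entry["service"] in ADMIN_SERVICES and entry["ip"].is_global


def triage(log_text, since=None):
    """Return suspicious entries, oldest first.

    `since` is an optional "DD/MM/YYYY" string; entries before that day are
    ignored, which is handy when you know the date a patch was released.
    """
    cutoff = datetime.strptime(since, "%d/%m/%Y") if since else None
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip, never crash the triage
        if cutoff is not None and entry["ts"] < cutoff:
            continue
        if is_suspicious(entry):
            findings.append(entry)
    findings.sort(key=lambda e: e["ts"])
    return findings


def report(findings):
    """Human-readable lines for each finding."""
    return [
        f"{e['ts']:%d/%m/%Y %H:%M:%S} {e['user']} from {e['ip']} via {e['service']}"
        for e in findings
    ]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print("SUSPICIOUS:", line)
```

Feed it the real log export instead of `SAMPLE_LOG` and it gives you the same "uh oh" the poster had, but over every line rather than the ones you happened to scroll past; the `since` filter narrows the window to the days after the patch came out.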
-
- Starting out
- Posts: 13
- Joined: Tue Feb 21, 2017 6:45 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi, today I saw that I have a lot of encryption files with 7z.
What can I do? I opened the ticket and waited.
-
- First post
- Posts: 1
- Joined: Tue Nov 30, 2021 10:06 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi all. Qlocker victim here. I have my password to decrypt. I have a QNAP T-251/A and I'm an Apple user (iMac, to be exact). Is there a batch decrypt I can run using a different uncompression program? I've confirmed the password works with other programs (Keka, Stuff It, etc). Looking for alternatives to unzipping files one by one on the drives. Any help is greatly appreciated, Thanks!
- TryWait
- Starting out
- Posts: 40
- Joined: Sat Apr 03, 2010 12:26 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
What does Malware remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.
The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
TS-419P , 4x WD 3TB Red NAS 3.5 Inch, WD30EFRX HD's RAID5 :: QNAP Firmware 4.3.3 (0378)
iMac 3.8 GHz Quad-Core Intel Core i5 . 32GB . OSX 10.15.7
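One way to automate the clean-up asked about in this post, as an added example that is not part of the original thread or of QNAP's Malware Remover. The note file name README_FOR_DECRYPT.txtt is the one reported in the post; !!!READ_ME.txt is the name reported later in this thread. The size ceiling for what counts as a note, and the directory tree that `demo()` builds, are assumptions and constructed data for illustration. It runs in dry-run mode unless told otherwise, so you can see what it would remove before it removes anything.

```python
"""Find and (optionally) remove ransom-note files left behind after the
ransomware itself is gone, and inventory the encrypted archives.

Added example, not code from the forum thread or from QNAP. Note names are
the two reported in this thread; MAX_NOTE_BYTES is an assumed safety limit.
"""
import os
import tempfile

NOTE_NAMES = {"README_FOR_DECRYPT.txtt", "!!!READ_ME.txt"}
MAX_NOTE_BYTES = 16 * 1024  # assumed: real notes are tiny, refuse to delete anything larger


def find_ransom_notes(root):
    """Return sorted paths of regular files whose name is a known note name.
    Symlinked directories are not followed, so a stray link cannot drag the
    walk (and a later delete) outside `root`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name in NOTE_NAMES:
                path = os.path.join(dirpath, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    hits.append(path)
    return sorted(hits)


def count_archives(root, suffix=".7z"):
    """Inventory of encrypted archives (Qlocker wraps files in password-protected 7z)."""
    total = 0
    for _dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        total += sum(1 for f in filenames if f.lower().endswith(suffix))
    return total


def remove_ransom_notes(root, dry_run=True):
    """Delete matched notes (or only list them when dry_run is True).

    Returns (handled, skipped): `handled` are paths deleted (or that would
    be), `skipped` are files with a note name but an implausible size, which
    are left for a human to look at rather than silently destroyed.
    """
    handled, skipped = [], []
    for path in find_ransom_notes(root):
        if os.path.getsize(path) > MAX_NOTE_BYTES:
            skipped.append(path)
            continue
        if not dry_run:
            os.remove(path)
        handled.append(path)
    return handled, skipped


def demo():
    """Build a constructed tree, run a dry run, then a real run; return counts."""
    with tempfile.TemporaryDirectory() as root:
        # constructed: a note in three share folders, two encrypted archives,
        # and one oversized file carrying a note name that must be skipped
        for sub in ("Home", "Movies", "Download/sub"):
            d = os.path.join(root, sub)
            os.makedirs(d)
            with open(os.path.join(d, "README_FOR_DECRYPT.txtt"), "w") as f:
                f.write("constructed ransom note\n")
        for rel in ("Home/photo.jpg.7z", "Movies/clip.mp4.7z"):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"\x00" * 10)
        with open(os.path.join(root, "Download", "!!!READ_ME.txt"), "wb") as f:
            f.write(b"x" * (MAX_NOTE_BYTES + 1))

        before = len(find_ransom_notes(root))          # 4 candidates
        archives = count_archives(root)                # 2 archives
        planned, _ = remove_ransom_notes(root, dry_run=True)
        assert len(find_ransom_notes(root)) == before  # dry run touched nothing
        deleted, skipped = remove_ransom_notes(root, dry_run=False)
        after = len(find_ransom_notes(root))           # only the oversized one remains
        return before, archives, len(planned), len(deleted), len(skipped), after


if __name__ == "__main__":
    print(demo())
```

On the NAS itself you would point `find_ransom_notes` at the share root over SSH, review the list, and only then call `remove_ransom_notes(root, dry_run=False)`; the archive count is worth recording before any clean-up so you know how many files still need the decryption password.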
- Toxic17
- Ask me anything
- Posts: 6478
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Personally I would not trust anything on your NAS; you cannot guarantee what else the malware/ransomware has done to the system. You're better to wipe all contents by selecting "Reinitialize NAS" and then, once your NAS is finalised, restore your files from your backup.
TryWait wrote: ↑Thu Dec 23, 2021 9:52 am
What does Malware remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.
The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
The malware developers are anything but inept cretins. Their goal is to exploit a vulnerability and hold data ransom; seems like they succeeded in their goal.
TryWait wrote: ↑Thu Dec 23, 2021 9:52 am
What does Malware remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.
The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
The QNAP malware remover is a purposely (by QNAP) opaque black box that logs next to nothing; what little logging is performed is purposely vague and meaningful to the end user.
If you can, I would even re-flash the DOM using the Firmware recovery procedure, instructions here: https://wiki.qnap.com/wiki/Firmware_Recovery
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
That's entirely by design and it did what it was created to do. They didn't want to spend much time on encrypting very large files as that would have increased the risk of being discovered before the encryption mission was completed. Therefore they had a size cut-off where they only encrypted smaller files. Smaller files like documents and photos (that may be unique family photos) are typically much more valuable to users than huge video files that often can be reacquired from the same sources they came from in the first place. They're criminals, but they're clever and competent.
Stop exposing your QNAP directly on the Internet, as it simply isn't secure enough for that; that is the lesson to be learned here. And no, using strong passwords, 2FA, other than default ports, disabling the admin account and all those other things suggested by QNAP doesn't make it secure. It's just lipstick on the pig.
If remote access is required then use a remote access VPN installed on the Internet-facing router/firewall or on a separate device but not the Qnap.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Starting out
- Posts: 32
- Joined: Sun Mar 22, 2020 1:53 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
This site does not include instructions or a firmware file for the TS-251D. Would I use the file and instructions for the TS-253D?
jaysona wrote: ↑Thu Dec 23, 2021 11:09 am
The malware developers are anything but inept cretins. Their goal is to exploit a vulnerability and hold data ransom; seems like they succeeded in their goal.
TryWait wrote: ↑Thu Dec 23, 2021 9:52 am
What does Malware remover do? It says that it scans. Maybe it removes the actual malware, but what is left behind are 10,000 or so "README_FOR_DECRYPT.txtt" files? There is no detailed log about what it actually does that I can find. Am I missing something? Entirely possible.
The malware did not even manage to infect most of the files in the Qmultimedia folder, including iTunes Music or my video files. It did encrypt a lot of photo files that I have elsewhere. It seems that the biggest annoyance caused by these inept cretins and their pretty lame malware is leaving me to get rid of a ** of "README_FOR_DECRYPT.txtt" files! Any clue how to automate that process?
The QNAP malware remover is a purposely (by QNAP) opaque black box that logs next to nothing; what little logging is performed is purposely vague and meaningful to the end user.
If you can, I would even re-flash the DOM using the Firmware recovery procedure, instructions here: https://wiki.qnap.com/wiki/Firmware_Recovery
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I have not worked with either of those two NAS models, so I cannot comment - I typically only comment based on experience.
I have tried messing around with using similar-model recovery firmware on a different model in the past, and results were varied: in some cases the NAS would boot with numerous errors, in other cases the NAS would never progress past displaying the message "Decompressing Linux......." or something similar to that message.
That said, a quick search reveals that the TS-251D is an Intel Celeron based NAS with an HDMI video output, so I would presume that the instructions for any similar Intel based NAS with an HDMI video output would work.
I would open a ticket with QNAP tech support to have them provide you with the specific instructions and recovery firmware for your model of NAS.
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
-
- Starting out
- Posts: 15
- Joined: Mon Dec 26, 2016 11:18 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Hi, I'm from Italy.
Since yesterday I'm under attack: my NAS was unreachable, so I restarted it.
Then all my files are being encrypted. I'm trying to save as many files as I can.
I don't know how I can resolve this... This is a disaster
-
- Experience counts
- Posts: 1824
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Start by reading this entire thread as there is a lot of good information.
Enter a helpdesk ticket with QNAP to see if they can help.
Reinitialize and restore your files from backup should hopefully also be an option.
Be sure to never expose your NAS directly to the internet in the future and follow the security hardening steps such as disabling UPNP and services that you do not require.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
And stop using the NAS immediately, if anything can be recovered via tools, using the NAS will destroy your chances
-
- Starting out
- Posts: 15
- Joined: Mon Dec 26, 2016 11:18 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
It was impossible to connect to the NAS via SSH. Malware Remover unavailable. Failed to install QRescue. Now I've disconnected the NAS from the internet and local LAN.
Infection in 06/01/2022. Latest available firmware on TS112P.
From https://id-ransomware.malwarehunterteam.com
1 Result
Qlocker
This ransomware has no known way of decrypting data at this time.
It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by
ransomnote_filename: !!!READ_ME.txt